Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions or any separate service agreement between MyLumera Technologies (“Processor”) and the customer entity (“Controller”). It sets out the terms for processing personal data in compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules and regulations.
Definitions and roles
“Personal Data,” “Processing,” “Personal Information Controller” (PIC), and “Personal Information Processor” (PIP) have the meanings given in the Data Privacy Act. The Controller determines the purposes and means of processing. The Processor processes Personal Data only on documented instructions from the Controller, including those set out in this DPA and the applicable service agreement.
Instructions and purpose limitation
The Processor shall process Personal Data only for the purposes described in the service agreement and as documented in this DPA: (a) to provide, maintain, and improve the Services; (b) to provide customer support; (c) for security, fraud prevention, and compliance; and (d) as required by applicable law. The Processor shall not process Personal Data for its own commercial purposes without the Controller’s prior written consent.
Security measures
The Processor shall implement appropriate organizational, physical, and technical security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. Measures include: encryption in transit and at rest; access controls and authentication; regular security testing; logging and monitoring; staff confidentiality obligations; and business continuity planning. The Processor shall review and update these measures periodically.
Subprocessors and third parties
The Controller authorizes the Processor to engage the subprocessors listed on our Trust & Security page for hosting, email, analytics, and payment processing. The Processor shall ensure that any subprocessor is bound by data protection obligations materially equivalent to those in this DPA. The Processor shall remain liable for subprocessor breaches. The Controller may request the current subprocessor list and object to new subprocessors on reasonable grounds.
Confidentiality and staff obligations
The Processor shall ensure that personnel authorized to process Personal Data are bound by confidentiality obligations. Access is granted on a need-to-know basis and is promptly revoked upon role change or termination. The Processor shall provide privacy and security training to relevant staff.
Breach notification
The Processor shall notify the Controller without undue delay, and in any case within 24 hours of discovery, after becoming aware of any Personal Data breach that may affect the Controller’s data subjects. The notification shall include: the nature of the breach; categories and approximate number of data subjects affected; likely consequences; and measures taken or proposed to address the breach. The Processor shall cooperate with the Controller in notifying the National Privacy Commission (NPC) and affected data subjects as required by law.
Data subject rights and assistance
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by the Data Privacy Act. The Processor shall provide the necessary information and tools to enable the Controller to fulfill its obligations. The Processor shall not respond directly to data subjects unless expressly authorized by the Controller.
Audit and compliance cooperation
The Processor shall make available to the Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including on-site inspections, subject to reasonable notice and confidentiality obligations. The Processor shall cooperate with audits conducted by the NPC or other competent regulatory authorities.
Return and deletion of data
Upon termination or expiry of the service agreement, the Processor shall, at the Controller’s choice, return or delete all Personal Data, except where retention is required by applicable law. Deletion shall be carried out in a manner that prevents recovery. The Processor shall certify completion of deletion upon request.
Cross-border transfers
If Personal Data is transferred outside the Philippines, the Processor shall ensure that the destination jurisdiction provides a level of protection comparable to that under the Data Privacy Act, or that appropriate safeguards (such as contractual clauses approved by the NPC) are in place. The Controller shall be informed of any intended cross-border transfers in advance.
Last updated: June 2026. This DPA is maintained by MyLumera Technologies and may be revised to reflect changes in law or our practices. For questions, contact privacy@mylumera.net.
