Data Processing Agreement

Last updated: February 15, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lumos Gate ("Processor", "we") and the customer ("Controller", "you") who uses Lumos Gate services to manage reverse proxy infrastructure.

This DPA is designed to meet the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies when we process personal data on your behalf in connection with providing the Service.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).
  • "Controller" means the entity that determines the purposes and means of processing Personal Data (you, the customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (Lumos Gate).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.

3. Scope and Nature of Processing

3.1. Zero-Knowledge Architecture

Lumos Gate operates on a zero-knowledge architecture. We do not inspect, store, log, or process the content of traffic flowing through your proxy servers. The HAProxy instances and agents run entirely on your own infrastructure.

3.2. Data We Process

We process the following categories of data on your behalf:

Category           | Data Types                             | Purpose
Account Data       | Email, name, hashed password           | Authentication, communication
Configuration Data | Domain names, origin IPs, WAF rules    | Service delivery
Aggregate Metrics  | Request counts, bandwidth, error rates | Analytics dashboard
Billing Data       | Transaction hashes, credit balance     | Payment processing

3.3. Data We Do NOT Process

  • HTTP request/response bodies flowing through your proxies.
  • Visitor IP addresses of your end users.
  • Cookies, authentication tokens, or session data of your users.
  • Any content hosted on your origin servers.

4. Obligations of the Processor

Lumos Gate shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organizational security measures (see Section 6).
  • Not engage another processor without prior written authorization from the Controller.
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance with GDPR obligations.

5. Sub-processors

We use the following sub-processors to deliver the Service:

Category                | Purpose                                          | Location
Infrastructure Provider | Platform hosting (database, application servers) | European Union
CDN / DDoS Protection   | Content delivery, DDoS mitigation for dashboard  | Global
Email Service Provider  | Transactional email delivery                     | United States

A detailed list of current sub-processors is available upon request by contacting [email protected]. We will notify you of any intended changes to sub-processors at least 14 days before the change takes effect, giving you the opportunity to object.

6. Security Measures

We implement the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: All communications use TLS 1.2 or higher.
  • Encryption at rest: Database encrypted at rest. Agent tokens stored as SHA-256 hashes.
  • Access control: Role-based access, JWT sessions with periodic revalidation.
  • Password security: bcrypt hashing with salt. Password change invalidates existing sessions.
  • Rate limiting: Atomic Redis-based rate limiting on all authentication endpoints.
  • Infrastructure isolation: Database not publicly accessible, internal network only.
  • Audit logging: Authentication events and administrative actions are logged.

7. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide sufficient information for the Controller to meet its own breach reporting obligations.
  • Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.
  • Document the breach including its effects and the remedial action taken.

8. Data Subject Rights

We will assist you in fulfilling data subject requests under GDPR Articles 15–22, including:

  • Right of access – Export your data from Settings.
  • Right to rectification – Update your profile and settings at any time.
  • Right to erasure – Delete your account from Settings, which removes all associated data.
  • Right to data portability – Export your configuration as JSON from Settings.

Since we operate a zero-knowledge architecture, we do not hold your end users' personal data. You remain the Controller for any personal data processed by your proxy infrastructure.

9. International Data Transfers

Our primary infrastructure is hosted in the European Union. Where data is transferred to sub-processors outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Data Retention and Deletion

Upon termination of your account:

  • Account data is deleted within 30 days.
  • Configuration data (domains, servers, WAF rules) is deleted immediately upon account deletion.
  • Aggregate metrics are retained in anonymized form for up to 90 days for service improvement.
  • Billing records are retained as required by applicable tax and financial regulations.

11. Term and Termination

This DPA remains in effect for the duration of our processing of Personal Data on your behalf. It automatically terminates when all Personal Data has been deleted or returned following termination of the Service.

12. Contact

For questions about this DPA or to exercise your rights: