Data Processing Agreement
Last Updated: 26/05/2026
This Data Processing Agreement (DPA) is made on the Effective Date between the Parties:
- LunaLift Ltd, a company incorporated in England and Wales with registered number 16243737, whose registered office is at C/O Cavendish Bond, 14 Hanover Square, W1S 1HN London, United Kingdom (the Supplier); and
- The Controller (or you).
Background
3. The Supplier provides optimised customer content for LLM results, including LLM bot traffic data (how frequently bots from LLM providers such as ChatGPT and Claude visit your website) and insights into what information LLM bots request about you (the Services).
4. The parties have agreed to enter into this DPA in relation to the processing of personal data by the Supplier in the course of providing the Services. The terms of this DPA are intended to apply in addition to and not in substitution of the terms of the Agreement.
1. Meanings
5. In this DPA, the following words are defined:
- Addendum
- the International Data Transfer Addendum to the EU Standard Contractual Clauses available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (as amended or updated from time to time).
- Data Protection Law
- all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom applicable to the Processing of Personal Data under the Agreement, including, but not limited to EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and
- to the extent applicable, the data protection or privacy laws of any other country.
- EU Standard Contractual Clauses
- Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), as may be replaced or superseded by the European Commission.
- GDPR
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the EU GDPR); and
- the EU GDPR as implemented or adopted under the laws of the United Kingdom (UK GDPR) (General Data Protection Regulation).
- Personnel
- in relation to a party, those of its employees, workers, agents, consultants, contractors, sub-contractors, representatives or other persons employed or engaged by that party on whatever terms.
- Working Day
- any day, other than a Saturday, Sunday, or public holiday in England and Wales.
6. Terms such as "Data Subject", "Processing", "Personal Data", "Controller", "Processor", "Supervisory Authority" and "Personal Data Breach" shall have the same meaning as ascribed to them in the Data Protection Law.
7. In this DPA unless the context requires a different interpretation:
- the singular includes the plural and vice versa;
- references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this DPA;
- a reference to a person includes firms, companies, government entities, trusts and partnerships;
- 'including' is understood to mean 'including without limitation';
- reference to any statutory provision includes any modification or amendment of it;
- the headings and sub-headings do not form part of this DPA; and
- 'writing' or 'written' will include fax and email unless otherwise stated.
2. Processing Customer Personal Data
8. For the purpose of Data Protection Law, the Customer shall be the Controller and the Supplier shall be the Processor.
9. The Supplier shall:
- comply with all applicable Data Protection Law in the Processing of Customer Personal Data; and
- only Process Personal Data on the Customer's documented instructions, unless Processing is required by any applicable law to which the Supplier is subject (in which case, the Supplier shall, to the extent permitted by applicable law, inform the Customer of such legal requirement before undertaking the Processing).
10. The Supplier shall take reasonable steps to ensure the reliability of Personnel who have access to the Personal Data, ensuring in each case that such Personnel are subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they Process the Personal Data in compliance with all applicable law and only for the purpose of delivering the Services under the Agreement.
3. Security
11. The Supplier will establish data security in relation to the Processing of Personal Data under this DPA. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of the Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons must be taken into account. Such measures may include, as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
12. In assessing the appropriate level of security, the Supplier shall take into account any risks that are presented by the Processing, in particular, from a Personal Data Breach.
13. The Supplier has laid down the technical and organizational measures in Schedule 2 of this DPA. Technical and organizational measures are subject to technical progress and further development. In this respect, the Processor may implement alternative adequate measures from time to time and shall notify the Customer in writing where it has done so.
4. Sub-Processors
14. The Supplier does not engage any Sub-processors in the Processing of Personal Data under this DPA.
5. Data Subject Rights
15. The Supplier will assist the Customer, as needed, in responding to data subject rights requests under applicable Data Protection Laws.
16. The Supplier shall:
- promptly (and in any event, within 24 hours) notify the Customer if it (or any of its Sub-processors) receives a request from a Data Subject; and
- fully cooperate with and assist the Customer in relation to any request made by a Data Subject, under the Data Protection Law in respect of Personal Data Processed by the Supplier under the terms of the Agreement or this DPA.
6. Personal Data Breaches
17. The Supplier shall:
- notify the Customer without undue delay (in any event, no later than 72 hours) upon becoming aware of any Personal Data Breach affecting the Personal Data Processed by the Supplier under this DPA;
- provide sufficient information to enable the Customer to evaluate the impact of such Personal Data Breach and to meet any obligations on the Customer to report the Personal Data Breach to a Supervisory Authority and/or notify the affected Data Subjects in accordance with the Data Protection Law;
- provide the Customer with such assistance as the Customer may reasonably request; and
- cooperate with the Customer and take such reasonable commercial steps (as directed by the Customer) to assist in the evaluation, investigation, mitigation and remediation of each such Personal Data Breach.
7. Data Protection Impact Assessment and Prior Consultation
18. The Supplier shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent authorities which the Customer considers necessary pursuant to Articles 35 and 36 of the UK GDPR.
19. Such assistance from the Supplier shall be limited, in each case, to the Processing of Personal Data under this DPA.
8. Return and Deletion of Personal Data
20. Upon expiry or termination of the Agreement, the Supplier shall, within 30 days and as agreed in writing by the parties, delete or return all copies of Personal Data processed on behalf of the Customer.
21. The Supplier may retain Personal Data only if and to the extent required by applicable law. In such cases, the Supplier will notify the Customer (where legally permitted) and ensure the continued confidentiality of the retained data. This data will not be used for any purpose other than as required by the applicable law.
22. At the Customer's request, the Supplier will provide written confirmation that it has complied with its obligations under this section.
9. Audits
22. The Supplier shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA.
23. The Supplier shall allow for and contribute to audits, including inspections, by the Customer (or any other auditor mandated by the Customer) in relation to the Processing of Personal Data under this DPA.
24. The Customer (or any other auditor mandated by the Customer) shall give the Supplier reasonable notice of any audit or inspection, and shall make all reasonable endeavours to avoid causing any damage, injury or disruption to the Supplier premises, equipment, personnel and business in the course of the audit or inspection.
25. Such audit rights may be exercised only once in any calendar year during the term of the Agreement and for a period of 3 years following the expiry or termination of the Agreement.
10. External Links and Third-Party Resources
26. Our platform may reference or connect to external websites, data sources, and tools operated by other companies. These external resources are offered for your convenience but remain outside our control. LunaLift does not review, endorse, or take responsibility for content found on third-party sources. Any interactions you have with external sites are solely between you and those providers, and you may be subject to the terms and privacy practices established by those providers.
11. Liability and Indemnity
27. Nothing in this DPA limits or excludes either party's liability for death or personal injury caused by negligence, or for fraud or fraudulent misrepresentation.
28. Each party agrees to defend, indemnify, and hold the other party and its personnel harmless from any claims, losses, costs, expenses (including legal fees), or damages arising from a breach of its obligations under this DPA.
29. Except as stated above, each party's total liability under this DPA is subject to the limitations on damages set out in the main Agreement.
12. General Terms
30. Except for any provisions of this DPA that are intended to continue after the termination or expiry of the Agreement, this DPA will remain in effect for the same duration as the Agreement.
31. Neither party may assign, transfer, or sub-contract any of its rights or obligations under this DPA to a third party without the prior written consent of the other party (such consent not to be unreasonably withheld).
32. Any changes to this DPA must be agreed in writing by both parties to be valid and binding.
33. Any changes to the Agreement must also be agreed in writing by both parties to be valid and binding.
34. The Contracts (Rights of Third Parties) Act 1999 does not apply to this DPA, and no third party shall have any right to enforce or rely on any of its terms.
35. Unless otherwise agreed, no delay or omission by either party in exercising any right or remedy under this DPA will be considered a waiver of that right or remedy.
36. If any part of this DPA is found to be invalid, unlawful, or unenforceable by a court or other competent authority, that part will be removed as necessary, and the rest of the DPA will remain in full force.
37. Any notice required under this DPA (except for legal proceedings) must be in writing and delivered by one of the following methods:
- By first-class post to the recipient's registered office or main business address (deemed received on the second Working Day if posted within the UK, or the tenth Working Day if posted internationally);
- By hand delivery to the recipient's registered office or main business address (deemed received at the time of delivery);
- By email to the recipient's main business email address (deemed received on the next Working Day after sending, unless a delivery failure notice is received).
13. Governing Law and Jurisdiction
38. This DPA will be governed by and interpreted according to the law of England and Wales and all disputes arising under the DPA (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the English and Welsh courts.
Schedule 1 — Processing Activities
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) UK GDPR. The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Personal Data
The Supplier will Process Personal Data as necessary to provide the Services pursuant to the Agreement, and as further instructed by the Customer in its use of the Services.
The types of Personal Data to be Processed
The Customer may submit Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:
- IP address
- User agent
- Hostname
The categories of Data Subject to whom the Personal Data relates
The Customer may submit Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- LLM service providers
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of the Customer (and any Customer Affiliates) are set out in the Agreement and this DPA.
Schedule 2 — Technical and Organizational Measures
The Supplier will conduct the activities covered by this DPA in compliance with its Information Security Policy. The Supplier also has the following technical and organisational measures in place:
- LunaLift collects only the minimum data necessary to optimise content visibility in AI search engines. This includes bot request metadata (hashed versions of IP address, User-Agent and hostname), together with content access patterns and LLM interaction metrics. No personal user data is collected beyond what is strictly required for LLM bot detection and analytics. All identifiers are hashed using SHA-256 immediately upon receipt, making the original data irreversible. LunaLift does not track or process personal data of your site visitors, and the integration involves no cookies or JavaScript execution.
- We maintain robust encryption across all touchpoints. In transit: all communications use HTTPS / TLS 1.3+. At rest: bot traffic data and platform content are stored using full-disk encryption. Endpoints: all employee devices are encrypted and access-controlled. Server-to-server API requests (e.g., structured data retrieval) include only hashed metadata within secure channels.
- All data processed is strictly limited to the following purposes: Monitoring AI search engine crawler activity, optimizing customer content visibility in LLM results, and generating aggregated, anonymous performance reports. No profiling, cross-referencing with personal data, or unauthorized secondary use occurs.
- Hashed bot metadata is retained for a maximum of 24 months to enable trend analysis. Customers may configure hashing preferences, request immediate deletion of their stored data and receive monthly transparency reports outlining what data was collected and how it was used. All deletions are performed using cryptographic erasure methods.
- All services are hosted using trusted cloud providers with physical security and network-level protections, DDoS mitigation, redundancy, failover capabilities, automated updates and vulnerability patching. Content (e.g. llms.txt and structured data) is version-controlled, served via a secure, managed Content Delivery Network (CDN), and embedded server-side to prevent JavaScript injection or manipulation.
- All LunaLift team members complete mandatory GDPR training quarterly, with modules covering bot data handling, hashing protocols, AI-specific privacy and compliance. Access to sensitive systems is restricted and reviewed regularly.
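The hashing-on-receipt and cryptographic-erasure measures listed above, as an added Python illustration that is not LunaLift's code: a keyed hash (HMAC-SHA256) with a hypothetical per-customer key is assumed here rather than a bare SHA-256, so that a pseudonym cannot be recomputed by anyone who does not hold the key, and deleting that key is what makes the stored pseudonyms unrecoverable. The in-memory key store, the field names and the sample request values are all assumptions.

```python
import hashlib
import hmac
import secrets

# Added illustration (not LunaLift's code): keyed pseudonymisation of bot
# request metadata on receipt, and cryptographic erasure by key deletion.


class BotMetadataPseudonymiser:
    """Keyed pseudonymisation of IP address, User-Agent and hostname."""

    FIELDS = ("ip", "user_agent", "hostname")

    def __init__(self):
        # Hypothetical in-memory key store: customer_id -> 32-byte secret key.
        self._keys = {}

    def provision_key(self, customer_id, key=None):
        # A fresh random key per customer; an explicit key is accepted for tests.
        self._keys[customer_id] = key if key is not None else secrets.token_bytes(32)

    def has_key(self, customer_id):
        return customer_id in self._keys

    def pseudonymise(self, customer_id, field, value):
        if field not in self.FIELDS:
            raise ValueError(f"unknown field {field!r}")
        key = self._keys[customer_id]  # KeyError once the key has been erased
        # Domain separation: the same string seen as a hostname and as a
        # User-Agent yields different pseudonyms.
        msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def pseudonymise_request(self, customer_id, ip, user_agent, hostname):
        # Only the hashed metadata is returned for storage; raw values are dropped.
        raw = {"ip": ip, "user_agent": user_agent, "hostname": hostname}
        return {f: self.pseudonymise(customer_id, f, raw[f]) for f in self.FIELDS}

    def erase_customer(self, customer_id):
        # Cryptographic erasure: without the key, stored pseudonyms can no
        # longer be recomputed from, or linked to, new requests.
        self._keys.pop(customer_id, None)


if __name__ == "__main__":
    p = BotMetadataPseudonymiser()
    p.provision_key("customer-a")
    # Constructed sample request from an LLM crawler (values are made up).
    print(p.pseudonymise_request("customer-a", "203.0.113.7",
                                 "Mozilla/5.0 (compatible; ExampleBot/1.0)",
                                 "crawler.example.net"))
    p.erase_customer("customer-a")
    print("key present after erasure:", p.has_key("customer-a"))
```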
