Data Processing Agreement
Last Updated: 12/05/2026
✨ TL;DR (The Short Version)
This agreement is for our B2B customers. If you are just a regular user, our standard Privacy Policy applies to you.
- →Your Role: You are the "Data Controller." You decide what client or employee data you put into Illumaze systems (like HR or inventory modules).
- →Our Role: We are the "Data Processor." We only store and process that data based on your instructions (i.e., you using our software).
- →Compliance: It is your legal responsibility to ensure you have the right to collect and store the data you upload to our platform.
1. Scope and Applicability
This Data Processing Agreement ("DPA") applies when Illumaze processes Personal Data on behalf of you (the "Customer") while providing our business management modules, hosting, or development platforms. This DPA forms part of our Terms of Service. In the context of the UK General Data Protection Regulation (UK GDPR), the Customer is the Data Controller and Illumaze is the Data Processor.
2. Roles and Responsibilities
Customer Obligations: You guarantee that all Personal Data provided to Illumaze has been collected legally and that you have the lawful basis to transfer this data to us for processing. You are solely responsible for answering any data subject requests (e.g., a request from your employee to delete their HR records).
Illumaze Obligations: We will only process Personal Data in accordance with your documented instructions (which includes your normal use of our platform UI and APIs). We will not use your Personal Data for our own independent marketing or analytics purposes.
3. Security Measures
Illumaze shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or accidental access, loss, alteration, or disclosure. This includes utilizing encrypted databases, secure API endpoints, and strict internal access controls.
4. Sub-processors
You grant Illumaze general authorization to engage third-party sub-processors to fulfill our service obligations. These currently include infrastructure providers (such as OVH Cloud and Clouvider) and transactional services. We ensure all sub-processors are bound by written agreements that require them to provide at least the level of data protection required by this DPA. We will provide 30 days' notice of any new sub-processors.
5. Data Breach Notification
In the event of a confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of your Personal Data, Illumaze will notify you without undue delay (and in any event, within 48 hours of becoming aware). We will provide reasonable assistance to help you meet your regulatory reporting obligations to the Information Commissioner's Office (ICO).
6. Deletion or Return of Data
Upon termination of your account or subscription, Illumaze will, at your choice, delete or return all Customer Personal Data within our systems, unless applicable law requires the continued storage of such data. Backups containing Personal Data will be securely overwritten in accordance with our standard backup rotation schedule.
7. Liability
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the main Terms of Service.