This Data Processing Agreement ("DPA") forms part of the service agreement (the "Agreement") between the client (the "Controller") and Luniq (trademark of Homiq BV), acting as Processor.
This DPA is entered into to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the services provided under the Agreement.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR.
- "Controller" means the natural or legal person that determines the purposes and means of the Processing of Personal Data (the client).
- "Processor" means the natural or legal person that processes Personal Data on behalf of the Controller (Luniq / Homiq BV).
- "Sub-processor" means any third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 GDPR. For Belgium, this is the Gegevensbeschermingsautoriteit (GBA).
2. Scope and purpose
This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in the context of the services provided under the Agreement.
The Processor shall process Personal Data only to the extent necessary to perform the services under the Agreement and in accordance with the Controller's documented instructions.
Details of the processing
| Item | Details |
|---|---|
| Subject matter | Web design, web development, hosting, maintenance, AI-assisted content creation and optimization (Orbit), and related digital services as described in the Agreement. |
| Duration | For the term of the Agreement, plus any period required for data deletion or return. |
| Nature and purpose | Processing of Personal Data as necessary to provide the contracted services, including: website development and deployment (Launched); AI-assisted content generation, search performance analysis, content optimization, hosting, and website maintenance (Orbit); analytics integration; and email processing. |
| Types of Personal Data | Names, email addresses, phone numbers, IP addresses, device/browser data, usage data, search performance data (keywords, impressions, clicks via Google Search Console), and any other personal data submitted through forms or collected via the Controller's website. |
| Categories of Data Subjects | Website visitors, end users, customers, employees, and other individuals whose data is submitted or collected through the Controller's digital properties. |
3. Obligations of the Controller
The Controller shall:
- Ensure that the Processing of Personal Data is based on a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR).
- Provide the Processor with documented instructions regarding the Processing of Personal Data.
- Ensure that Data Subjects have been informed about the Processing in accordance with Articles 13 and 14 GDPR.
- Be responsible for the accuracy, quality, and legality of the Personal Data provided to the Processor.
- Respond to and fulfill Data Subject requests unless otherwise agreed in writing.
- Notify the Processor without undue delay of any changes to applicable data protection laws that may affect the Processor's obligations under this DPA.
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law (Article 28(3)(a) GDPR).
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR).
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
- Respect the conditions for engaging sub-processors as set out in Section 5 of this DPA and Article 28(2) and (4) GDPR.
- Assist the Controller, taking into account the nature of the Processing, by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to Data Subject requests (Article 28(3)(e) GDPR).
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the Processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage (Article 28(3)(g) GDPR).
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits and inspections (Article 28(3)(h) GDPR).
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions (Article 28(3) GDPR).
5. Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors, subject to the conditions below.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. The Controller may object within 14 days of being notified. If no objection is raised, the change is deemed accepted.
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, in accordance with Article 28(4) GDPR. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
Current sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Analytics | Website analytics and measurement | United States (EU SCCs) |
| Resend | Transactional and operational email delivery | United States (EU SCCs) |
| ClickUp | CRM and project management | United States (EU SCCs) |
| Notion | Internal documentation and operations | United States (EU SCCs) |
| Railway | Hosting infrastructure | United States (EU SCCs) |
| Vercel | Frontend hosting and deployment | United States (EU SCCs) |
| Supabase | Database and backend services | EU (Frankfurt) |
This list may be updated from time to time. The Controller will be notified of any changes in accordance with the procedure described above.
6. Data subject rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Chapter III of the GDPR, including the right of access, rectification, erasure, restriction, data portability, and objection.
If a Data Subject contacts the Processor directly with a request, the Processor shall promptly redirect the request to the Controller and shall not respond to the Data Subject without the Controller's prior written authorization, unless legally required to do so.
The Processor shall implement appropriate technical and organizational measures to assist the Controller in responding to such requests, taking into account the nature of the Processing.
7. Security measures
In accordance with Article 32 GDPR, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption of Personal Data in transit (TLS/SSL) and at rest where applicable.
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- Access controls limiting access to Personal Data to authorized personnel on a need-to-know basis.
- Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
- Secure development practices, including code reviews, dependency management, and secure deployment pipelines.
- Use of up-to-date software, frameworks, and security patches.
The Processor shall regularly review and, where necessary, update these measures to ensure continued appropriateness in light of the state of the art, implementation costs, and the nature, scope, context, and purposes of the Processing.
8. Data breach notification
The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. This notification shall be made within 48 hours at the latest.
The notification shall include, to the extent possible:
- A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned.
- The name and contact details of the Processor's contact point for further information.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach. The Processor shall also assist the Controller in meeting the Controller's obligations under Articles 33 and 34 GDPR (notification to the supervisory authority and communication to data subjects).
9. International data transfers
The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place in accordance with Chapter V of the GDPR.
Where transfers to third countries are necessary (e.g., to sub-processors based in the United States), the Processor shall ensure that one of the following transfer mechanisms applies:
- An adequacy decision by the European Commission (Article 45 GDPR).
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Article 46(2)(c) GDPR).
- Binding Corporate Rules (Article 47 GDPR).
- Other approved safeguards or derogations under Articles 46 or 49 GDPR.
Where Standard Contractual Clauses are relied upon, the Processor shall carry out a transfer impact assessment where required and implement supplementary measures as necessary to ensure an essentially equivalent level of protection.
10. Audit rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall provide reasonable prior notice (at least 14 business days) and shall ensure that audits are conducted during normal business hours with minimal disruption to the Processor's operations.
The costs of any audit shall be borne by the Controller, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear reasonable audit costs.
The Processor may satisfy audit requests by providing relevant certifications, audit reports, or summaries from independent third-party auditors, where available.
11. Duration and termination
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon expiration or termination of the Agreement.
Upon termination of this DPA or the Agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller, and delete existing copies, unless Union or Member State law requires the continued storage of such data.
The Processor shall certify in writing that it has fulfilled the obligations set out in this section, upon request by the Controller.
Obligations relating to confidentiality, data breach notification, and any other provisions that by their nature should survive termination shall survive the termination of this DPA.
12. Liability
Each party shall be liable for damages caused by Processing that infringes the GDPR in accordance with Article 82 GDPR.
The Processor shall be liable for damage caused by Processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller.
Any limitations of liability agreed upon in the Agreement shall also apply to this DPA, to the extent permitted by applicable law.
13. Governing law
This DPA shall be governed by and construed in accordance with the laws of Belgium, without regard to its conflict of laws provisions.
Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Bruges, Belgium.
Where there is a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
14. Contact
For questions or requests related to this Data Processing Agreement, please contact:
Luniq (Homiq BV)
Kruisvest 5B, 8000 Brugge, Belgium
VAT: BE1020.314.690
Email: legal@luniq.io



