BetterSuite Data Processing Agreement
Last updated: April 13, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Lume Agency ("BetterSuite," "Processor," "we," "us") and the Tenant Operator ("Controller," "you") who has subscribed to the BetterSuite platform under the BetterSuite Terms of Service ("Agreement").
This DPA sets out the terms under which BetterSuite processes Personal Data on behalf of the Controller in connection with the provision of the Platform.
1. Definitions
Terms not defined in this DPA have the meanings given in the BetterSuite Terms of Service and Privacy Policy. In addition:
- "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data applicable to the parties, including but not limited to: the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act (CCPA), and any amendments or replacements thereof.
- "Controller" means the Tenant Operator who determines the purposes and means of processing End User Personal Data through the Platform.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to a Data Subject, as defined in GDPR Article 4(1).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Processor" means BetterSuite (Lume Agency), which processes Personal Data on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.
- "Subprocessor" means a third party engaged by BetterSuite to process Personal Data on behalf of the Controller.
2. Scope and Roles
2.1 Applicability
This DPA applies to the processing of Personal Data by BetterSuite on behalf of the Controller in connection with the Platform services described in the Agreement.
2.2 Roles
- The Controller (Tenant Operator) determines the purposes and means of processing End User Personal Data by selecting which verticals to activate, configuring KYC policies, and defining business rules within the Platform.
- The Processor (BetterSuite) processes Personal Data solely on behalf of the Controller, in accordance with the Controller's documented instructions and this DPA.
2.3 Controller Obligations
The Controller warrants that:
- It has a lawful basis for the processing of Personal Data using the Platform
- It has provided adequate notice to Data Subjects regarding the processing
- It has obtained any required consents from Data Subjects
- Its instructions to BetterSuite comply with Applicable Data Protection Law
- It has conducted any required data protection impact assessments
3. Details of Processing
3.1 Subject Matter
Processing of Personal Data necessary to provide the BetterSuite SaaS platform services as described in the Agreement.
3.2 Duration
Processing continues for the duration of the Agreement, plus any applicable data retention period described in the Privacy Policy.
3.3 Nature and Purpose of Processing
| Processing Activity | Purpose |
|---|---|
| Account management | Creating, authenticating, and managing End User accounts |
| Order processing | Facilitating transactions between End Users (rides, shop orders, bookings, services) |
| Location tracking | Real-time GPS tracking of drivers during active orders for dispatch and navigation |
| Payment processing | Processing payments, managing wallets, facilitating payouts |
| KYC verification | Verifying identity documents for regulatory compliance |
| Communication | Delivering push notifications, emails, SMS, and in-app messages |
| Analytics | Generating performance metrics and operational reports for the Controller |
| Support | Managing support tickets and dispute resolution |
3.4 Types of Personal Data
As detailed in Section 3 of the Privacy Policy, including but not limited to:
- Identity data: names, email addresses, phone numbers, government IDs
- Location data: GPS coordinates, saved addresses, order pickup/dropoff locations
- Financial data: payment method references, wallet balances, transaction records
- Verification data: KYC documents, biometric verification data
- Communication data: chat messages, notification preferences
- Performance data: ratings, completion rates, earnings
- Device data: device platform, push tokens, session information
3.5 Categories of Data Subjects
- Customers (taxi passengers, shop buyers, parking users, service clients)
- Drivers (taxi and delivery)
- Merchants (shop vendors)
- Service Providers
- Parking Spot Providers
- Tenant administrative users (operators, partner admins)
4. Processor Obligations
BetterSuite shall:
4.1 Processing Instructions
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EEA, unless required to do so by applicable law (in which case, BetterSuite shall inform the Controller of that legal requirement before processing, unless prohibited by law)
- Immediately inform the Controller if, in BetterSuite's opinion, an instruction infringes Applicable Data Protection Law
4.2 Confidentiality
- Ensure that all personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Limit access to Personal Data to those personnel who require access to fulfill BetterSuite's obligations under the Agreement
4.3 Security
Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM for sensitive data fields |
| Encryption in transit | TLS 1.2+ for all client-server and inter-service communication |
| Password hashing | bcrypt with appropriate cost factors |
| Access control | Role-based access control (RBAC) with principle of least privilege |
| Multi-tenant isolation | Database-level tenant scoping with unique constraints preventing cross-tenant access |
| Authentication | JWT-based authentication with refresh token rotation and device tracking |
| Backup | Regular encrypted database backups with point-in-time recovery capability |
| Monitoring | Structured JSON logging with security event detection |
| Session management | Automatic session expiry, device-based session tracking, revocation capability |
| Infrastructure | Network segmentation, firewall rules, regular security updates |
BetterSuite shall regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to address evolving threats.
4.4 Subprocessor Management
See Section 6 of this DPA.
4.5 Data Subject Rights
- Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to Data Subject requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection)
- Promptly forward to the Controller any Data Subject request received directly by BetterSuite, unless otherwise agreed
- Provide the Controller with self-service tools in the admin console for managing End User data (where available), including account viewing, status management, and account deletion
4.6 Data Protection Impact Assessments
Assist the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required, by providing relevant information about the Platform's processing activities and security measures.
4.7 Deletion and Return
Upon termination of the Agreement:
- Make available to the Controller all Personal Data processed on its behalf within the 30-day post-termination export window described in the Terms of Service
- After the export window, securely delete all Personal Data processed on behalf of the Controller, except where retention is required by Applicable Data Protection Law (e.g., KYC documents retained for AML compliance per the retention schedule in the Privacy Policy)
- Upon request, certify in writing that deletion has been completed
5. Personal Data Breach Notification
5.1 Notification to Controller
BetterSuite shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller's data. The notification shall include:
- A description of the nature of the breach, including (where possible) the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of BetterSuite's point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its effects
5.2 Cooperation
BetterSuite shall:
- Cooperate with the Controller and take reasonable steps to assist in investigating, mitigating, and remediating the breach
- Provide timely updates as additional information becomes available
- Maintain records of all Personal Data Breaches, including the facts, effects, and remedial actions taken, and make such records available to the Controller upon request
5.3 Controller Notification Obligations
The Controller retains responsibility for:
- Notifying the relevant supervisory authority within 72 hours per GDPR Article 33 (BetterSuite's 48-hour notification to the Controller allows time for this)
- Notifying affected Data Subjects per GDPR Article 34, where required
- Determining the scope and content of notifications based on its own assessment of the breach
6. Subprocessors
6.1 Authorization
The Controller provides general written authorization for BetterSuite to engage the Subprocessors listed in Section 6.3. BetterSuite shall impose data protection obligations on each Subprocessor that are no less protective than those set out in this DPA.
6.2 Changes to Subprocessors
BetterSuite shall:
- Notify the Controller at least 30 days in advance of any intended addition or replacement of a Subprocessor, including the Subprocessor's name, location, and processing activities
- Provide the Controller with an opportunity to object to the change on reasonable data protection grounds
- If the Controller objects and BetterSuite cannot reasonably accommodate the objection, the Controller may terminate the affected services without penalty
6.3 Current Subprocessors
| Subprocessor | Location | Processing Activities | Data Processed |
|---|---|---|---|
| Stripe, Inc. | United States (with global infrastructure) | Payment processing, subscription billing, merchant/driver payouts (Stripe Connect) | Payment method tokens, billing details, payout account references, transaction records |
| Sumsub (Sum and Substance Ltd) | United Kingdom / EU | KYC and identity verification | Government IDs, selfies, biometric data, address proofs, business documents |
| Google LLC (Maps Platform) | United States | Geocoding, routing, place search, distance calculation | Addresses, geographic coordinates, route queries |
| Google LLC (Firebase/FCM) | United States | Push notification delivery | Device tokens, notification content |
| Mapbox, Inc. | United States | Geocoding, routing, place search (where configured by Controller) | Addresses, geographic coordinates, route queries |
| HERE Global B.V. | Netherlands | Geocoding, routing (where configured by Controller) | Addresses, geographic coordinates |
| TomTom N.V. | Netherlands | Geocoding, routing (where configured by Controller) | Addresses, geographic coordinates |
| Email delivery provider | As configured by Controller | Transactional email delivery | Recipient email addresses, email content |
| SMS delivery provider | As configured by Controller | OTP verification and transactional SMS | Recipient phone numbers, message content |
Map, email, and SMS providers are configurable per tenant. The Controller selects these providers through the Platform configuration. BetterSuite will maintain an up-to-date list of all available providers.
6.4 Subprocessor Liability
BetterSuite remains fully liable to the Controller for the performance of each Subprocessor's obligations. Where a Subprocessor fails to fulfill its data protection obligations, BetterSuite shall be liable to the Controller for the Subprocessor's failures as if they were BetterSuite's own.
7. International Data Transfers
7.1 Transfer Mechanisms
Where Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, BetterSuite shall ensure that adequate safeguards are in place, including:
-
Standard Contractual Clauses (SCCs): BetterSuite incorporates the European Commission's SCCs (Commission Implementing Decision 2021/914) for transfers to Subprocessors in countries without an adequacy decision. The applicable SCCs are:
- Module Two (Controller to Processor): For transfers of Controller's data to BetterSuite where BetterSuite is established outside the EEA
- Module Three (Processor to Sub-processor): For BetterSuite's transfers to Subprocessors outside the EEA
-
Adequacy Decisions: Where the European Commission has determined that a country provides an adequate level of data protection (e.g., under the EU-US Data Privacy Framework for certified US companies)
-
Supplementary Measures: Where required by the "Schrems II" decision (CJEU C-311/18), BetterSuite implements supplementary technical measures including encryption in transit and at rest, pseudonymization, and access controls
7.2 Transfer Impact Assessments
BetterSuite shall conduct transfer impact assessments for each Subprocessor receiving data outside the EEA, evaluating the laws and practices of the destination country and the effectiveness of the transfer mechanism and supplementary measures.
7.3 Government Access Requests
If BetterSuite receives a legally binding request from a public authority for disclosure of Personal Data processed under this DPA, BetterSuite shall:
- Promptly notify the Controller (unless legally prohibited)
- Challenge the request where there are reasonable grounds to consider it unlawful
- Provide the minimum amount of Personal Data permissible under the request
8. Audit Rights
8.1 Information and Documentation
BetterSuite shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, including:
- Documentation of technical and organizational security measures
- Records of processing activities (GDPR Article 30)
- Subprocessor agreements (in summary or redacted form where commercial confidentiality requires)
- Results of security assessments or penetration tests (in summary form)
- Incident response and breach notification records (as applicable to the Controller)
8.2 Audits
The Controller (or an independent third-party auditor appointed by the Controller) may conduct audits to verify BetterSuite's compliance with this DPA, subject to the following conditions:
- Audits require at least 30 days' advance written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt BetterSuite's operations
- The Controller (or its auditor) shall comply with BetterSuite's reasonable security and confidentiality requirements
- Audit scope is limited to processing activities performed on behalf of the requesting Controller
- Audits may not occur more than once per 12-month period, unless required by a supervisory authority or following a Personal Data Breach
- The Controller bears the costs of any audit it initiates
8.3 Certifications and Reports
Where available, BetterSuite may satisfy audit requests by providing:
- Third-party security audit reports or certifications (e.g., SOC 2, ISO 27001)
- Penetration test summaries
- Compliance attestation letters
The Controller agrees to accept such reports and certifications in lieu of an on-site audit where they reasonably address the Controller's audit objectives.
9. Data Retention and Deletion
9.1 Retention During Agreement
During the term of the Agreement, BetterSuite retains Personal Data as necessary to provide the Platform services, in accordance with the retention schedule set out in the Privacy Policy:
| Data Category | Retention Period |
|---|---|
| End User account data | Duration of account, deleted upon account deletion request (immediately or with 30-day delay per role) |
| Location trail data | 6 months from collection date |
| KYC/identity documents | 7 years by default (configurable: 1, 3, 5, 7, or 10 years per Controller's retention policy) |
| Order and transaction records | Duration of Tenant subscription |
| Chat messages | Duration of account lifetime |
| Session data | Until session expiry or revocation |
9.2 Retention After Termination
Upon termination of the Agreement:
- Days 1-30 (Export Window): Personal Data remains available for export. The Controller may request a data export during this period.
- After Day 30: Personal Data is securely deleted using industry-standard methods (cryptographic erasure or physical destruction of storage media, as applicable).
- Exceptions: The following data is retained beyond the export window where required by law:
- KYC documents per the applicable retention policy (for AML/KYB compliance)
- Billing and invoice records per applicable tax and accounting law
- Any data subject to a legal hold or pending legal proceeding
9.3 Deletion Certification
Upon request, BetterSuite shall provide written certification that deletion has been completed, specifying the date of deletion and the categories of data deleted, within 30 days of completing the deletion process.
10. Liability
10.1 Allocation
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Agreement (Terms of Service, Section 14).
10.2 Regulatory Fines
Nothing in this DPA limits either party's liability for regulatory fines imposed directly on that party by a supervisory authority. Each party is responsible for fines imposed on it for its own violations of Applicable Data Protection Law.
10.3 Indemnification
Each party shall indemnify the other against damages, costs, and expenses arising from the indemnifying party's breach of this DPA, subject to the liability cap in the Agreement.
11. Term and Termination
11.1 Term
This DPA takes effect on the date the Controller accepts the Agreement (Terms of Service) and remains in effect for the duration of the Agreement, including any post-termination data retention period.
11.2 Survival
Sections 4.7 (Deletion and Return), 5 (Breach Notification), 7 (International Transfers), 8 (Audit Rights), 9 (Retention and Deletion), and 10 (Liability) survive termination of this DPA.
12. Governing Law
This DPA is governed by the same governing law as the Agreement (Terms of Service, Section 16). Where Applicable Data Protection Law requires application of a specific jurisdiction's law (e.g., GDPR requiring EU/EEA law for EU Data Subjects), that law applies to the extent of the conflict.
13. Amendments
BetterSuite may update this DPA to reflect changes in Applicable Data Protection Law, regulatory guidance, or BetterSuite's processing activities. Material changes require 30 days' advance notice to the Controller. The Controller's continued use of the Platform after the notice period constitutes acceptance. If the Controller objects to a material change, the Controller may terminate the Agreement without penalty.
14. Contact
For questions about this DPA, data protection matters, or to exercise audit rights:
Legal Entity: Lume Agency
Email: [email protected]
Subject Line: "DPA Inquiry"
