Data Processing Addendum

This DPA forms part of the Master Subscription Agreement and governs the processing of Personal Data by Luminex Global Inc. on Customer's behalf under the GDPR, CCPA, and analogous laws.

Last updated April 2026

Plain-language summary

Customer is the Controller. Luminex Global Inc. is the Processor. We process Customer's Personal Data only on documented instructions, only to deliver the Riley service. We do not sell data, do not train AI on it, and retain it only as needed. We support Customer in honoring data-subject rights within legal SLAs. Subprocessors are disclosed at Disclosures section 18; material changes are notified 30 days in advance.

1. Roles

Customer is the Controller (or Business under CCPA). Luminex Technologies LLC is the Processor (or Service Provider under CCPA). Where Customer's underlying data subjects include patients, Customer is also the Covered Entity under HIPAA and a parallel BAA applies. See the HIPAA Notice.

2. Scope and instructions

Luminex processes Personal Data only to deliver the Riley service to Customer per the MSA. Categories of Personal Data: practice contact info, patient identifiers (where authorized), and review, AR, and recall content. Categories of data subjects: Customer's staff and Customer's patients (where authorized). Processing duration: subscription term plus 90 days for export.

3. Confidentiality and staff

All Luminex personnel with access to Personal Data are bound by confidentiality obligations and least-privilege role-based access controls.

4. Security measures

Technical and organizational measures listed on the Security page: encryption at rest (AES-256), encryption in transit (TLS 1.3), OAuth-only authentication, per-tenant isolation, automatic PII scanning, immutable audit logs, and SOC 2 readiness work (not certification).

5. Subprocessors

Customer authorizes the use of subprocessors listed in Disclosures section 18. Material changes are posted 30 days in advance. Each subprocessor is bound by data-protection terms consistent with this DPA.

6. Data subject rights

Luminex assists Customer in honoring data subject rights (access, deletion, correction, portability, objection) within applicable legal SLAs: 30 days for HIPAA and GDPR, 45 days for CCPA. Customer initiates requests via privacy@hireriley.com.

7. International transfers

Customer Personal Data is processed in the United States. For EU and UK transfers (when applicable), Luminex relies on the EU Standard Contractual Clauses 2021/914 (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum.

8. Audits

Customer may audit Luminex's compliance with this DPA on 30 days' notice, no more than once per 12 months, at Customer's expense, subject to confidentiality. SOC 2 reports satisfy audit obligations once issued.

9. Breach notification

Luminex notifies Customer of Personal Data breaches without undue delay and within 72 hours of becoming aware as required by GDPR Article 33. Notification includes the nature of the breach, categories and approximate number affected, likely consequences, and remediation steps.

10. Termination and deletion

Upon termination, Customer has 90 days to export Personal Data. After 90 days, Luminex deletes or returns Personal Data per Customer instruction. Backup data follows 90-day rolling retention and is then purged. Aggregated, fully anonymized data is not subject to deletion.


DPA template for execution at signup or on request: legal@hireriley.com. See also Terms, Privacy, HIPAA Notice, Security, and Disclosures.