Data Processing Agreement
Effective date: March 26, 2026
This DPA is available for customers who require a data processing agreement for GDPR or other regulatory compliance. To execute this DPA, contact us at hello@pompeiilabs.com.
1. Introduction
This Data Processing Agreement ("DPA") supplements the Terms of Service between Pompeii Labs, Inc. ("Processor," "we," "us") and the customer ("Controller," "you") using Lux Cloud. This DPA takes effect when countersigned by both parties and applies to the extent that we process personal data on your behalf in connection with the Service.
This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that you store in or transmit through the Service.
"Processing" means any operation performed on Personal Data, including storage, retrieval, transmission, and deletion.
"Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
"Data Breach" means any unauthorized access, disclosure, alteration, or destruction of Personal Data.
3. Scope and Purpose of Processing
Subject matter: Managed database hosting and related infrastructure services.
Duration: For the term of your use of the Service.
Nature and purpose: Storage, retrieval, and transmission of data you write to your Lux Cloud instances, as necessary to provide the Service.
Types of Personal Data: Any personal data you choose to store in your Lux instances. We do not require or request that you store personal data, and the specific categories depend on your use case.
Categories of data subjects: Determined by you as the Controller. May include your end users, customers, employees, or other individuals whose data you store.
4. Obligations of the Processor
We shall:
- Process Personal Data only on your documented instructions, unless required by law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including password authentication on all instances, data integrity protections (CRC32 checksums on WAL and disk entries), and network-level protections via our infrastructure providers
- Assist you in responding to data subject requests (access, rectification, erasure, portability)
- Notify you of a Data Breach without undue delay and no later than 72 hours after becoming aware
- Assist you in ensuring compliance with your obligations regarding data protection impact assessments and prior consultation with supervisory authorities
- At your choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by law
- Make available to you all information necessary to demonstrate compliance with this DPA
5. Sub-processors
You authorize us to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Instance hosting and data storage | United States |
| Supabase, Inc. | Authentication and account metadata | United States |
| Stripe, Inc. | Payment processing | United States |
| Cloudflare, Inc. | DNS, CDN, and DDoS protection | United States / Global |
We will notify you before adding or replacing a sub-processor, giving you the opportunity to object. If you object on reasonable grounds related to data protection, we will work with you to find a resolution. If no resolution is possible, you may terminate the affected Service.
6. International Data Transfers
Where Personal Data is transferred outside of the European Economic Area (EEA) or the United Kingdom, we ensure that appropriate safeguards are in place consistent with applicable data protection law.
7. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on your behalf, we will notify you by email within 72 hours of becoming aware of the breach. The notification will include, to the extent available: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Audits
Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may conduct an audit or appoint a third-party auditor (subject to reasonable confidentiality commitments) to verify our compliance. Audits shall be conducted with reasonable advance notice, during normal business hours, and no more than once per year unless required by a supervisory authority or a Data Breach.
9. Data Retention and Deletion
Upon termination of the Service, we will delete your instance data within 30 days unless you request a data export or retention is required by applicable law. You can export your data at any time using the snapshot feature in the dashboard or via the CLI.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted by applicable law.
11. Term
This DPA takes effect when you begin using the Service and remains in effect for as long as we process Personal Data on your behalf. The obligations regarding confidentiality and data deletion survive termination.
12. Contact
For questions about this DPA or to exercise your rights as a Controller, contact us at: