Luminar Invest
Open account
Brass scales of justice on marble
Privacy

Data Processing Agreement

Last updated: May 26, 2026

1. Scope

This Data Processing Agreement ("DPA") forms part of the service agreement between Luminar Invest Capital DMCC ("Processor") and the Business Client ("Controller") and applies where Luminar Invest processes personal data on behalf of the Controller. It is aligned with EU Regulation 2016/679 (GDPR) Article 28 and UAE Federal Decree-Law No. 45 of 2021 (PDPL).

2. Subject matter and duration

  • Subject matter: processing of client and beneficial owner personal data for wealth management services
  • Duration: for the term of the underlying service agreement, plus retention periods
  • Nature and purpose: onboarding, KYC, transaction processing, reporting, support

3. Categories of data and data subjects

  • Identity data, contact data, financial data, transactional data, device data
  • Data subjects: end clients, beneficial owners, authorised representatives

4. Processor obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorised to process the data are bound by confidentiality
  • Implement appropriate technical and organisational measures (encryption at rest and in transit, access control, MFA, logging, segregation)
  • Assist the Controller with data subject requests and DPIAs
  • Notify the Controller within 72 hours of becoming aware of a personal data breach
  • At end of services, return or delete personal data unless retention is required by law

5. Sub-processors

The Controller authorises Luminar Invest to engage sub-processors listed in Annex B (custodians, identity verification, cloud hosting, email infrastructure). Luminar Invest will notify the Controller of any intended changes and gives a right to object on reasonable grounds.

6. International transfers

Where personal data is transferred outside the UAE or EEA, the transfer is governed by appropriate safeguards (Standard Contractual Clauses, adequacy decision, or recognised certifications).

7. Audit

The Controller may, no more than once per year and with 30 days' notice, audit Luminar Invest's compliance with this DPA — directly or through an independent auditor bound by confidentiality. Luminar Invest may instead provide a SOC 2 Type II or ISO 27001 audit report.

8. Request a signed copy

To request a counter-signed PDF of this DPA, email contact@luminarinvest.com with your entity name, registered address and authorised signatory.