top of page

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force on the 25 May 2018 and imposes more stringent rules for the use and storage of personal data by companies operating in the EU (being those established in the EU, and also those established outside of the EU, where such companies process EU data subjects’ personal data, in connection with their business).

At Luminoso we have taken all necessary steps, both internally and in conjunction with our third-party cloud-hosting providers, to ensure compliance with GDPR.

Customer Data

Luminoso’s products analyze data provided and controlled by its customers; data is never duplicated or stored outside of the third-party cloud hosting environments in which Luminoso’s products are deployed.

Luminoso’s Compliance

Luminoso has a GDPR compliance program that was designed with the support of a third-party firm retained to perform our Service Organization Control 2 audit.  Important compliance actions include taking the following steps:

  • Customer Contracts. We have updated our contractual templates to clarify and comply with our obligations in processing customer data through our products and services.

  • Data Residency. Our services deployed in multiple regions around the globe that our customers, as Data Controllers, may choose from.

  • Data Masking. All data, including personal data in a customer’s program, can be viewed only by users with appropriate permissions.

  • Data Access and Correction. Luminoso can correct or otherwise modify database records at the request of our customers.

  • Data Security. Security testing and monitoring is regularly reviewed and updated using a combination of internal resources, external auditors, and accredited 3rd party testing.

  • Contract Terms. All client data is destroyed at the end of a contract period if it has not been renewed.

  • The “Right to be Forgotten.” Luminoso’s policies and procedures are designed to enable GDPR-compliant deletion of personal information as requested by our customers. As Luminoso primarily operates as a Data Processor, consumers seeking GDPR-compliant deletion of their personal information from Luminoso systems must submit their request to the appropriate Data Controller. Persons seeking removal from Luminoso’s marketing records (or other systems for which Luminoso is a Data Controller) should submit a request to


Should you have specific queries relating to Luminoso’s compliance with the GDPR, please email

bottom of page