Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements the LensHub Terms of Service and applies whenever Subsense OÜ (“LensHub”, “Processor”) processes Personal Data on behalf of a Customer (“Customer”, “Controller”) in the course of providing the Service. Capitalised terms not defined here have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, or the Terms of Service, as applicable.
1. Roles & scope
For the purposes of the GDPR, Customer is the Controller of Personal Data contained in Customer Data, and LensHub is the Processor. Where LensHub determines its own purposes for processing (for example, billing, account-contact data, security monitoring), LensHub is an independent Controller solely for that limited purpose, governed by the Privacy Policy.
This DPA applies only to processing activities carried out for the duration of the underlying Service subscription and only to the extent that LensHub processes Personal Data on Customer's behalf.
2. Subject-matter, nature, purpose, and duration
- Subject-matter: processing of Personal Data contained in source content the Customer connects through Service integrations and in associated metadata.
- Nature: ingestion, classification, embedding, indexing, retrieval, audit logging, and serving via APIs / MCP tools.
- Purpose: providing, securing, supporting, and improving the Service for Customer, in accordance with the Terms of Service.
- Duration: for the term of the Service subscription, plus any post-termination period required to allow Customer to export Customer Data and for LensHub to delete it.
- Categories of Personal Data: identifiers (names, emails, usernames), workplace metadata (titles, teams, manager), content authored by data subjects, message metadata, and audit-log fields. Customer may from time to time include additional categories by virtue of the source content it connects.
- Categories of data subjects: Customer's employees, contractors, and other individuals referenced in connected source content.
3. Customer instructions
LensHub will process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless otherwise required by applicable law (in which case LensHub will inform Customer before processing, unless that law prohibits the disclosure on important grounds of public interest). Customer's instructions are formalised in (a) the Terms of Service, (b) this DPA, (c) the Customer's in-product configuration of the Service, and (d) any signed order form.
4. Processor obligations
- Process Personal Data only as set out in Section 3.
- Ensure that personnel authorised to process Personal Data are subject to appropriate confidentiality obligations.
- Implement and maintain the technical and organisational measures described on the Security page, taking into account the state of the art, the costs of implementation, and the risks to data subjects.
- Engage subprocessors only with prior general authorisation from Customer (granted on entry into this DPA), maintain a current subprocessor list, and notify Customer of changes with reasonable opportunity to object on legitimate data-protection grounds. If Customer reasonably objects, the parties will work in good faith to resolve the issue; if not resolved, Customer may terminate the affected portion of the Service.
- Provide reasonable assistance to Customer in fulfilling Customer's obligations to respond to data-subject requests and supervisory-authority enquiries, taking into account the nature of processing and the information available to LensHub.
- Notify Customer without undue delay (and in any event within seventy-two (72) hours of becoming aware) of any Personal Data breach affecting Customer Data, providing the information then available and updating Customer as more information becomes available.
5. Subprocessors
Customer authorises LensHub to engage subprocessors for the purposes set out in Section 2. Current subprocessors include cloud-hosting providers in Customer's selected region, email-delivery services, payment processors, error-monitoring tools, and customer-support tooling. The current list is available on request and as an exhibit to a signed copy of this DPA. LensHub will impose data-protection obligations on subprocessors no less protective than those in this DPA.
6. International transfers
Where Personal Data is transferred outside the EEA, the UK, or Switzerland, the parties rely on the EU Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor as applicable), as supplemented by the UK Addendum or Swiss Addendum where relevant, and the EU–US Data Privacy Framework where applicable. Customer is deemed to have entered into the SCCs with subprocessors on Customer's behalf; LensHub will provide a copy of the executed SCCs on request.
7. Security
LensHub implements the technical and organisational measures described on the Security page, which form part of this DPA. The parties acknowledge that security is a shared responsibility, that the measures may evolve over time provided they continue to provide an equivalent or higher level of protection, and that no system can be made completely secure.
8. Audits
LensHub will make available, on Customer's reasonable request and not more than once per twelve-month period, information necessary to demonstrate compliance with this DPA, including by providing copies of relevant third-party audit reports, when available.
On-site audits are not granted by default. They may be agreed in a signed order form for Enterprise customers, subject to: reasonable advance notice (no less than thirty (30) days), execution of confidentiality undertakings, scope and timing limited to what is reasonably necessary, conduct during business hours, no access to other customers' data or LensHub trade secrets, and reimbursement of LensHub's reasonable costs.
9. Return or deletion
On termination of the Service, Customer may export all Personal Data via the standard export tooling for thirty (30) days. Thereafter, LensHub will delete Personal Data from production systems within thirty (30) days, with backups expiring per the documented retention schedule. Customer may request a written confirmation of deletion. LensHub may retain Personal Data as required by applicable law, in which case LensHub will continue to protect it under this DPA until deletion is permitted.
10. Liability
Liability under this DPA is governed by the limitations set out in the Terms of Service, which apply on an aggregate basis to all claims under the Terms and this DPA. In case of conflict between this DPA and the Terms with respect to Personal Data processing, this DPA prevails.
11. Term & survival
This DPA enters into force on the effective date of the Terms of Service and remains in effect for as long as LensHub processes Personal Data on Customer's behalf. Sections 3, 4(f), 6, 9, 10, and 11 survive termination.
12. Order of precedence
In the event of conflict, the order of precedence is: (i) any signed bespoke DPA between the parties; (ii) this DPA; (iii) the Terms of Service. Other documents (privacy policy, cookie policy, marketing materials) do not modify this DPA.
13. Contact & signed copies
To request a counter-signed copy of this DPA, the current subprocessor list, or the executed SCCs, contact legal@lenshub.ai.