
Data Processing Agreement

B2B terms for organizations collecting personal data

Data Processing Agreement (DPA)

This agreement governs the processing of personal data when you use Lensym to collect personal information from survey respondents.

Last updated: September 14, 2024
Version 1.2

When This DPA Applies

Understanding when you need this agreement

This Data Processing Agreement (DPA) applies when you use Lensym to collect personal data from survey respondents. Under GDPR, you are the "Controller" and Lensym is your "Processor."

You Need This DPA If:

  • You collect personal data (names, emails, etc.) in your surveys
  • You are subject to GDPR or other privacy regulations
  • You represent an organization, institution, or business
  • Your surveys are used for research involving personal data

You May Not Need This DPA If:

  • You only collect anonymous, non-personal responses
  • You use Lensym for personal, non-commercial purposes
  • Your surveys don't collect identifiable information

Data Processing Details

What data we process and how

Types of Personal Data

  • Survey responses containing personal information
  • Email addresses (if collected)
  • Names and demographic information
  • Any other personal data you choose to collect

Processing Activities

  • Collection and storage of survey responses
  • Providing analytics and reporting features
  • Enabling data export and management
  • Technical support and platform maintenance

Your Obligations as Data Controller

What you must do to comply with privacy laws

Legal Requirements

  • Obtain proper consent: Ensure respondents consent to data collection
  • Provide privacy notices: Tell respondents how their data will be used
  • Respect data subject rights: Handle access, deletion, and other requests
  • Ensure lawful basis: Have a legal basis for collecting personal data

Best Practices

  • Only collect personal data that you actually need
  • Use clear, plain language in your privacy notices
  • Implement appropriate data retention policies
  • Train your team on privacy requirements

Lensym's Obligations as Data Processor

Our commitments to protecting your respondents' data

Our Commitments

  • Process only on your instructions: We only use data as you direct
  • Maintain security: Implement appropriate technical and organizational measures
  • Assist with rights requests: Help you respond to data subject requests
  • Notify of breaches: Alert you within 72 hours of any security incidents

Security Measures

  • Encryption of data in transit and at rest
  • Regular security audits and assessments
  • Access controls and authentication requirements
  • Staff training on data protection requirements

International Data Transfers

How we handle data transfers outside the EU

EU Data Stays in EU

For EU customers, we process and store personal data within the European Union:

  • Primary hosting in EU data centers
  • Database replication within EU boundaries
  • Backup storage in EU-based facilities
  • Sub-processors with EU operations

Safeguards for Non-EU Transfers

When limited transfers outside the EU are necessary (e.g., for technical support), we use:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where available
  • Additional safeguards and impact assessments
  • Minimization of data transferred

Sub-Processors

Third parties we work with and their safeguards

We work with carefully selected sub-processors to provide our services. All sub-processors have signed data processing agreements with equivalent protections to this DPA.

Current Sub-Processors

  • Vercel (Hosting): EU hosting, DPA signed
  • Cloudflare (CDN/Security): EU processing, DPA signed
  • Stripe (Payments): Billing only, DPA signed

Full transparency: View all our sub-processor agreements at /trust/processors

Data Subject Rights Support

How we help you handle individual rights requests

When survey respondents exercise their GDPR rights, we provide tools and support to help you respond:

Right of Access

Export individual response data

Right to Rectification

Edit or correct response data

Right to Erasure

Delete individual responses

Data Portability

Export in machine-readable formats

Our Support

  • Built-in tools for data management
  • Technical assistance with complex requests
  • Guidance on legal requirements
  • 30-day response time commitment

Security Incident Procedures

What happens if there's a data breach

Our Incident Response

  • Immediate containment: Stop the breach and secure systems
  • Assessment: Determine scope and impact of the incident
  • Notification: Alert you within 72 hours of discovery
  • Remediation: Fix vulnerabilities and prevent recurrence

Your Responsibilities

  • Assess whether notification to supervisory authorities is required
  • Determine if data subjects need to be informed
  • Document the incident and response measures
  • Cooperate with our investigation and remediation efforts

Termination and Data Return

What happens to data when the agreement ends

Data Handling on Termination

  • 30-day grace period: Export your data after account closure
  • Complete deletion: All data permanently removed after grace period
  • Certification: Written confirmation of deletion provided
  • Backup cleanup: All backup copies also deleted

Contact and Signature

How to execute this agreement

Agreement Execution

This DPA is automatically incorporated into your Lensym Terms of Service when you use our platform to collect personal data. No separate signature is required for standard use.

For Custom DPAs

Enterprise customers requiring customized terms can contact:
Email: legal@lensym.com

DPA Questions

For questions about this agreement:
Email: dpo@lensym.com