Lensym← Back home

Sub-Processors

Third-party DPAs and contracts

Sub-Processor Register

Complete transparency: All our third-party data processing agreements, contracts, and safeguards. This register is updated in real-time as we add or remove sub-processors.

Last updated: September 14, 2024
Version Current

Our Transparency Commitment

Why we publish all our sub-processor agreements

Unlike most companies that provide only basic information about their sub-processors, we publish the actual Data Processing Agreements (DPAs) we've signed. This gives you complete visibility into how your data is protected at every level.

What This Means for You

  • Full transparency: See exactly what protections are in place
  • Legal certainty: Verify compliance with your own requirements
  • Trust verification: Review the actual contracts, not just summaries
  • Academic standards: Meet institutional transparency requirements

Our Selection Criteria

We only work with sub-processors that meet our strict standards:

  • GDPR-compliant data processing agreements
  • SOC 2 Type II or equivalent certifications
  • EU data residency or adequate safeguards
  • Regular security audits and assessments

Current Sub-Processors

All third parties that process personal data on behalf of Lensym

V

Vercel

Application hosting and deployment

Data Processed

Application data, user content, technical logs

Location

European Union (Frankfurt, Germany)

Legal Basis

EU hosting - no international transfer

Contract: 2024-02-01
Reviewed: 2024-09-01
SOC 2 Type IIISO 27001GDPR Compliant
C

Cloudflare

CDN, DDoS protection, Web Application Firewall

Data Processed

IP addresses, request metadata, security logs

Location

Global network with EU data processing

Legal Basis

EU-US Data Privacy Framework

Contract: 2024-01-15
Reviewed: 2024-09-01
SOC 2 Type IIISO 27001PCI DSS
S

Stripe

Payment processing and billing

Data Processed

Billing information, payment data (tokenized)

Location

European Union (Dublin, Ireland)

Legal Basis

EU hosting - no international transfer

Contract: 2024-01-10
Reviewed: 2024-09-01
PCI DSS Level 1SOC 2 Type IIISO 27001
R

Resend

Transactional email delivery

Data Processed

Email addresses, email content, delivery logs

Location

European Union (Frankfurt, Germany)

Legal Basis

EU hosting - no international transfer

Contract: 2024-03-01
Reviewed: 2024-09-01
SOC 2 Type IIGDPR Compliant

Data Processing Safeguards

Additional protections beyond standard DPAs

Technical Safeguards

  • End-to-end encryption for all data transfers
  • Separate encryption keys per customer
  • Network isolation and VPC boundaries
  • Regular security assessments

Legal Safeguards

  • Standard Contractual Clauses (SCCs)
  • Data residency requirements
  • Audit rights and compliance monitoring
  • Data subject rights assistance

Ongoing Monitoring

Quarterly
DPA Reviews
Annual
Security Audits
Real-time
Compliance Monitoring

Change Management

How we handle updates to our sub-processor list

Notification Process

When we add, remove, or change sub-processors, we follow a strict notification process:

1
30 days advance notice via email to all customers
2
Update this register with new information and DPAs
3
Objection period allowing customers to terminate if needed
4
Implementation only after notification period expires

Your Rights

  • Object to new processors: You can object to any new sub-processor
  • Terminate if necessary: If we can't accommodate your objection
  • Data export: Full data portability before any termination
  • No penalties: No fees for termination due to sub-processor changes

Historical Changes

Complete record of sub-processor modifications

Change Log

Added Resend for email delivery

Replaced previous email provider with EU-based solution

2024-03-01
Updated Cloudflare DPA

New version with enhanced data residency provisions

2024-02-15
Initial sub-processor setup

Established DPAs with Vercel, Cloudflare, and Stripe

2024-01-01

Questions and Requests

How to get more information about our sub-processors

Sub-Processor Questions

Email: dpo@lensym.com
Subject: Sub-Processor Inquiry
Response time: Within 48 hours

Enterprise Customers

Email: enterprise@lensym.com
For: Custom DPA requirements
Response time: Within 24 hours

Notification Preferences

Want to be notified about sub-processor changes? All customers are automatically notified via email, but you can also subscribe to our RSS feed for real-time updates.