Data Processing Agreement
Last updated: 15 July 2026
This summary describes how Lens processes personal data on your behalf. A countersigned DPA incorporating the EU Standard Contractual Clauses is available on request — email hello@lens.app with your legal entity name.
Roles
For content you upload and process (documents, analyses, chats), your organization is the data controller and Lens is the data processor. We process that data only on your documented instructions — i.e. to provide the service.
Scope of processing
Subject matter: providing document analysis. Duration: for the term of your subscription. Nature and purpose: extraction, indexing, and AI analysis of uploaded documents. Data subjects: individuals referenced in your documents. Categories: whatever your documents contain — you control what you upload.
Security measures
EU-region hosting, encryption in transit and at rest, organization- and project-scoped access controls, MFA and SSO options, and full audit logging. See the Privacy Policy for detail.
Subprocessors
We use vetted subprocessors: EU-region infrastructure (hosting, database, storage), Anthropic (AI processing, under terms prohibiting training on your data), Stripe (payments), and an email delivery provider. We will inform you of changes and give you the opportunity to object.
International transfers
Primary processing takes place in the EU. Where a subprocessor processes data outside the EEA, transfers are covered by Standard Contractual Clauses or an equivalent safeguard.
Data subject requests and assistance
We provide export and deletion tooling (Settings → Compliance) and will assist you in responding to data-subject requests and regulator inquiries. On termination, we delete or return personal data at your choice, subject to legal retention requirements.
Sub-processing and audits
Subprocessors are bound by equivalent obligations. We make available the information needed to demonstrate compliance and will accommodate reasonable audit requests under the signed DPA.