Data Processing Agreement

Last updated: 15 July 2026

This summary describes how Lens processes personal data on your behalf. A countersigned DPA incorporating the EU Standard Contractual Clauses is available on request — email hello@lens.app with your legal entity name.

Roles

For content you upload and process (documents, analyses, chats), your organization is the data controller and Lens is the data processor. We process that data only on your documented instructions — i.e. to provide the service.

Scope of processing

Subject matter: providing document analysis. Duration: for the term of your subscription. Nature and purpose: extraction, indexing, and AI analysis of uploaded documents. Data subjects: individuals referenced in your documents. Categories: whatever your documents contain — you control what you upload.

Security measures

EU-region hosting, encryption in transit and at rest, organization- and project-scoped access controls, MFA and SSO options, and full audit logging. See the Privacy Policy for detail.

Subprocessors

We use vetted subprocessors: EU-region infrastructure (hosting, database, storage), Anthropic (AI processing, under terms prohibiting training on your data), Stripe (payments), and an email delivery provider. We will inform you of changes and give you the opportunity to object.

International transfers

Primary processing takes place in the EU. Where a subprocessor processes data outside the EEA, transfers are covered by Standard Contractual Clauses or an equivalent safeguard.

Data subject requests and assistance

We provide export and deletion tooling (Settings → Compliance) and will assist you in responding to data-subject requests and regulator inquiries. On termination, we delete or return personal data at your choice, subject to legal retention requirements.

Sub-processing and audits

Subprocessors are bound by equivalent obligations. We make available the information needed to demonstrate compliance and will accommodate reasonable audit requests under the signed DPA.