Data Processing Agreement

Last updated: May 2026 · Aligned to UK GDPR & Data Protection Act 2018

This agreement governs the processing of personal data carried out by lensoLABS on behalf of its clients in connection with the delivery of digital engineering services.

1. Definitions

In this Agreement: "Controller" means the client engaging lensoLABS; "Processor" means lensoLABS; "Personal Data" has the meaning given in UK GDPR Article 4; "Processing" means any operation performed on Personal Data; "Sub-processor" means any third party engaged by lensoLABS to process Personal Data on behalf of the Controller.

2. Scope and Purpose

This Data Processing Agreement ("DPA") governs the processing of Personal Data by lensoLABS (as Processor) on behalf of the client (as Controller) in connection with the provision of digital engineering services. The nature, purpose, duration, and types of Personal Data processed are as defined in the relevant Statement of Work or Master Services Agreement.

3. Processing Instructions

lensoLABS shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law. lensoLABS shall promptly notify the Controller if, in its opinion, an instruction infringes applicable data protection law.

4. Confidentiality

lensoLABS ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, lensoLABS shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include: encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256); access controls limiting processing to authorised personnel only; and regular testing and evaluation of the effectiveness of security measures.

6. Sub-processors

lensoLABS shall not engage a Sub-processor without prior specific or general written authorisation from the Controller. Where general written authorisation is given, lensoLABS shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object. Current Sub-processors include: Vercel Inc. (infrastructure hosting), Supabase Inc. (database), and Resend Inc. (transactional email). Each is bound by equivalent data protection obligations.

7. Data Subject Rights

lensoLABS shall, insofar as possible, assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of UK GDPR. All such requests received directly by lensoLABS shall be forwarded to the Controller without undue delay.

8. Data Breach Notification

lensoLABS shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Notification shall include, where possible: a description of the nature of the breach; the categories and approximate number of data subjects concerned; the likely consequences; and the measures taken or proposed to address the breach.

9. Data Transfers

lensoLABS shall not transfer Personal Data to a country outside the UK or EEA without ensuring appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions as applicable.

10. Deletion and Return

At the choice of the Controller, lensoLABS shall delete or return all Personal Data to the Controller after the end of the provision of services, and shall delete existing copies unless applicable law requires storage of the Personal Data.

11. Audit Rights

lensoLABS shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

12. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. To request a countersigned DPA for your organisation, contact enquiries@lensolabs.com.

Request a countersigned DPA

Enterprise clients requiring a countersigned DPA for vendor procurement should contact us at enquiries@lensolabs.com. We will return a signed copy within two business days.