Asset-Lens

Data Processing Addendum

Last updated: April 8, 2026

This Data Processing Addendum ("DPA") forms part of the Asset-Lens Terms of Service between Asset-Lens ("Processor") and the customer ("Controller") when the Controller's use of the Services involves the processing of personal data.

1. Definitions

Capitalized terms have the meanings given in the GDPR or CCPA, as applicable. "Personal Data" means any information relating to an identified or identifiable natural person processed by us on the Controller's behalf.

2. Scope

This DPA applies to all Personal Data processed by Asset-Lens in the course of providing the Services. The Controller appoints Asset-Lens as a Processor.

3. Processing Instructions

Asset-Lens processes Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law.

4. Confidentiality

Asset-Lens ensures that personnel authorized to process Personal Data are bound by confidentiality obligations.

5. Security Measures

Asset-Lens implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access controls and least-privilege principles
  • Multi-factor authentication for administrative access
  • Logging and monitoring of access to Personal Data
  • Regular security reviews and incident response procedures
  • Tenant isolation enforced at the application layer

6. Subprocessors

The Controller authorizes Asset-Lens to engage subprocessors as listed in the Privacy Notice. Asset-Lens will notify the Controller of any intended changes to subprocessors at least 30 days in advance and will ensure each subprocessor is bound by data protection obligations no less protective than those in this DPA.

7. Data Subject Requests

Asset-Lens will assist the Controller, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under applicable law.

8. Personal Data Breaches

Asset-Lens will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.

9. Audits

The Controller may, on reasonable notice and no more than once per year, request information necessary to demonstrate compliance with this DPA.

10. Return or Deletion

Upon termination of the Services, Asset-Lens will return or delete all Personal Data within 60 days, unless retention is required by law.

11. International Transfers

If Personal Data originates in the EEA, UK, or Switzerland, Asset-Lens relies on Standard Contractual Clauses (SCCs) where applicable for transfers to the United States.

12. Contact

Email support@assetlens.io for any DPA questions or to request a signed copy.