Legal
Data Processing Addendum
This page provides an overview of our Data Processing Addendum (DPA) for clients whose engagements involve the processing of personal data. To execute a DPA, please contact our legal team.
Introduction
A Data Processing Addendum (DPA) is a legally binding agreement between a data controller (typically, our client) and a data processor (Central Lense Inc.) that governs the processing of personal data in connection with the services we provide.
A DPA applies whenever Central Lense processes personal data on behalf of a client as part of a service engagement, for example, when managing IT infrastructure that stores employee records, customer databases, patient health information, or financial data. The DPA supplements and is incorporated into the master service agreement or other governing contract between Central Lense and the client.
Please note: This page is an informational overview of what our DPA covers. It does not constitute an executed Data Processing Addendum. To request and execute a DPA tailored to your engagement, please contact us at [email protected].
Definitions
The following key terms are used throughout our Data Processing Addendum. We include terminology from both the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to ensure broad applicability:
- Data Controller / Business, The entity that determines the purposes and means of processing personal data. Under GDPR, this is the "controller"; under CCPA, this is the "business." In most engagements, this is our client.
- Data Processor / Service Provider, The entity that processes personal data on behalf of the controller. Under GDPR, this is the "processor"; under CCPA, this is the "service provider." In most engagements, this is Central Lense.
- Personal Data / Personal Information, Any information relating to an identified or identifiable natural person. Under GDPR, this is "personal data"; under CCPA, this is "personal information." This includes names, email addresses, IP addresses, health records, financial information, and any other data that can directly or indirectly identify an individual.
- Processing, Any operation or set of operations performed on personal data, whether by automated means or not, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- Sub-Processor, A third party engaged by the processor (Central Lense) to process personal data on behalf of the controller (client).
- Data Subject / Consumer, The identified or identifiable natural person to whom the personal data relates. Under GDPR, this is the "data subject"; under CCPA, this is the "consumer."
- Supervisory Authority, An independent public authority responsible for monitoring the application of data protection law, such as an EU Member State data protection authority or the UK Information Commissioner's Office (ICO).
Scope of Processing
The specific types of personal data processed and the categories of data subjects depend on the nature of each client engagement. Common scenarios include:
Types of Data Processed:
- Employee data, Names, contact information, employment records, credentials, and access logs for clients whose workforce IT we manage.
- Customer data, End-customer contact information, account details, and transaction records stored within client systems.
- Patient data, Protected health information (PHI) for healthcare clients, subject to HIPAA requirements in addition to the DPA.
- Financial data, Account numbers, transaction histories, and other financial records for clients in the financial services sector.
- Client employees and contractors
- Client customers and end users
- Patients (for healthcare engagements)
- Other individuals whose data resides in systems managed by Central Lense
Obligations of the Processor
As a data processor, Central Lense commits to the following obligations under the DPA:
- Process only on documented instructions, We process personal data only in accordance with the controller's documented instructions, unless required by applicable law to do otherwise. In such cases, we will inform the controller of the legal requirement before processing, unless prohibited by law.
- Confidentiality obligations for personnel, All Central Lense personnel who have access to personal data are bound by confidentiality obligations, whether by contract or statutory duty. Access is limited to those individuals who need it to perform the services.
- Implement appropriate security measures, We maintain technical and organizational security measures appropriate to the risk, as described in the Security Measures section of this document.
- Assist with data subject requests, We provide reasonable assistance to the controller in fulfilling its obligation to respond to data subject rights requests, including access, rectification, erasure, and portability.
- Notify of breaches, We notify the controller of any personal data breach without undue delay after becoming aware of it, as detailed in the Data Breach Notification section.
- Support audits, We make available to the controller all information necessary to demonstrate compliance and allow for and contribute to audits conducted by the controller or an authorized auditor.
- Delete or return data on termination, Upon termination of the service agreement, we will delete or return all personal data to the controller, at the controller's election, and delete existing copies unless retention is required by applicable law.
Sub-Processors
Central Lense engages the following sub-processors to assist in delivering services to our clients. Each sub-processor is bound by data processing obligations no less protective than those set out in our DPA:
- Supabase Inc., Cloud database and authentication infrastructure. Location: United States.
- Google LLC, Analytics infrastructure (Google Analytics, Google Fonts). Location: United States.
- Shopify Inc., E-commerce and marketplace platform. Location: Canada / United States.
- Microsoft Corporation, Azure cloud hosting, Microsoft 365 services. Location: United States.
International Data Transfers
For clients located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following transfer mechanisms may apply when personal data is transferred to Central Lense in the United States:
- EU-U.S. Data Privacy Framework (DPF), Where applicable, we rely on the EU-U.S. Data Privacy Framework as a valid transfer mechanism for personal data from the EEA to the United States.
- Standard Contractual Clauses (SCCs), We offer the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) as an alternative or supplementary transfer mechanism. The SCCs are incorporated into the DPA by reference.
- UK International Data Transfer Addendum, For transfers of personal data from the United Kingdom, we incorporate the UK International Data Transfer Addendum (IDTA) to the EU SCCs, as approved by the UK Information Commissioner's Office.
Security Measures
Central Lense implements and maintains a comprehensive set of technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.
Technical Measures:
- Encryption at rest and in transit, All personal data is encrypted using industry-standard encryption (AES-256 for data at rest, TLS 1.2+ for data in transit).
- Access controls, Role-based access controls (RBAC) ensure that only authorized personnel can access personal data, following the principle of least privilege.
- Multi-factor authentication (MFA), MFA is required for all personnel accessing systems that store or process personal data.
- Regular vulnerability scanning, We conduct regular vulnerability assessments and penetration testing to identify and remediate security weaknesses.
- Security training, All employees and contractors receive security awareness training upon onboarding and at least annually thereafter.
- Incident response plan, We maintain a documented incident response plan that is tested and updated regularly.
- Vendor due diligence, All sub-processors and third-party vendors undergo security assessments before engagement and are subject to ongoing monitoring.
- Business continuity, We maintain business continuity and disaster recovery plans to ensure the availability and resilience of systems processing personal data.
Data Breach Notification
In the event of a personal data breach, Central Lense will:
- Notify the controller within 72 hours of becoming aware of the breach. This notification will be made to the designated contact specified in the service agreement or DPA.
- Provide required information including:
- The nature of the personal data breach, including the categories and approximate number of data subjects affected
- The categories and approximate number of personal data records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including measures to mitigate potential adverse effects
- Cooperate with the controller in investigating the breach and fulfilling the controller's notification obligations to supervisory authorities and affected data subjects under applicable law.
- Document the breach including its facts, effects, and the remedial actions taken, and make this documentation available to the controller.
Data Subject Rights
Central Lense will assist the controller in fulfilling its obligations to respond to data subject rights requests under applicable data protection laws, including but not limited to:
- Right of access, The right to obtain confirmation of whether personal data is being processed and to receive a copy of that data.
- Right to rectification, The right to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure, The right to have personal data deleted when it is no longer necessary for the purpose for which it was collected, or when consent is withdrawn.
- Right to restriction of processing, The right to limit how personal data is used in certain circumstances.
- Right to data portability, The right to receive personal data in a structured, commonly used, and machine-readable format.
- Right to object, The right to object to processing based on legitimate interests or for direct marketing purposes.
Term and Termination
The DPA becomes effective upon execution and remains in effect for the duration of the underlying service agreement between Central Lense and the client.
Upon termination or expiration of the service agreement:
- Data deletion or return, Central Lense will, at the controller's election, delete or return all personal data within 90 days of termination. This includes all copies of personal data in our systems and in the systems of our sub-processors.
- Certification of deletion, Upon request, Central Lense will provide written certification that all personal data has been securely deleted in accordance with the DPA.
- Legal retention, Where applicable law requires Central Lense to retain certain personal data beyond the termination period, we will isolate and protect such data and limit processing to the purpose required by law.
How to Request a DPA
To request a Data Processing Addendum for your engagement with Central Lense, please contact our legal team at [email protected].
Please include the following information in your request to help us prepare a customized DPA efficiently:
- Company name and primary contact
- Services engaged, which Central Lense services are covered by the DPA
- Data types involved, the categories of personal data that will be processed
- Applicable regulations, the data protection laws that apply to your organization (e.g., GDPR, CCPA, HIPAA, GLBA)