All payments made in the preview are in test mode. Use card 4242 4242 4242 4242.

Data Processing Agreement (DPA)

Last updated: July 14, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Lenviva ("Processor") and the customer ("Controller") when the Controller uses the Lenviva service to process personal data on behalf of end users (e.g. employees or students).

1. Roles

  • Controller — the customer, who decides why and how personal data is processed.
  • Processor — Lenviva, which processes personal data only on documented instructions from the Controller.

2. Scope & purpose

The Processor processes personal data for the sole purpose of providing the Lenviva service (AI interview practice, transcripts, coaching feedback, subscription management) as described in the main service agreement.

3. Categories of data & data subjects

  • Data subjects: the Controller's authorized end users.
  • Categories: account data, usage data, voice/transcript data, technical logs.

4. Sub-processors

The Controller authorizes the Processor to engage the sub-processors listed in our Privacy Policy. We will notify the Controller of any material changes with at least 30 days' notice, during which the Controller may object in writing.

5. Security measures

The Processor implements appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest.
  • Access controls with multi-factor authentication for staff.
  • Role-based access to production data on a strict need-to-know basis.
  • Regular backups and documented incident response procedures.

6. Data subject rights

The Processor will provide reasonable assistance to the Controller in responding to requests from data subjects (access, correction, deletion, portability, restriction, objection).

7. Breach notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Controller data.

8. International transfers

Where personal data is transferred outside the EEA, the parties rely on Standard Contractual Clauses (SCCs) approved by the European Commission and any supplementary measures required by applicable law.

9. Audits

The Controller may request, no more than once per year and with 30 days' notice, evidence of the Processor's compliance with this DPA. The Processor may satisfy this obligation by providing third-party audit reports (e.g. SOC 2 or ISO 27001) once available.

10. Return or deletion of data

Upon termination of the service agreement, the Processor will delete or return all Controller personal data within 90 days, unless retention is required by law.

11. Entering into this DPA

Business customers who require a signed copy of this DPA can request one by emailing legal@lenviva.app.


This document is a template provided for convenience. It is not legal advice. Please have a qualified attorney in your jurisdiction review and adapt it to your specific business before relying on it.