Data Processing Agreement (DPA)
Last updated: July 14, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Lenviva ("Processor") and the customer ("Controller") when the Controller uses the Lenviva service to process personal data on behalf of end users (e.g. employees or students).
1. Roles
- Controller — the customer, who decides why and how personal data is processed.
- Processor — Lenviva, which processes personal data only on documented instructions from the Controller.
2. Scope & purpose
The Processor processes personal data for the sole purpose of providing the Lenviva service (AI interview practice, transcripts, coaching feedback, subscription management) as described in the main service agreement.
3. Categories of data & data subjects
- Data subjects: the Controller's authorized end users.
- Categories: account data, usage data, voice/transcript data, technical logs.
4. Sub-processors
The Controller authorizes the Processor to engage the sub-processors listed in our Privacy Policy. We will notify the Controller of any material changes with at least 30 days' notice, during which the Controller may object in writing.
5. Security measures
The Processor implements appropriate technical and organizational measures including:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Access controls with multi-factor authentication for staff.
- Role-based access to production data on a strict need-to-know basis.
- Regular backups and documented incident response procedures.
6. Data subject rights
The Processor will provide reasonable assistance to the Controller in responding to requests from data subjects (access, correction, deletion, portability, restriction, objection).
7. Breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Controller data.
8. International transfers
Where personal data is transferred outside the EEA, the parties rely on Standard Contractual Clauses (SCCs) approved by the European Commission and any supplementary measures required by applicable law.
9. Audits
The Controller may request, no more than once per year and with 30 days' notice, evidence of the Processor's compliance with this DPA. The Processor may satisfy this obligation by providing third-party audit reports (e.g. SOC 2 or ISO 27001) once available.
10. Return or deletion of data
Upon termination of the service agreement, the Processor will delete or return all Controller personal data within 90 days, unless retention is required by law.
11. Entering into this DPA
Business customers who require a signed copy of this DPA can request one by emailing legal@lenviva.app.
This document is a template provided for convenience. It is not legal advice. Please have a qualified attorney in your jurisdiction review and adapt it to your specific business before relying on it.