Data Processing Agreement

GDPR Article 28 compliant data processing terms.

Effective date: 1 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller", "you") and Hanso Pte. Ltd., a company registered in Singapore ("Processor", "we", "us", "Lenno"), for the provision of the Lenno platform services as described in the Terms of Service (the "Principal Agreement").

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the Service.


1. Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
  • "Supervisory Authority" means an independent public authority established by an EU/EEA Member State pursuant to Article 51 of the GDPR.
  • "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor shall process Personal Data on behalf of the Controller as necessary to provide the Lenno agent orchestration platform, including AI agent provisioning, message handling, channel integrations, and related services as described in the Principal Agreement.

2.2 Nature and Purpose

The nature and purpose of processing includes:

  • Hosting and storing agent configurations, conversation data, and user account information.
  • Transmitting messages between users and AI agents across configured communication channels.
  • Processing agent instructions and generating AI-powered responses via third-party model providers.
  • Providing analytics, logging, and monitoring of agent operations.
  • Account management, authentication, and access control.

2.3 Categories of Data Subjects

  • The Controller's employees and authorised users of the Service.
  • End users who interact with the Controller's AI agents via communication channels.
  • Other individuals whose Personal Data is processed through the Controller's use of the Service.

2.4 Types of Personal Data

  • Contact information (names, email addresses, phone numbers).
  • Account credentials and authentication data.
  • Messages and conversation content exchanged with AI agents.
  • Usage data and interaction logs.
  • IP addresses and device identifiers.
  • Any other Personal Data submitted by the Controller or its end users through the Service.

2.5 Duration

Processing shall continue for the duration of the Principal Agreement and for the retention period specified in Section 9, unless otherwise agreed in writing.


3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
  • Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6.
  • Respect the conditions for engaging Sub-processors as set out in Section 4.
  • Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to Data Subject requests as described in Section 5.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage, as described in Section 9.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as described in Section 8.
  • Immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.

4. Sub-processors

4.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-processors to process Personal Data on behalf of the Controller. The Processor shall maintain a list of current Sub-processors, which is available upon request.

4.2 Notification of Changes

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before the change takes effect, thereby giving the Controller the opportunity to object to such changes.

4.3 Objection Right

If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If the parties cannot reach a resolution, the Controller may terminate the affected portion of the Service without penalty upon written notice.

4.4 Sub-processor Obligations

When engaging a Sub-processor, the Processor shall impose on the Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of the GDPR. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

4.5 Current Sub-processors

The following categories of Sub-processors are currently engaged:

  Category                       Purpose                                                  Location
  Cloud infrastructure provider  Hosting, compute, and storage                            EU / EEA
  AI model provider              Processing agent instructions and generating responses   United States (with SCCs)
  Payment processor              Subscription billing and payment handling                United States (with SCCs)
  Email delivery provider        Transactional email sending                              United States (with SCCs)

5. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's prior written instructions, unless required by applicable law.

The Processor shall implement technical and organisational measures to enable the Controller to fulfil Data Subject requests, including mechanisms for data export, deletion, and correction within the Service.


6. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:

6.1 Technical Measures

  • Encryption of Personal Data in transit using TLS 1.3 and at rest using AES-256.
  • Field-level encryption for highly sensitive data such as API keys and credentials.
  • Isolated container environments (Incus) for agent execution, preventing cross-tenant access.
  • Network segmentation and firewall rules restricting access to processing systems.
  • Automated vulnerability scanning and dependency auditing.
  • Secure key management with regular key rotation.
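The measures listed above are contractual commitments and do not describe an implementation. As an added illustration only (this is not Lenno's code and makes no claim about how the platform implements these measures), the following Go program shows what field-level encryption of a stored API key with AES-256-GCM and key rotation involves in practice: each stored value carries the ID of the key that sealed it, the ciphertext is bound to a tenant/field label via GCM associated data so it cannot be transplanted into another tenant's record, and a rotation sweep re-seals values under the new key before the old key is retired. The key IDs, the tenant label and the sample secret are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Keyring holds AES-256 keys by key ID; only Current seals new values, older
// keys remain for decryption until every field is re-sealed and they are retired.
type Keyring struct {
	Keys    map[string][]byte
	Current string
}

func NewKeyring() *Keyring { return &Keyring{Keys: map[string][]byte{}} }

// Rotate adds a fresh random 256-bit key under kid and makes it current.
func (kr *Keyring) Rotate(kid string) error {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	kr.Keys[kid] = key
	kr.Current = kid
	return nil
}

func (kr *Keyring) gcm(kid string) (cipher.AEAD, error) {
	key, ok := kr.Keys[kid]
	if !ok {
		return nil, fmt.Errorf("unknown or retired key id %q", kid)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field under the current key. The associated data
// (e.g. "tenant=acme;field=api_key") is authenticated but not encrypted, so a
// ciphertext pasted into another tenant's row will not open.
// Stored form: "<kid>:<base64(nonce || ciphertext || tag)>".
func (kr *Keyring) EncryptField(plaintext, associated string) (string, error) {
	aead, err := kr.gcm(kr.Current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh 96-bit nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(associated))
	return kr.Current + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField, picking the key from the embedded ID.
func (kr *Keyring) DecryptField(stored, associated string) (string, error) {
	kid, b64, _ := strings.Cut(stored, ":") // no ":" leaves kid = whole string, rejected by gcm
	aead, err := kr.gcm(kid)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	n := aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", fmt.Errorf("corrupt encrypted field")
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], []byte(associated))
	if err != nil { // tag mismatch: tampering, wrong key, or wrong associated data
		return "", fmt.Errorf("decrypt with key %q: %w", kid, err)
	}
	return string(pt), nil
}

// KeyID reports which key sealed a stored field (rows a rotation sweep must touch).
func KeyID(stored string) string {
	kid, _, _ := strings.Cut(stored, ":")
	return kid
}

// Reencrypt re-seals a field under the current key; run over every row after Rotate.
func (kr *Keyring) Reencrypt(stored, associated string) (string, error) {
	if KeyID(stored) == kr.Current {
		return stored, nil
	}
	pt, err := kr.DecryptField(stored, associated)
	if err != nil {
		return "", err
	}
	return kr.EncryptField(pt, associated)
}

func main() {
	kr := NewKeyring()
	_ = kr.Rotate("k1")
	stored, _ := kr.EncryptField("sk-example-not-a-real-key", "tenant=acme;field=api_key") // constructed
	_ = kr.Rotate("k2")
	stored, _ = kr.Reencrypt(stored, "tenant=acme;field=api_key")
	delete(kr.Keys, "k1") // retire k1 only once no stored row still references it
	fmt.Println(KeyID(stored), stored)
}
```

The points a reviewer would check against such a design: the key ID prefix is what makes rotation possible without a flag day, the associated-data binding is what stops a credential ciphertext being copied between tenants' rows, and a key may only be deleted from the ring after the sweep reports no remaining rows under its ID, since a value still sealed with a retired key becomes unrecoverable.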

6.2 Organisational Measures

  • Role-based access control (RBAC) with the principle of least privilege.
  • Multi-factor authentication for all personnel with access to processing systems.
  • Confidentiality agreements for all employees and contractors.
  • Regular security awareness training for personnel.
  • Documented information security policies and procedures.
  • Business continuity and disaster recovery planning.

7. Data Breach Notification

7.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

7.2 Contents of Notification

The notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of the Processor's data protection contact point.
  • A description of the likely consequences of the Data Breach.
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

7.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. The Processor shall provide the Controller with timely updates as additional information becomes available.

7.4 Records

The Processor shall maintain a record of all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.


8. Audit Rights

8.1 Right to Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

8.2 Audit Procedure

The Controller shall provide the Processor with at least 30 days' written notice of any audit, unless a shorter period is required due to a Data Breach or regulatory investigation. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations.

8.3 Costs

Each party shall bear its own costs in connection with any audit. If an audit reveals a material non-compliance by the Processor, the Processor shall bear reasonable costs of the audit and shall promptly remediate the non-compliance at its own expense.

8.4 Confidentiality

The Controller and any auditor mandated by the Controller shall maintain the confidentiality of all information obtained during an audit and shall not disclose such information to third parties without the Processor's prior written consent, except as required by law or a Supervisory Authority.


9. Data Deletion and Return

9.1 Upon Termination

Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller's choice and within 30 days of receiving written instructions:

  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing.

9.2 Retention Exceptions

The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor shall ensure the confidentiality of such data and shall not actively process it for any purpose other than compliance with legal obligations.

9.3 Backup Deletion

Personal Data contained in backup systems shall be deleted in accordance with the Processor's regular backup rotation schedule, which shall not exceed 90 days from the date of the deletion request.


10. International Transfers

10.1 Transfer Mechanism

The Processor is located in Singapore, which is not subject to an adequacy decision by the European Commission. For transfers of Personal Data from the EEA to Singapore or other third countries, the parties shall rely on the Standard Contractual Clauses (SCCs) as approved by the European Commission, or another legally recognised transfer mechanism. For transfers from the UK, the parties shall rely on the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs issued by the Information Commissioner's Office, or another transfer mechanism recognised under UK data protection law.

10.2 Supplementary Measures

Where required, the Processor shall implement supplementary measures (technical, organisational, or contractual) to ensure that the level of protection of Personal Data is not undermined by the transfer.

10.3 Transparency

The Processor shall promptly notify the Controller if it becomes aware of any changes to the laws or practices of any country to which Personal Data is transferred that may affect the level of protection afforded to the data.


11. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the Principal Agreement, unless otherwise required by mandatory data protection law. Where the GDPR applies, the provisions of the GDPR shall prevail over any conflicting terms in this DPA.


12. Amendments

This DPA may only be amended in writing and signed by authorised representatives of both parties. Notwithstanding the foregoing, the Processor may update the technical and organisational measures described in Section 6 from time to time, provided that the updated measures do not materially diminish the overall level of protection of Personal Data.


13. Contact

For questions or requests relating to this Data Processing Agreement, please contact:

Hanso Pte. Ltd.
Singapore
Email: legal@lenno.ai
Website: lenno.ai