When you use the Lenavio application on behalf of your organization, Lenavio, Inc. acts as a data processor and your organization as the data controller. The Data Processing Agreement (“DPA”) below, together with any order form and our Terms of Service, governs our processing of personal data you submit to the Service.
The full counter-signable document includes the EU SCCs (Module Two) and the UK International Data Transfer Addendum.
1. Scope and roles
This DPA applies to the processing of Customer Personal Data by Lenavio in the course of providing the Service. Customer is the controller; Lenavio is the processor. Where applicable, Lenavio acts as processor or sub-processor for Customer's own customers.
2. Subject matter, duration, nature, purpose
- Subject matter: provision of the Lenavio HR platform.
- Duration: the term of the agreement plus any retention period.
- Nature and purpose: hosting, processing, and displaying Customer Personal Data as instructed by Customer to operate the Service.
3. Categories of data and data subjects
- Data subjects: Customer's employees, contractors, applicants, and other personnel.
- Personal data categories: identifiers, contact data, employment data, compensation, time and attendance, documents, and case content. Special categories may be processed where Customer configures them.
4. Confidentiality
Lenavio personnel authorized to process Customer Personal Data are bound by written confidentiality obligations.
5. Security measures
Lenavio maintains the technical and organizational measures described in our Security page and in Annex II of the signed DPA, including encryption at rest and in transit, role-based access control enforced at the database, logical tenant isolation, and annual penetration testing.
6. Sub-processors
Customer authorizes Lenavio to engage sub-processors listed in Annex III of the signed DPA. Lenavio will notify Customer of new sub-processors at least thirty (30) days before onboarding them, and Customer may object on reasonable grounds.
7. Data subject rights
Lenavio will assist Customer, taking into account the nature of the processing, in responding to data subject requests under applicable law (including LGPD, GDPR, UK GDPR, and CCPA/CPRA).
8. International transfers
To the extent personal data is transferred outside the EEA, the UK, or Brazil, the parties rely on the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum, each incorporated by reference. Data residency in the EU, US, or Brazil is available on Enterprise plans.
9. Incident notification
Lenavio will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably necessary for Customer to meet its own notification obligations.
10. Audits
Lenavio will make available to Customer on request: (a) our most recent SOC 2 Type II report (when available), (b) summaries of penetration tests, and (c) responses to reasonable written security questionnaires. On-site audits are available under NDA for Enterprise customers on reasonable notice.
11. Return or deletion
On termination, Lenavio will, at Customer's choice, delete or return Customer Personal Data within thirty (30) days, subject to any legal retention requirements.
12. Contact
DPA execution and questions: hello@lenavio.com.