
Data Processing Agreement

Effective Date: April 17, 2026

This Data Processing Agreement ("DPA") forms an integral part of the LexOculus Terms of Service or any other Enterprise Agreement between LexOculus ("Data Processor") and the Customer ("Data Controller"). To execute a counter-signed copy of this DPA, please contact founder@lexoculus.com.

1. Subject Matter, Nature, and Purpose

Subject Matter: The processing of Personal Data in connection with the provision of the LexOculus technical compliance auditing platform.

Nature and Purpose: LexOculus will process Personal Data solely to provide the Service, including repository analysis, risk classification generation, compliance report production, and related security monitoring. LexOculus does not process Personal Data for its own marketing or algorithmic training purposes.

Duration: The processing will continue for the duration of the Agreement between the parties, and until the Personal Data is deleted in accordance with Section 7.

2. Types of Personal Data & Categories of Data Subjects

  • Categories of Data Subjects: Employees, contractors, or agents of the Data Controller who access the LexOculus platform.
  • Types of Personal Data: Identification and contact data (Name, Email), Authentication data (GitHub Usernames, Encrypted OAuth Tokens), and System interaction data (Truncated IP addresses, timestamped audit logs).

3. Sub-Processors

The Controller agrees that the Processor may engage the following sub-processors:

  • Supabase (Database & Auth — South Korea, ap-northeast-2)
  • Vercel (Hosting & CDN — Paris, France, cdg1)
  • Groq (LLM Inference - USA)

LexOculus will provide 30 days prior written notice of any new sub-processors. LexOculus ensures that all sub-processors are bound by data protection obligations materially the same as those in this DPA.

Note on Supabase region: Data is hosted in South Korea (AWS ap-northeast-2), which is an EU-adequate country under European Commission Adequacy Decision 2022/254. No additional safeguards (SCCs) are required.

Note on Groq: Groq is contractually prohibited from using any API data for training AI models.

4. Security Measures (Art. 32 GDPR)

LexOculus implements the following technical and organizational measures:

  • Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Control: Row-Level Security (RLS) ensures tenant isolation. Strict principle of least privilege for internal access.
  • Certifications: Core infrastructure (Supabase, Vercel) holds SOC 2 Type II and/or ISO 27001 certifications.

5. Data Breach Notification

In the event of a Personal Data breach affecting the Controller's data, LexOculus will notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach, providing sufficient information to allow the Controller to meet its obligations to report to supervisory authorities.

6. Data Subject Rights (Art. 15-22 GDPR)

LexOculus provides self-service tools within the platform enabling the Controller to export (JSON dataset) or delete data. If a Data Subject directly submits a request to LexOculus, we will forward the request to the Controller. LexOculus will assist the Controller by appropriate technical and organizational measures regarding the fulfillment of the Controller's obligations.

7. Deletion and Return of Data

Upon termination of the service, or upon written request from the Controller, LexOculus will securely delete all Personal Data associated with the Controller's account. LexOculus implements an automated 30-day purge cycle for all repository metadata in standard use.

8. Governing Law

Without prejudice to clauses applying the GDPR directly, this agreement is governed by the laws of India. For avoidance of doubt, LexOculus complies fully with the EU GDPR directly as a Data Processor serving customers in the European Union.