Data Processing Agreement (DPA)
Last updated: April 6, 2026
Note: This is a summary of key DPA terms for Pro plan subscribers. The full executable DPA is available upon request at legal@optilens.ai.
1. Overview
This DPA establishes the terms under which OptiLens processes personal data on behalf of its customers. It supplements the Terms of Service and Privacy Policy.
2. Roles and Responsibilities
Data Controller (You): You determine the purposes and means of processing. You are responsible for having the appropriate legal basis.
Data Processor (OptiLens): We process data on your behalf, strictly per your instructions. We will not process for any other purpose.
3. Scope of Processing
| Data Category | Description | Processing Activity |
|---|---|---|
| Website Crawl Data | URLs and crawled page content | AI-powered analysis via multi-agent pipeline |
| Behavioral Analytics Data | Click and scroll events via optional tracking snippet | Behavioral analytics visualization for your own website |
| Integration Data | GA4 and GSC data | Revenue calculation and search analysis |
4. Sub-Processors
Key sub-processors involved in data processing:
- Anthropic (Claude API): AI-powered analysis of crawled website data.
- Supabase: Primary database for account and audit data.
We notify you of material sub-processor changes at least 14 days in advance. Object by contacting legal@optilens.ai within 14 days.
5. Security Measures
- Encryption in transit (TLS 1.3) and at rest for sensitive tokens (Fernet symmetric)
- Supabase Row-Level Security (RLS) for multi-tenant data isolation
- Role-based access controls following least privilege
- Behavioral analytics input field masking enabled by default
- Webhook signature verification (HMAC SHA-256)
- CORS restrictions and rate limiting on all API endpoints
- Regular security assessments and vulnerability reviews
6. Data Subject Requests
Upon receiving a data subject request, we will:
- Promptly notify you within 3 business days
- Not respond to the data subject directly unless instructed by you
- Provide reasonable technical assistance
- Implement deletion, correction, or restriction as directed
7. Data Breach Notification
In the event of a data breach, we will:
- Notify you without undue delay and within 72 hours where feasible
- Provide breach details: nature, categories affected, likely consequences, measures taken
- Cooperate in notifying supervisory authorities and affected individuals
- Document the breach and remediation steps
8. Data Retention and Deletion
- 30-day grace period for reactivation or export after subscription ends
- Permanent deletion of all personal data after the grace period
- Written confirmation of deletion available upon request
- Billing records retained up to 7 years per tax regulations
- Encrypted backup data deleted per backup rotation schedule
9. Audits and Compliance
- Information to demonstrate DPA compliance available upon reasonable request
- Audits and inspections permitted with 30 days' notice
- Compliance questionnaire responses provided
10. International Transfers
Where processing involves transfer outside the EEA, we rely on Standard Contractual Clauses (SCCs) supplemented by Transfer Impact Assessments.
11. Duration and Termination
This DPA remains in effect for the duration of your subscription and continues until all data is deleted or returned. Confidentiality and data protection obligations survive termination.
12. Requesting the Full DPA
The complete, executable DPA is available upon request. Contact legal@optilens.ai.
13. Contact
For questions about this Data Processing Agreement, please contact us.
OptiLens
General: support@optilens.ai
Legal: legal@optilens.ai
Data Protection: dpo@optilens.ai
Website: optilens.ai