Data Processing Agreement

v1.0.0 | Effective February 25, 2026

At a Glance: Data Processing Agreement

  • Our role: We act as your data processor; you remain the data controller
  • AI sub-processors: Anthropic and Google are prohibited from training on your data
  • Audit rights: You can request our SOC 2 report or a third-party security summary annually
  • Government requests: We notify you within 5 business days unless legally prohibited
  • Data deletion: Confirmed in writing within 15 days of deletion, without you having to ask
  • International transfers: Schrems II supplementary measures in place for EEA/UK data
  • GDPR liability: Article 82 statutory liability is not capped by this agreement

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the applicable Terms of Service.

1.1 Key Terms

  • "Controller": The entity that determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer is the Controller.
  • "Processor": The entity that processes Personal Data on behalf of the Controller. Under this DPA, LW Group, LLC dba LW Technologies ("Genso") is the Processor.
  • "Sub-processor": A third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Personal Data": Any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
  • "Processing": Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • "Data Subject": An identified or identifiable natural person whose Personal Data is processed.
  • "Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Service": The Genso platform and related services provided by LW Group, LLC dba LW Technologies.
  • "Agreement": The Terms of Service and any related agreements between the Customer and LW Group, LLC dba LW Technologies.

2. Scope and Roles

2.1 Roles of the Parties

  • Customer (Controller): You, as the customer organization, determine the purposes and means of processing Personal Data through your use of the Service. You decide what data is uploaded, which users have access, and how the Service is used within your organization.
  • LW Group, LLC dba LW Technologies (Processor): We process Personal Data on your behalf to provide the Service. We act only on your documented instructions regarding the processing of Personal Data.

2.2 Scope of Processing

This DPA applies to all Personal Data processed by LW Group, LLC dba LW Technologies in connection with providing the Service, including:

  • Hosting and storing Customer data in our cloud infrastructure
  • Processing documents through AI-assisted features
  • Managing user authentication and access control
  • Providing email notifications and communications
  • Generating analytics and usage reports

2.3 Applicability

This DPA applies where and only to the extent that:

  • LW Group, LLC dba LW Technologies processes Personal Data on behalf of the Customer in the course of providing the Service; and
  • Such Personal Data is subject to applicable Data Protection Laws (GDPR, UK GDPR, CCPA/CPRA, or equivalent legislation). Where the California Consumer Privacy Act (CCPA) applies, LW Technologies acts as a "Service Provider" as defined under the CCPA and will not sell or share personal information.

3. Processing Details

3.1 Subject Matter

The processing of Personal Data under this DPA is performed for the purpose of providing the Service as described in the Agreement, specifically: a SaaS platform for organizational procedure and policy management with AI-assisted features.

3.2 Duration

Processing continues for the duration of the Agreement, plus any post-termination period required for data return and deletion as described in Section 11.

3.3 Types of Personal Data

The following categories of Personal Data may be processed:

  • Identity Data: Names, email addresses, phone numbers, employee IDs, job titles
  • Authentication Data: Hashed passwords, MFA tokens, session identifiers, MFA device fingerprint data (browser user-agent, language preferences)
  • Organizational Data: Department assignments, role designations, location information
  • Content Data: Procedures, policies, and documents that may contain Personal Data of the Customer's employees or third parties
  • Usage Data: Login timestamps, feature usage logs, AI processing request metadata
  • Technical Data: IP addresses, browser information, device identifiers
  • Payment Data: Billing contact information, subscription status (card details processed by Stripe)

3.4 Categories of Data Subjects

Personal Data may relate to the following categories of Data Subjects:

  • Customer Employees: Users who access and use the Service on behalf of the Customer
  • Customer Administrators: Users with administrative privileges within the Customer's organization
  • Third Parties: Individuals whose Personal Data may be included in documents uploaded by the Customer (e.g., persons referenced in procedures or policies)

4. Processor Obligations

4.1 Processing Instructions

LW Group, LLC dba LW Technologies shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law
  • Immediately inform the Controller if, in our opinion, an instruction infringes the GDPR or other applicable Data Protection Laws
  • Ensure that the Agreement and this DPA constitute the Controller's complete and final documented instructions (additional instructions require mutual agreement)

4.2 Confidentiality

LW Group, LLC dba LW Technologies shall:

  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Limit access to Personal Data to those personnel who need access to fulfill our obligations under the Agreement

4.3 Security (Article 32)

LW Group, LLC dba LW Technologies shall implement appropriate technical and organizational measures, aligned with industry security standards such as SOC 2, ISO 27001, or equivalent frameworks, to ensure a level of security appropriate to the risk, as further described in Section 6 of this DPA.

4.4 Assistance with Data Protection

LW Group, LLC dba LW Technologies shall:

  • Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities (Articles 32-36 GDPR)
  • Taking into account the nature of processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to Data Subject requests (Section 8)

4.5 Audit and Demonstration of Compliance

LW Group, LLC dba LW Technologies shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, as further described in Section 10.

4.6 Deletion and Return

Upon termination of the Agreement, LW Group, LLC dba LW Technologies shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, as further described in Section 11.


5. Sub-processors

5.1 Authorized Sub-processors

The Controller provides general authorization for LW Group, LLC dba LW Technologies to engage Sub-processors. The following Sub-processors are currently authorized:

| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | All account data, content, authentication tokens | United States |
| Stripe, Inc. | Payment processing, subscription management | Billing information, payment details | United States |
| Anthropic, PBC | AI document parsing and analysis | Document content submitted for AI processing | United States |
| Google LLC | AI content generation | Prompts and context submitted for AI generation | United States |
| Mailjet SAS | Transactional email delivery | Email addresses, notification content | European Union |
| Functional Software, Inc. (Sentry) | Error monitoring, performance tracking | Error data, technical metadata, anonymized session data | United States |
| Amazon Web Services, Inc. | Cloud infrastructure, storage | Hosted data and files as part of infrastructure | United States |
| Cloudflare, Inc. | Bot protection (Turnstile CAPTCHA) | IP address, browser fingerprint data | United States |
| Twilio, Inc. | SMS-based multi-factor authentication | Phone numbers, verification codes | United States |

5.2 Notification of Changes

LW Group, LLC dba LW Technologies shall:

  • Maintain an up-to-date list of Sub-processors
  • Notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors
  • Provide the Controller with the opportunity to object to such changes

5.3 Objection Rights

If the Controller objects to a new Sub-processor on reasonable grounds related to data protection:

  • LW Group, LLC dba LW Technologies will make reasonable efforts to address the Controller's objection, including offering an alternative Sub-processor or configuration
  • If the objection cannot be reasonably resolved, the Controller may terminate the Agreement with respect to the affected Service component without penalty

5.4 Sub-processor Obligations

LW Group, LLC dba LW Technologies shall:

  • Impose the same data protection obligations on each Sub-processor by way of a contract or other legal act
  • Remain fully liable to the Controller for the performance of each Sub-processor's obligations

5.5 AI Sub-Processor Restrictions

AI sub-processors (including Anthropic and Google) are authorized only for the specific processing activities described in this DPA. Such sub-processors: (a) shall not use personal data for model training, fine-tuning, or model improvement; (b) shall not transfer personal data to sub-processors of their own without LW Technologies' prior written consent; (c) are bound by data processing terms consistent with this DPA. LW Technologies represents that current AI provider API terms prohibit use of inputs for model training.

5.6 AI Sub-Processor API Policy Monitoring

LW Technologies will monitor material changes to AI sub-processor data handling policies. If a material change would reduce data protection commitments, LW Technologies will notify Controller within 30 days of becoming aware and, if the change cannot be mitigated, provide Controller the right to terminate the affected AI features without penalty.


6. Security Measures

LW Group, LLC dba LW Technologies implements the following technical and organizational measures to protect Personal Data:

6.1 Technical Measures

Encryption

  • In Transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher
  • At Rest: Database storage and file storage are encrypted at rest using AES-256 encryption

Access Controls

  • Row-Level Security (RLS): Database-level isolation ensures each organization can only access its own data
  • Role-Based Access Control: Application-level permission system with granular role assignments
  • Multi-Factor Authentication: TOTP-based MFA support for all user accounts
  • Session Management: Automatic session expiration with configurable idle timeouts (default: 24-hour max, 30-minute idle)

Security Monitoring

  • Audit Logging: Comprehensive logging of administrative actions and data access events
  • Rate Limiting: Progressive lockout protection against brute-force authentication attacks
  • Error Monitoring: Automated error detection and alerting via Sentry

Infrastructure Security

  • Network Security: Firewall rules, network segmentation, and DDoS protection
  • Regular Updates: Timely application of security patches and updates
  • Backup Systems: Regular automated backups with encryption

6.2 Organizational Measures

  • Access to Personal Data is restricted to authorized personnel on a strict need-to-know basis
  • All personnel with access to Personal Data are bound by confidentiality obligations
  • Regular security training and awareness programs
  • Documented incident response procedures
  • Regular review and testing of security measures

7. Data Breach Notification

7.1 Notification Timeline

In the event of a Data Breach affecting Personal Data processed under this DPA, LW Group, LLC dba LW Technologies shall:

  • Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the Data Breach
  • If notification cannot be made within 72 hours, provide reasons for the delay

7.2 Content of Notification

The notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of the data protection contact or other point of contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects

7.3 Cooperation

LW Group, LLC dba LW Technologies shall:

  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach
  • Assist the Controller in meeting its obligations to notify supervisory authorities and Data Subjects, as required under applicable Data Protection Laws
  • Not inform any third party of the Data Breach without the Controller's prior written consent, except as required by law

7.4 Documentation

LW Group, LLC dba LW Technologies shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken.


8. Data Subject Rights

8.1 Assistance

LW Group, LLC dba LW Technologies shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

8.2 Notification of Requests

If LW Group, LLC dba LW Technologies receives a request directly from a Data Subject, we shall promptly redirect the request to the Controller, unless otherwise legally required.

8.3 Response Timelines

LW Group, LLC dba LW Technologies shall provide reasonable assistance to enable the Controller to respond to Data Subject requests within the timeframes required by applicable law (generally 30 days under GDPR).

8.4 Technical Capabilities

The Service provides the following capabilities to assist Controllers in fulfilling Data Subject requests:

  • Access and Portability: Data export functionality for user accounts and content
  • Rectification: User profile editing and data correction capabilities
  • Erasure: Account and content deletion functionality
  • Restriction: Account suspension and access control capabilities

9. International Data Transfers

9.1 Processing Location

The Service is primarily hosted and operated in the United States. Personal Data processed under this DPA may be transferred to and processed in the United States.

9.2 Transfer Mechanisms

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to the United States, the parties rely on:

  • Standard Contractual Clauses (SCCs): As adopted by the European Commission, where applicable
  • UK International Data Transfer Agreement/Addendum: For transfers from the United Kingdom
  • Supplementary Measures: Additional safeguards implemented as needed based on transfer impact assessments

9.3 Sub-processor Transfers

LW Group, LLC dba LW Technologies ensures that any onward transfers of Personal Data to Sub-processors are also covered by appropriate transfer mechanisms as described above.

9.4 Adequacy Decisions

Where the European Commission, UK government, or Swiss authorities have made adequacy decisions regarding the transfer destination, such decisions may also serve as the basis for transfers.

9.5 Schrems II Supplementary Measures

Where Standard Contractual Clauses (Module 2: Controller-to-Processor) are relied upon for transfers from the EEA/UK to the United States, the parties acknowledge the requirements of the Schrems II judgment (Case C-311/18) and agree that the following supplementary measures are in place: (a) data in transit is encrypted using TLS 1.2 or higher; (b) data at rest is encrypted using AES-256; (c) access to personal data requires multi-factor authentication; (d) access is restricted to personnel with a documented need-to-know; (e) access is logged and subject to regular review. LW Technologies will notify Controller within 5 business days if it determines that supplementary measures are no longer sufficient.


10. Audit Rights

10.1 Right to Audit

The Controller has the right to conduct audits, including inspections, to verify LW Group, LLC dba LW Technologies's compliance with this DPA.

10.2 Audit Procedures

  • Notice: The Controller shall provide at least 30 days' written notice of an intended audit
  • Scope: Audits shall be limited to the processing activities covered by this DPA
  • Frequency: No more than one audit per 12-month period, unless a Data Breach or regulatory investigation requires additional audits
  • Conduct: Audits shall be conducted during regular business hours and shall not unreasonably interfere with LW Group, LLC dba LW Technologies's operations
  • Confidentiality: Auditors shall be bound by appropriate confidentiality obligations

10.3 Third-Party Auditors

The Controller may engage a qualified, independent third-party auditor to conduct audits, subject to appropriate confidentiality agreements.

10.4 Audit Alternatives

In lieu of an on-site audit, LW Technologies shall provide, upon written request and no more than once per 12-month period: (a) its most recent SOC 2 Type II audit report (if available), or (b) a written summary of security controls and compliance posture prepared by an independent third party. If neither alternative satisfies Controller's reasonable audit requirements, an on-site audit shall be permitted subject to Section 10.2.

10.5 Costs

The Controller shall bear the costs of any audit it initiates. LW Group, LLC dba LW Technologies shall bear its own internal costs of cooperating with the audit.


11. Data Return and Deletion

11.1 Post-Termination Export

Upon termination or expiration of the Agreement, the Controller shall have a period of 30 days to export its data from the Service using the available data export functionality.

11.2 Deletion

Following the 30-day export period (or earlier upon the Controller's written request), LW Group, LLC dba LW Technologies shall:

  • Delete all Personal Data processed under this DPA from its active systems
  • Direct Sub-processors to delete Personal Data from their systems
  • Provide written confirmation of deletion to Controller within 15 days of completion, without requiring a request from Controller. Confirmation shall include the date of deletion and the categories of data deleted.

11.3 Retention Exceptions

LW Group, LLC dba LW Technologies may retain Personal Data beyond the deletion period to the extent required by applicable law (such as tax records or audit logs mandated by regulation). Such retained data shall:

  • Be limited to the minimum necessary to comply with the legal requirement
  • Continue to be protected under the terms of this DPA
  • Be deleted once the legal retention period expires

11.4 Backup Systems

Personal Data in automated backup systems shall be deleted in accordance with the regular backup rotation schedule, but no later than 90 days following the deletion from active systems. All backups are encrypted at rest and access is restricted to authorized personnel on a need-to-know basis.

11.5 Deletion Confirmation

Upon completion of data deletion following termination, LW Technologies shall provide written confirmation to Controller within 15 days of completion, without requiring a request. Confirmation shall include the date of deletion and the categories of personal data deleted.


12. Term and Termination

12.1 Term

This DPA shall remain in effect for the duration of the Agreement between the Controller and LW Group, LLC dba LW Technologies, and for as long as LW Group, LLC dba LW Technologies processes Personal Data on behalf of the Controller.

12.2 Survival

The obligations of LW Group, LLC dba LW Technologies under this DPA that by their nature should survive termination shall survive, including but not limited to obligations regarding data return and deletion (Section 11), confidentiality, and data breach notification.

12.3 Termination for Breach

If either party materially breaches its obligations under this DPA and fails to cure such breach within 30 days of receiving written notice, the non-breaching party may terminate this DPA and the related Agreement.


13. Liability

13.1 General

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service), except as modified by this Section.

13.2 GDPR-Specific Provisions

In accordance with Article 82 of the GDPR:

  • Each party shall be liable for damage caused by processing that infringes the GDPR
  • A Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller
  • Each party may be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage

13.3 Indemnification

Each party shall indemnify the other party against any costs, claims, damages, or expenses incurred as a result of the indemnifying party's material breach of this DPA, subject to the limitations of liability in the Agreement.

13.4 GDPR Article 82 Carve-Out

Notwithstanding any liability limitations in this DPA or the Agreement, nothing in this DPA limits either party's liability for damages arising under GDPR Article 82 or analogous provisions of applicable Data Protection Laws. Statutory data protection liability is not subject to contractual limitation to the extent prohibited by applicable law.


14. General Provisions

14.1 Conflict

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

14.2 Amendments

This DPA may only be amended in writing, signed by authorized representatives of both parties. We may update the list of Sub-processors in accordance with Section 5.2.

14.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.4 Governing Law

This DPA shall be governed by the same law that governs the Agreement, except where applicable Data Protection Laws require otherwise.

14.5 Supervisory Authorities

LW Technologies shall reasonably cooperate with competent supervisory authorities where required under applicable data protection law.


15. Contact Information

For questions about this Data Processing Agreement:

15.2 Privacy Contact

For data protection inquiries, contact: support@gensoapp.com. LW Technologies will respond to data protection inquiries within 5 business days.

16. GENSO Compliance Documentation Features

The Service's built-in infrastructure is designed to support Processor obligations and assist Controller in demonstrating compliance under applicable Data Protection Laws:

  • Immutable Audit Logs: All processing activities, data access events, and administrative actions are logged with timestamps and user attribution and cannot be retroactively altered.
  • Data Access Controls: Role-based permissions ensure personal data is accessible only to authorized personnel, supporting data minimization and access control requirements.
  • Processing Records: The Service maintains records of data processing activities that assist in fulfilling record-keeping obligations under applicable law.
  • Incident Logging: Security events and anomalies are automatically logged, supporting breach detection and notification timelines.

These features assist with compliance documentation but do not independently satisfy all obligations under applicable Data Protection Laws.


17. Government and Law Enforcement Requests

If LW Technologies receives a legal order requiring disclosure of personal data processed under this DPA, it will: (a) notify Controller within 5 business days unless legally prohibited from doing so; (b) cooperate with Controller's reasonable efforts to challenge the order; and (c) disclose only the minimum personal data required by the legal obligation. LW Technologies will publish an annual transparency report summarizing the number of government requests received, to the extent permitted by law.


18. Data Residency

The Service is hosted in the United States. Customers requiring regional data residency (such as EU-only hosting) should contact LW Technologies to discuss available options.


This Data Processing Agreement was last updated on February 25, 2026.

For questions about our legal documents, please contact us at support@gensoapp.com