
Data Processing Addendum

Article 28 GDPR terms for Customers using GovLens as a processor of their personal data.

Effective date: 2026-05-10 · Version: 1.0

This Data Processing Addendum (the "DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between Trelvio Technology OÜ, registered at Tornimäe tn 5, 10145 Tallinn, Estonia, registry code 16827799 ("Processor" or "GovLens"), and the customer identified in the Agreement (the "Controller" or "Customer").

It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the GovLens services and is intended to satisfy Article 28 of Regulation (EU) 2016/679 ("GDPR").

If the Customer's use of GovLens involves no Customer-controlled personal data being processed by GovLens (which will normally be the case for individual Free or Pro subscribers acting in their own capacity), this DPA does not apply.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. "Personal Data", "Controller", "Processor", "Data Subject", "Sub-processor", "Processing" and "Supervisory Authority" carry their GDPR meanings.

2. Subject matter, nature and purpose

  • Subject matter: provision of the GovLens services to the Customer.
  • Nature of processing: hosting, storage, retrieval, transmission, structuring, analysis, and deletion of Customer Personal Data.
  • Purpose: to enable the Customer to use GovLens features (legislative tracking, alerts, briefings, team management, API access).
  • Duration: for the term of the Agreement, plus the retention periods set out in §10.
  • Categories of Data Subjects: Customer's personnel, team members, end users, and any third parties whose data the Customer chooses to upload or reference.
  • Categories of Personal Data: names, email addresses, professional roles, organisation, sectors of interest, watchlist and saved-view configurations, alert recipients, briefing recipients, IP addresses and request logs derived from use of the Service. The Customer warrants it will not upload special-category data (Art. 9 GDPR) without prior written agreement.

3. Roles

The Customer is the Controller of the Personal Data it provides to or generates through the Service. GovLens is the Processor in respect of that data. GovLens acts as an independent Controller for limited operational data (e.g., billing records, security logs of its own systems) — those activities are described in the GovLens Privacy Policy and are not covered by this DPA.

4. Customer instructions

GovLens will Process Personal Data only on documented instructions from the Customer. The Agreement (including the in-product configuration the Customer chooses) constitutes the Customer's complete and final instructions. If GovLens is required to Process Personal Data for another purpose under EU or Member-State law, GovLens will inform the Customer before doing so unless prohibited by law. GovLens will inform the Customer if, in its opinion, an instruction infringes the GDPR.

5. Confidentiality

GovLens ensures that personnel authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and are appropriately trained.

6. Security (Art. 32)

GovLens implements the technical and organisational measures listed in Annex II to ensure a level of security appropriate to the risk, including:

  • AES-256-GCM encryption at rest of sensitive identifiers;
  • TLS 1.2+ in transit with HSTS;
  • HMAC-SHA256 pseudonymisation of high-sensitivity records;
  • bcrypt password hashing;
  • access control on a need-to-know basis with audit logging;
  • automated dependency and vulnerability scanning;
  • bot-mitigation and rate-limiting on authentication endpoints;
  • annual review of security measures and incident-response procedures.

7. Sub-processors

The Customer grants general authorisation for the engagement of Sub-processors. The current list is set out in the Privacy Policy and includes Stripe, Resend, Sinch, PostHog, Sentry, Cloudflare, Railway, IBM Cloud Object Storage, OpenRouter / DeepInfra, and the EU Lobby Register API.

GovLens will give the Customer at least 30 days' prior notice of any addition or replacement of a Sub-processor by email or in-product banner. The Customer may object on reasonable data-protection grounds within 14 days; if no commercially reasonable resolution is found, the Customer may terminate the affected portion of the Agreement.

GovLens imposes data-protection terms on each Sub-processor that are no less protective than those in this DPA and remains liable for the Sub-processor's compliance.

8. Assistance to the Controller

Taking into account the nature of Processing and the information available, GovLens will assist the Customer through appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligations to:

  • respond to Data Subject requests under Articles 15–22 GDPR;
  • comply with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).

GovLens will pass on to the Customer, without undue delay, any request received directly from a Data Subject relating to Personal Data Processed under this DPA, and will not respond to that request itself unless instructed by the Customer.

9. Personal data breach

GovLens will notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting the Customer's data. The notification will describe the nature of the breach, likely consequences, measures taken or proposed, and a contact point. The Customer is responsible for any onward notification to its Supervisory Authority and Data Subjects under Articles 33 and 34 GDPR.

10. Return and deletion

On termination of the Agreement, GovLens will, at the Customer's choice, return or delete all Customer Personal Data within 30 days, except to the extent EU or Member-State law requires longer storage. Back-ups containing Customer Personal Data are deleted in line with the standard back-up rotation, not exceeding 90 days.

11. Audits

GovLens will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR. On reasonable prior written notice (at least 30 days), no more than once per year, the Customer may conduct, at its own cost, an audit of GovLens's compliance with this DPA, either by way of (a) GovLens's most recent third-party audit reports or compliance certifications, or (b) a remote audit by independent auditors bound by confidentiality. On-site audits require GovLens's prior agreement and may not unreasonably interfere with normal business operations.

12. International transfers

Where Personal Data is transferred outside the European Economic Area to a country without an adequacy decision, the Parties agree that the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, Module Two (Controller-to-Processor), are deemed incorporated into this DPA, with the following selections:

  • Clause 7 (docking clause): applicable;
  • Clause 9(a): Option 2, prior general authorisation, with the 30-day notice period set in §7 above;
  • Clause 11(a): independent dispute-resolution body not offered;
  • Clause 17 (governing law): Estonian law;
  • Clause 18 (forum and jurisdiction): the courts of Tallinn, Estonia;
  • Annexes I and II: as set out below.

13. Liability

The liability of each Party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits a Data Subject's rights under the GDPR.

14. Termination

This DPA terminates automatically on termination of the Agreement, but remains in force for as long as GovLens continues to Process Customer Personal Data.

15. Conflicts

In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent of any data-protection issue. The Standard Contractual Clauses prevail over this DPA.

Annex I — Description of processing

Set out in §2 above.

Competent Supervisory Authority of the Processor: Andmekaitse Inspektsioon (AKI), Tatari 39, 10134 Tallinn, Estonia.

Annex II — Technical and organisational measures

  1. Pseudonymisation and encryption. AES-256-GCM at rest for sensitive identifiers; HMAC-SHA256 pseudonymisation of stable user identifiers; encrypted webhook secrets.
  2. Confidentiality, integrity, availability and resilience. Multi-AZ EU-region hosting; daily encrypted back-ups with 30-day retention; documented disaster-recovery procedure.
  3. Restoration after incident. Targeted recovery time objective ≤ 4 hours for primary services.
  4. Process for regular testing. Quarterly review of security controls; annual penetration test; continuous automated dependency scanning.
  5. Authentication. Multi-factor authentication required for all employee access to production systems.
  6. Logging and monitoring. Centralised audit logs with restricted access; alerting on security-relevant events.
  7. Personnel. Confidentiality undertakings; security training; least-privilege access provisioning and de-provisioning.
  8. Supplier governance. Documented sub-processor list; written DPAs with each sub-processor; SCCs for non-EEA transfers.

Signatures

This DPA may be executed electronically. By accepting the Agreement online, both Parties are deemed to have accepted this DPA. Customers requiring a counter-signed copy should contact privacy@trelvio.eu.
