Data Processing Agreement (DPA)
Product: LeaseLens (neolain.com/leaselens)
Processor: NeoLain Trading Co. Limited, Hong Kong
HK Business Registration No.: [BR number placeholder]
Registered office: [registered address placeholder]
Contact: legal@neolain.com
Last updated: [last-updated date placeholder]
Plain-English summary. When you upload leases that contain personal data (tenant names, guarantor details, etc.), you are the controller and NeoLain is the processor. This DPA sets out what we do with that data, how we secure it, which subprocessors we use, how we handle breaches (72-hour notification), and what happens to the data when you leave. It is designed for self-serve SMB customers and is drafted to meet the processor-contract requirements of GDPR Article 28.
This Data Processing Agreement ("DPA") forms part of our Terms of Service (/legal/terms) between NeoLain Trading Co. Limited ("NeoLain", "Processor") and the customer identified in the Terms or the applicable order form ("Customer", "Controller"). By using the LeaseLens service, Customer accepts this DPA.
Enterprise customers can request a countersigned copy of this DPA on company letterhead for their vendor-management records by emailing legal@neolain.com.
This DPA is informational; it is not legal advice. Customer should satisfy itself that the terms meet its specific regulatory obligations.
1. Definitions
Terms used but not defined here have the meaning given in the Terms of Service, the GDPR, the UK GDPR, the Hong Kong Personal Data (Privacy) Ordinance ("PDPO"), or Japan's Act on the Protection of Personal Information ("APPI"), as applicable.
- "Personal Data" means personal data (or equivalent defined term under applicable law) contained in Customer Content, that NeoLain processes on behalf of Customer under the Terms.
- "Processing" has the meaning given under GDPR Article 4(2).
- "Subprocessor" means a third party engaged by NeoLain to process Personal Data in connection with the Service.
- "Data Protection Laws" means all laws applicable to the Processing of Personal Data under this DPA, including PDPO, GDPR, UK GDPR, and APPI, each as amended.
2. Roles
Plain-English summary. Customer decides what to upload and why; NeoLain processes on instruction.
- Customer is the Controller. Customer determines the purposes and means of Processing Personal Data contained in Customer Content.
- NeoLain is the Processor. NeoLain processes Personal Data only on documented instructions from Customer, as set out in the Terms, this DPA, and Customer's use of the Service.
- For account administration data (e.g., the email address of the account holder), NeoLain is an independent Controller as described in the Privacy Policy.
3. Scope and subject matter
Subject matter: Processing necessary to deliver LeaseLens as described in the Terms — receiving uploaded lease documents, extracting structured data via the AI pipeline, storing outputs, providing exports.
Duration: The term of the Customer's account plus the post-termination retention periods set out in Section 11.
Nature and purpose of Processing: Hosting, transformation (LLM-assisted extraction), storage, retrieval, export, deletion.
Types of Personal Data:
- Contained in lease PDFs Customer uploads (for example: tenant names and contact details, guarantor names, signatory identities, landlord agent names).
- Customer's own account data (name, work email, company).
Categories of data subjects:
- Customer's personnel who hold LeaseLens seats.
- Individuals named in leases uploaded by Customer.
4. Customer instructions
NeoLain processes Personal Data only on Customer's documented instructions, which are:
- The Terms and this DPA.
- Customer's configuration and use of the Service (including uploads, deletions, API calls).
- Written instructions Customer sends to legal@neolain.com that NeoLain confirms in writing.
NeoLain will inform Customer if, in its opinion, an instruction violates Data Protection Laws. NeoLain is not obliged to follow such an instruction.
5. Confidentiality and personnel
NeoLain ensures that personnel authorized to process Personal Data:
- Are bound by written obligations of confidentiality, whether contractual or statutory.
- Receive regular training appropriate to their role.
- Access Personal Data only on a need-to-know basis under least-privilege controls.
Staff access to Customer Content requires a support ticket that Customer has explicitly approved, and all such access is logged.
6. Security measures
Plain-English summary. Encryption in transit and at rest, logical isolation per workspace, least-privilege access, backups, incident response. Details below.
NeoLain implements technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:
- Encryption. TLS 1.3 in transit; AES-256 at rest across Cloudflare R2 and Supabase Postgres.
- Access control. Single-sign-on and multi-factor authentication for internal admin access. Row-level security in Postgres provides logical isolation between Customer workspaces.
- Least-privilege staff access. Production access limited to named engineers; staff access to Customer Content gated by support ticket and Customer approval.
- Network and platform security. Hosting on Vercel with platform-level DDoS protection. Storage in Cloudflare R2 with access limited to authenticated backend services.
- Vulnerability management. Automated dependency scanning on builds; periodic review of security advisories.
- Backups. Automated, encrypted backups in-region with periodic restore testing.
- Secrets management. API keys and credentials held in a secrets manager; rotated on a periodic schedule and on personnel changes.
- Incident response. Defined procedure for detection, containment, investigation, notification, and remediation.
SOC 2 Type I is in progress. NeoLain is not currently certified and does not commit to a specific timeline. NeoLain does not claim HIPAA, PCI-DSS, or ISO 27001 compliance.
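The "row-level security in Postgres" measure in Section 6 is the control a reviewer most often asks to see spelled out. The following is an added illustration, not NeoLain's schema or code, of what per-workspace isolation looks like as a Postgres RLS policy; the table and column names (workspaces, workspace_members, leases) are assumptions, and auth.uid() is Supabase's helper for the authenticated user's id.

```sql
-- Added illustration (not NeoLain's schema): per-workspace isolation with
-- Postgres row-level security. Table/column names are assumptions.

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);

create table leases (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  file_key     text not null,   -- object key of the uploaded PDF in object storage
  extracted    jsonb            -- structured output of the extraction pipeline
);

-- Turn RLS on, and FORCE it so the table owner is filtered too; without FORCE
-- the owning role sees every row regardless of policy.
alter table leases enable row level security;
alter table leases force row level security;

-- A caller may read or write only rows belonging to a workspace they are a
-- member of. USING filters reads/updates/deletes; WITH CHECK prevents writing
-- a row into someone else's workspace. auth.uid() is Supabase's current-user
-- helper; on plain Postgres use e.g. current_setting('app.user_id')::uuid.
create policy leases_workspace_isolation on leases
  for all
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = leases.workspace_id
        and m.user_id = auth.uid()
    )
  )
  with check (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = leases.workspace_id
        and m.user_id = auth.uid()
    )
  );

-- Apply the same membership rule to the membership table itself, or a caller
-- could enumerate other workspaces' members.
alter table workspace_members enable row level security;
alter table workspace_members force row level security;
create policy members_self_visible on workspace_members
  for select using (user_id = auth.uid());
```

Caveat a vendor reviewer should raise: policies are not applied to roles with the BYPASSRLS attribute (superusers, and Supabase's service_role key used by backend services). Any code path that holds such a credential must scope its queries explicitly (`where workspace_id = $1`), because RLS will not do it for it; the logical isolation claimed in Section 6 therefore depends on where the service-role credential is used, not only on the policy.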
7. Subprocessors
Plain-English summary. We use a short list of vendors. They are bound by contract to protect your data. We tell you before we add new ones.
7.1 Authorization
Customer grants NeoLain general authorization to engage the Subprocessors listed below. Each Subprocessor is bound by a written contract containing data-protection terms no less protective than those in this DPA, and appropriate for the Subprocessor's role.
7.2 Current Subprocessors
| Subprocessor | Purpose | Region |
|---|---|---|
| Google LLC (Vertex AI) | LLM inference (Gemini 2.5 Pro) under Vertex AI Generative AI Service terms: no training on Customer Content; no retention beyond the short abuse-protection window described in Section 7.3 | asia-northeast1 (Tokyo) |
| Google LLC (Cloud Storage) | Short-lived staging of PDFs >20MB, 24h auto-delete lifecycle | asia-northeast1 (Tokyo) |
| Cloudflare, Inc. (R2) | Object storage for uploaded files | AP-East |
| Supabase, Inc. | Postgres database and authentication | Tokyo ap-northeast-1 |
| Stripe Payments Europe / Stripe Asia Pacific | Payment processing | As selected by Stripe |
| Resend | Transactional email | US / EU |
| Vercel, Inc. | Application hosting, edge delivery | Global edge |
| PostHog | Product analytics | EU-hosted instance |
The current list is maintained at neolain.com/leaselens/subprocessors.
7.3 Vertex AI processing note
Lease content is processed through Google Vertex AI (Gemini 2.5 Pro) under the Vertex AI Generative AI Service terms and the Google Cloud Data Processing Addendum. Under those terms, Google does not use Customer Content to train or fine-tune its foundation models and does not retain Customer prompts or responses beyond what is needed to return a response (and a short abuse-protection window). These protections are the default Vertex AI configuration for enterprise customer prompts and outputs.
7.4 Change notifications
NeoLain will give Customer at least 30 days' notice before adding or replacing a Subprocessor that will process Personal Data. Notification is made by email (to the account owner's address) or in-dashboard. Customer may object on reasonable data-protection grounds within 15 days of notification. If NeoLain cannot reasonably accommodate the objection, Customer's sole remedy is to terminate the Service as to the affected data and receive a pro-rated refund of pre-paid fees.
7.5 Liability for Subprocessors
NeoLain remains responsible for the acts and omissions of its Subprocessors to the same extent as for its own acts and omissions, subject to the limitation of liability in the Terms.
8. International transfers
Plain-English summary. Data stays in Asia-Pacific where we can. Where it moves outside EEA/UK we rely on Standard Contractual Clauses.
- Primary regions. Cloudflare R2 AP-East, Supabase Tokyo (ap-northeast-1), Google Vertex AI Tokyo (asia-northeast1). Lease content is therefore typically processed within Asia-Pacific.
- Transfers outside APAC. Some Subprocessors (e.g., Stripe, Resend, Vercel, PostHog) may process Personal Data outside APAC; their regions are listed in Section 7.2. Google's role as a Subprocessor is governed by the Google Cloud Data Processing Addendum, which incorporates the SCCs.
- EEA / UK transfers. Where Personal Data of data subjects in the EEA or UK is transferred to a country that has not been the subject of an adequacy decision, NeoLain relies on the European Commission's Standard Contractual Clauses (SCCs) (Module 2 or Module 3 as applicable) and the UK International Data Transfer Addendum. By entering into this DPA, the parties are deemed to have entered into the applicable SCCs with NeoLain as data importer where NeoLain receives data, and where NeoLain is the data exporter to Subprocessors, NeoLain ensures back-to-back SCC coverage.
- PDPO. NeoLain takes the steps recommended in the Privacy Commissioner's guidance on section 33 of the PDPO (the cross-border transfer restriction, which is not yet in operation) to ensure equivalent protection when Personal Data is transferred outside Hong Kong.
- APPI. For Personal Data of Japanese data subjects, NeoLain provides the information required under Article 28 of APPI through this DPA and the Privacy Policy.
9. Data subject requests
Plain-English summary. If a data subject contacts you about their data, we help you respond.
Taking into account the nature of Processing, NeoLain assists Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests from data subjects under Data Protection Laws (including requests for access, rectification, erasure, restriction, portability, and objection).
- If a data subject contacts NeoLain directly about Customer's data, NeoLain refers the data subject to Customer and notifies Customer by email to the account owner.
- Customer can fulfill many requests directly through the dashboard (view, edit, delete, export). NeoLain provides support at support@neolain.com for anything that cannot be self-served.
- NeoLain responds to assistance requests within 10 business days in the ordinary course.
10. Data breach notification
Plain-English summary. If a security incident involving personal data occurs, we tell you within 72 hours of confirming it.
On becoming aware of a Personal Data Breach affecting Customer's Personal Data, NeoLain will:
- Notify Customer without undue delay and in any event within 72 hours of confirming the breach, by email to the account owner and legal/security contact on file.
- Provide, to the extent known and in progressively greater detail as the investigation develops:
- Nature of the breach, categories and approximate number of data subjects and records affected.
- Likely consequences.
- Measures taken or proposed to address the breach and mitigate possible adverse effects.
- Contact point for further information.
- Cooperate with Customer's own notifications to supervisory authorities and data subjects as required by Data Protection Laws.
NeoLain's notification is not an acknowledgment of fault or liability.
11. Return or deletion on termination
Plain-English summary. When your contract ends, your data is available to download for 30 days, then deleted.
On termination of the Service:
- Customer Content (including uploaded documents and extracted data) remains available for download for 30 days after the termination effective date.
- After that 30-day window, NeoLain deletes Customer Content from active systems within 14 days and from encrypted backups within the standard backup-rotation cycle (no longer than 35 additional days).
- Operational records (account, billing, support, security logs) are retained in line with the retention windows set out in the Privacy Policy (Section 14).
- On written request before the end of the 30-day download window, NeoLain provides a final export of Customer Content in JSON format at no charge.
NeoLain will, on written request, confirm completion of deletion.
During the term, Customer can delete Personal Data at any time through the dashboard. Deletions propagate to active systems within 24 hours; copies in encrypted backups age out within the standard backup-rotation cycle (no longer than 35 days).
12. Audit
Plain-English summary. We publish what we can publish; larger customers can ask questions in writing.
NeoLain makes available to Customer, on reasonable written request to legal@neolain.com:
- The latest available security documentation (security overview, subprocessor list, this DPA).
- Responses to reasonable vendor-security questionnaires.
- Where available, third-party audit reports (e.g., SOC 2 reports, once issued).
For Enterprise customers with a signed order form, a right of on-site or remote audit may be negotiated on commercially reasonable terms, not more than once per 12-month period, on at least 30 days' written notice, and subject to confidentiality. For self-serve customers, the documentation above satisfies NeoLain's audit-assistance obligations under GDPR Article 28(3)(h).
13. Conflicts and order of precedence
In case of conflict between documents, the order of precedence is:
- Any Enterprise order form signed between the parties.
- This DPA.
- The Terms of Service.
- The Privacy Policy.
On matters specifically addressed by the SCCs (where they apply), the SCCs prevail.
14. Liability
Liability under this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing in this DPA excludes liability that cannot be excluded under applicable Data Protection Laws.
15. Term and termination
This DPA is effective when Customer begins using the Service and remains in effect for the duration of the Terms. Sections that by their nature should survive (Sections 10, 11, 14) survive termination for as long as NeoLain retains any Personal Data.
16. Governing law
This DPA is governed by the laws of the Hong Kong Special Administrative Region, consistent with the Terms of Service. Where the SCCs apply to a particular transfer, the law specified in the relevant SCC module applies to that transfer only.
17. Contact
Legal / DPA: legal@neolain.com
Support: support@neolain.com
Postal: NeoLain Trading Co. Limited, [registered address placeholder], Hong Kong SAR
Annex A — Description of Processing
| Item | Detail |
|---|---|
| Controller | Customer (as identified in the Terms / order form) |
| Processor | NeoLain Trading Co. Limited, Hong Kong |
| Subject matter | Processing of lease documents and associated data for structured data extraction via the LeaseLens service |
| Duration | Term of the Service plus post-termination retention set out in Section 11 |
| Nature and purpose | Hosting, LLM-assisted extraction, storage, retrieval, export, deletion |
| Types of Personal Data | Names, business contact details, signatory details, guarantor details contained in uploaded leases; Customer account data (name, work email, company) |
| Categories of data subjects | Customer personnel; individuals named in Customer-uploaded leases |
| Frequency | Continuous, on Customer action |
Annex B — Technical and Organizational Measures
Summarized in Section 6. A current, more detailed security overview is published at neolain.com/leaselens/security.
Annex C — Approved Subprocessors
Listed in Section 7.2 and maintained at neolain.com/leaselens/subprocessors.
LeaseLens output is informational. It is not legal advice. Always have qualified counsel review lease terms before relying on them for legal or financial decisions.