Data Processing Agreement (DPA)

Last updated: May 2026

This page is a summary of our standard Data Processing Agreement (DPA) that applies as soon as you use AgencyLens. The full signable version can be requested via privacy@agencylens.io.

Roles

Under the GDPR, you (as the customer) are the data controller for your organization's Google Ads data. AgencyLens acts as the data processor that retrieves, stores and analyzes this data on your behalf.

Subject matter of the processing

  • Google Ads change history (which changes, by whom, when)
  • Campaign, ad and search term data from the connected account
  • Derived analyses: scorecard, sessions, waste reports

Purposes

Solely the delivery of the insights described in this service. We never use your data for other purposes, do not sell data, and do not share data with third parties other than the sub-processors listed in our privacy policy.

Security measures

  • OAuth refresh tokens encrypted with AES-256-GCM
  • Passwords hashed with bcrypt (12 rounds)
  • TLS 1.2+ for all traffic; HSTS headers
  • Tenant isolation: every query filters on organization ID
  • Automated security tests guaranteeing that nothing is ever written to Google Ads
  • Audit log of all sensitive actions (login, OAuth, exports)
  • Rate limiting on authentication endpoints
  • Daily, encrypted off-site backups of the database

Sub-processors

See our privacy policy for the full list. We announce changes to the sub-processor list at least 30 days in advance, so that you can object.

Data location

All production infrastructure runs in the EU (Hetzner, Germany). Mailgun runs in the EU region. Google Ads API traffic goes through Google's EU endpoints, with Standard Contractual Clauses (SCCs) covering the processing by Google in the US.

Data breach notification

If we suspect a data breach affecting your organization, we will notify you within 72 hours of discovery, in accordance with GDPR Art. 33.

Data subject rights

We assist you with data subjects' requests for access, rectification, erasure or data portability — this is included in your subscription.

Audit rights

Upon reasonable request (max. once per year, with 30 days' notice), we can provide relevant security documentation, the sub-processor list and a SOC2-style control statement.

Termination

Upon termination of the subscription, we erase all personal data within 30 days. Upon request, we provide a data export in a commonly used format (CSV/JSON) beforehand.

Signable version

For customers who need a formally signed DPA (e.g. for their own compliance requirements), send an email to privacy@agencylens.io — we will return a completed PDF within 2 business days.