Our commitment as data processor

If you are already a LeanIX Customer or you are evaluating our services, you should know that by uploading data to our platform you entrust that data to LeanIX as your Data Processor. On this page you will find information, answers to commonly asked questions, relevant documentation, links to useful external resources, and contact details regarding LeanIX's role as Data Processor.

Frequently Asked Questions (FAQ) regarding LeanIX compliance with Data Protection Laws

1. Is a Data Processing Exhibit included in LeanIX's standard documentation?

All LeanIX Agreements between LeanIX (“we”, “us”) and the Customer (“You”) include a Data Processing Exhibit as an Exhibit. The current version of the Data Processing Exhibit is accessible online.
It specifies the Parties’ respective obligations in connection with the processing of Personal Data:
  • You and your Users (Data Controller) are responsible for the processing of the Personal Data submitted to LeanIX.
  • In this context, LeanIX is the subcontractor (Data Processor) processing Personal Data on your behalf, exclusively for the purpose of providing the LeanIX Subscription Services to you (the LeanIX web-based services that you have subscribed to and that LeanIX makes available to you).

2. Why use the LeanIX Data Processing Exhibit rather than your organization's own document?

A customer's form of agreement is written to cast a wide net over a broad spectrum of service providers. However, the very reasons you are considering LeanIX, i.e. the attributes that distinguish our service from the competition, are exactly what a standardized form does not regulate, so there is a natural mismatch between such a form and our service.
If we were to use a customer's form of agreement, it would require extensive modifications to align it with our service offering, which would extend the review process for the customer and LeanIX alike.

3. Does LeanIX comply with applicable data protection laws in delivering its Services?

LeanIX has in place compliance processes to make sure that its provision of the LeanIX Subscription Services is always compliant with the applicable data protection laws. Applicable data protection laws, in this case, means the laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to those of:
  • The European Union and its member states (including GDPR and any successors),
  • Brazil (including the LGPD and any successors),
  • Switzerland (including the Swiss Federal Act of 19 June 1992 on Data Protection and any successors),
  • The United Kingdom (including the Data Protection Act 2018 and any successors),
  • The United States (including the CCPA, other state and federal laws, and any successors).

4. What Personal Data does LeanIX process and for which purpose?

LeanIX does not process any sensitive Data, and the processing of Personal Data is limited to the data subjects, data categories and purposes listed below:
  • Data subjects: Users. Personal Data: name, surname, the User's assigned role in the Subscription Service, subscriptions of objects, profile picture (optional). Purpose: provision of certain features of the Subscription Service, such as user management and functions in the software such as subscriptions of objects.
  • Data subjects: Users. Personal Data: email addresses, User activity in the software, browser identification, IP address. Purpose: provision of certain features of the Subscription Service, such as user management, functions in the software such as notifications, error analysis, quality assurance of the operation and faultlessness of the software, user support and information about news, and individual user training.
  • Data subjects: Users and others (depending on the User). Personal Data: data added by Users into free-form text fields. Purpose: depends on the User.
  • Exclusively for SMP module subscribers. Data subjects: Users and others. Personal Data: email addresses. Purpose: managing subscriptions to other SaaS applications.
Because the content of free-form text fields is determined by your Users, whether those fields contain Personal Data, and of what kind, is under your control as Data Controller.

5. Does LeanIX access your data?

No. In normal operation of the services LeanIX does NOT access your data.
However, LeanIX personnel might incidentally access your data in the course of resolving a support ticket or providing emergency maintenance or support. “Incidental” access, in this respect, means that the data are merely accessed and are not stored on any local device.
In any case, access to your data is provided exclusively for the purpose of providing customer support, customer success and maintenance services, and only to personnel who have the necessary professional skills and competence to do so. Such personnel are required to undergo regular training on data protection topics (upon hiring and at least once per year thereafter) and must enter into appropriate confidentiality obligations in writing.

6. Does LeanIX require its employees to undergo regular data protection training?

Yes, all LeanIX employees are required to undergo regular training on data protection topics (upon hiring and at least once per year thereafter).

7. How long does LeanIX retain your Personal Data?

The LeanIX Services include functionalities that allow customers to access, correct, transfer and delete customer data at any time.
If data are not deleted by a customer, LeanIX will delete the Personal Data within 30 days following the expiration or termination of the Agreement, in accordance with the LeanIX Deletion Concept; the retention period therefore corresponds to the duration of the Agreement. However, shorter retention periods apply to particular categories of data, such as backups and archived documents. To access the LeanIX Deletion Concept, please contact your LeanIX Account Executive.

8. Extraction of Personal Data

You may extract Personal Data in a machine-readable format at any point during the term of the Agreement and for up to 30 days after the expiration or termination of the Agreement, i.e. until the deletion described in question 7 takes place.

9. Where are the LeanIX solution and Personal Data hosted?

LeanIX relies on Microsoft Azure for hosting and offers a choice of hosting regions. The available regions include (but are not limited to) the US, the EU and Australia. Check with your LeanIX Account Executive which options are available to you.
LeanIX relies on paired data centers for business continuity and disaster recovery purposes. All data centers hold ISO 27001 certification and SOC 1, SOC 2 and SOC 3 attestations.

10. Does LeanIX rely on third parties for the processing of your Personal Data?

Yes, LeanIX relies on other entities to process your Personal Data. However, LeanIX has in place an onboarding process to ensure that any third party we rely on is able to comply with the contractual commitments we have in place with our customers, in particular those concerning data processing and data security.
The current list of LeanIX Subprocessors (LeanIX Affiliates and third-party Subprocessors) is detailed and available on the List of Subprocessors page.

11. What international transfer mechanisms does LeanIX use?

To transfer Personal Data to its Subprocessors located outside the EU/EEA in a country that does not benefit from an adequacy decision of the European Commission pursuant to Article 45 GDPR, LeanIX has executed the Standard Contractual Clauses in the version adopted by the European Commission in June 2021, following the Schrems II decision.

12. What additional safeguards has LeanIX taken in the wake of the Schrems II decision?

In accordance with the new SCCs, which codified the Schrems II requirement to undertake a Transfer Impact Assessment (“TIA”), LeanIX has carried out a TIA and keeps it up to date. LeanIX customers and prospects can obtain a copy of our TIA upon request, after execution of an appropriate confidentiality agreement.
The new SCCs also require data importers to take specific data protection steps if they receive a government access request (see question 16 for how LeanIX handles such requests).

13. Should you sign Standard Contractual Clauses / International Data Transfer Addendum with LeanIX?

If you are located within the EU and you contract with LeanIX in Europe, you do not need to enter into SCCs separately.
Nonetheless, the Standard Contractual Clauses / International Data Transfer Addendum are always annexed to the LeanIX Data Processing Exhibit, which is incorporated in your agreement with LeanIX. To the extent that the processing activities under the Agreement are subject to the GDPR, and performance of the Agreement would result in a transfer of Personal Data out of the EEA to third countries not recognized by the European Commission as ensuring an adequate level of protection for Personal Data, the SCCs and/or the IDTA will apply.

14. What are the technical and organizational measures implemented by LeanIX for the protection of your Personal Data?

LeanIX maintains an Information Security Program, including policies, standards and procedures regulating the processing and protection of your Personal Data (Deletion Concept, Transfer Impact Assessment, Data Protection Impact Assessment, Privacy by Design, Privacy Policies, etc.). The Data Security Exhibit, incorporated in all our agreements, provides the list of technical and organizational measures we commit to as part of the provision of our services.
Such measures are developed, and are periodically updated by LeanIX, to be appropriate for the protection of your Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of Personal Data.
For further information on LeanIX Information Security Program, please also visit

15. Does LeanIX implement Privacy by Design principles?

Yes, the LeanIX solution is developed using a "Privacy by Design" approach to ensure compliant processing of Personal Data. It consists of adopting appropriate organizational and technical measures from the design stage of a project and by default, in order to guarantee the protection of privacy and fundamental freedoms.

16. How would LeanIX manage a request for disclosure of Personal Data from Public Authorities?

Because of the nature of the Personal Data uploaded to our platform (see question 4), it is unlikely that LeanIX would be the target of a request from public authorities. However, if LeanIX receives a request for disclosure of Personal Data from a public authority, including judicial authorities, LeanIX commits to:
  • Promptly notify you of such a request, to the extent legally allowed,
  • Redirect the law enforcement agency to request that data directly from you,
  • If compelled to disclose Personal Data, take reasonable steps to object to the Law Enforcement Request or, at a minimum, seek to limit the Law Enforcement Request to only the Personal Data that is necessary and proportionate under Data Protection Laws,
  • Keep you informed about any steps it takes to object to and limit the Law Enforcement Request and, where possible, give you an opportunity to intervene in relation to the Law Enforcement Request.

17. How would LeanIX manage Data Subject requests?

If a Data Subject contacts LeanIX with a request to exercise his or her rights in relation to Personal Data, LeanIX will, to the extent reasonably possible, inform you without undue delay or instruct the Data Subject to contact the respective Data Controller.
Please note that LeanIX will not be able to address such requests directly, since it does not work with, or have direct access to, your data. However, LeanIX has implemented technical and organizational measures (automated tools) to enable you to access, correct, rectify, erase or block any Personal Data as may be requested by a Data Subject or required under Data Protection Laws. Should such automated tools not be sufficient, LeanIX will provide all reasonable cooperation to address the request.

18. What are LeanIX’s policies in case of Personal Data breach?

LeanIX will notify you without undue delay, and no later than seventy-two (72) hours after becoming aware of any Breach. To the extent possible, LeanIX's initial notification shall include a description of:
  • The nature of the Breach (and as far as possible the categories and the approximate number of affected Data Subjects and Personal Data),
  • The consequences of the Breach,
  • The measures taken or proposed by LeanIX to remedy the Breach and to mitigate its potential adverse effects.
If this information is not available at the time of the initial notification, LeanIX will provide it subsequently, without undue delay, as it becomes available.

19. How can you obtain access to LeanIX policies and procedures in order to evaluate our data processing and data security processes?

You can access up-to-date LeanIX data protection, security and compliance documents by requesting access to the LeanIX Corporate Hub from your LeanIX Account Executive and/or LeanIX Customer Success Manager.

20. Has LeanIX appointed a Data Protection Officer?

LeanIX has appointed an external Data Protection Officer (DPO), Andreas Schmidt,

21. Contact

Should you have any other questions about LeanIX compliance with Data protection Laws, please contact