Check document version and legal status before relying on it.
AudienceLens Data Processing Agreement
Intuitus Ltd | Working draft | 23 May 2026 | Version 0.2
Prepared for practical customer/procurement use. Working draft for legal and technical review before signature or publication.
| Status and use: This draft is intended for business-to-business customers where Intuitus Ltd provides AudienceLens as a processor for customer-submitted content. It should be reviewed by a solicitor and checked against the final production architecture, customer contract, subprocessors, hosting regions, AI/model provider terms, deletion controls and security measures before signature. |
|---|
1. Parties and background
This Data Processing Agreement (DPA) forms part of the agreement between:
| Party | Role in this DPA | Details |
|---|---|---|
| Customer | Controller | [Customer legal name and registered details] |
| Intuitus Ltd | Processor | Provider/operator of AudienceLens. Company details and registered address to be inserted/confirmed. Privacy contact: privacy@[confirm-domain]. |
AudienceLens is a message-testing and audience-review workspace. It is primarily intended to support communications material that is intended for publication or external distribution. It is not intended for safeguarding files, health records, donor financial records, payment card data, HR files or confidential case-management records unless expressly agreed in writing and assessed separately.
2. Roles
- For customer content submitted into AudienceLens, the Customer is normally the controller and Intuitus Ltd is normally the processor.
- For Intuitus Ltd account administration, billing, website, sales, support, security, legal and service-management records, Intuitus Ltd may act as controller.
- If the parties agree a different role split for a specific use case, this must be recorded in the order form, statement of work or a written schedule.
3. Processing details
| Item | Description |
|---|---|
| Subject matter | Provision, support, maintenance and security of AudienceLens. |
| Duration | The term of the customer agreement plus the deletion/return period described in this DPA and the Retention Statement. |
| Nature of processing | Hosting, storing, organising, analysing, generating outputs, improving drafts, autosave/versioning, collaboration, audit logging, troubleshooting, support, backup and deletion. |
| Purpose | To provide the contracted AudienceLens service and related support, security, maintenance, administration and compliance. |
| Data subjects | Customer authorised users; customer staff; prospects, supporters, partners, public figures or other people included in customer-submitted copy/context; people included in support or account records. |
| Personal data categories | Names, job roles, work emails, user identifiers, account details, message content, organisation context, audience notes, location selections, reports, outputs, usage data, logs, support records and billing/contact details where applicable. |
| Special category data | Not expected or permitted unless expressly agreed in writing and covered by a DPIA, additional safeguards and additional terms. |
| Children's data | Not expected or permitted unless expressly agreed in writing and assessed separately. |
| Data sensitivity | Generally low to moderate because the core content is normally pre-publication/public communications material; risk remains for pre-publication confidentiality, account data, logs and incidental personal data. |
4. Customer instructions
Intuitus Ltd will process customer personal data only on documented Customer instructions. Documented instructions include the customer agreement, this DPA, product configuration, authorised user actions, support requests and any written instructions accepted by Intuitus Ltd.
If Intuitus Ltd considers an instruction to infringe applicable data protection law, it will inform the Customer unless prohibited from doing so by law.
5. Processor obligations
Intuitus Ltd will:
- process customer personal data only on documented instructions;
- ensure that personnel authorised to process customer personal data are bound by confidentiality obligations;
- implement and maintain appropriate technical and organisational security measures;
- assist the Customer, taking into account the nature of processing and information available to Intuitus Ltd, with data subject rights requests, security obligations, personal data breach assessment, DPIAs and regulator consultations;
- notify the Customer without undue delay after becoming aware of a personal data breach affecting customer personal data;
- delete or return customer personal data at the end of the service unless law requires retention;
- make available information reasonably necessary to demonstrate compliance with processor obligations; and
- allow and contribute to reasonable audits or inspections, subject to confidentiality, security, proportionality, customer data separation and service-continuity controls.
6. Customer obligations
The Customer will:
- ensure it has a lawful basis and provides required privacy information for personal data it submits to AudienceLens;
- avoid submitting unnecessary personal data, special category data, children's data, confidential third-party data or regulated records unless agreed in writing;
- configure users, workspaces, access permissions and sharing settings appropriately;
- review AI-assisted outputs before use and remain responsible for publication and communication decisions;
- respond to individuals where the Customer is controller; and
- keep a copy of its own published/privacy notices and records of processing where required.
7. Subprocessors
Intuitus Ltd may appoint subprocessors to provide AudienceLens. The current subprocessor list must be completed before customer use. Intuitus Ltd will impose written data protection obligations on subprocessors that are materially equivalent to this DPA, taking into account the nature of the services provided.
| Subprocessor category | Likely service | Data processed | Status |
|---|---|---|---|
| Hosting/cloud provider | Application hosting, storage, networking | Customer content, account data, logs | TBC - confirm provider, region and transfer mechanism |
| Database/auth provider | Database, authentication, access controls | Account data, customer content, authentication logs | TBC |
| AI/model/API provider | Report generation, signal summaries, improvement suggestions | Prompts, customer content, outputs and metadata | TBC - confirm retention, training, location and deletion terms |
| Analytics provider | Product/website analytics | Usage events, device info, identifiers | TBC - block non-essential analytics until consent/exemption position is confirmed |
| Email/support/CRM provider | Transactional emails, support tickets, customer communications | Contact details, message metadata, support content | TBC |
| Payment provider | Billing and payment processing if used | Billing contacts and payment metadata | TBC / if applicable |
Customer notice process: Intuitus Ltd will give reasonable notice of material new subprocessors, normally at least 30 days where practical, and will allow Customers to object on reasonable data-protection grounds. If an objection cannot be resolved, the parties should follow the remedies set out in the main agreement.
8. AI/model provider terms
- Customer content must not be used to train third-party or Intuitus Ltd models unless expressly agreed in writing.
- Before launch, Intuitus Ltd should confirm whether prompts, content, outputs and metadata are retained by the model provider and for how long.
- Before launch, Intuitus Ltd should confirm model processing locations, transfer mechanisms, deletion procedures and any onward subprocessors.
- AudienceLens outputs are decision-support only and must be reviewed by human users before publication or action.
- AudienceLens is not intended to make solely automated decisions about individuals with legal or similarly significant effects.
9. International transfers
Where customer personal data is transferred outside the UK, Intuitus Ltd will ensure that an appropriate transfer mechanism is in place where required, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or another lawful safeguard. Intuitus Ltd will assess relevant transfer risks and apply supplementary measures where appropriate.
10. Security measures
Intuitus Ltd will maintain appropriate technical and organisational measures for AudienceLens. Minimum working controls include:
| Control area | Draft measure |
|---|---|
| Governance | Named privacy/security owner, supplier review, security awareness and confidentiality obligations. |
| Access control | Unique accounts, least privilege, MFA where available, role-based access, periodic access reviews and leaver removal. |
| Application/infrastructure security | TLS in transit, encryption at rest where supported, environment separation, secure secret management, vulnerability/dependency review, patching and secure configuration. |
| Customer content handling | Logical workspace separation, restricted staff access, support access only where needed, deletion/export controls and no cross-customer context sharing. |
| Logging/monitoring | Security-relevant event logging with access restricted and retention aligned to the Retention Statement. |
| Backups/resilience | Regular backups, restricted backup access, restore testing and rolling overwrite/deletion. |
| Incident response | Triage, breach assessment, customer notification, corrective action and post-incident review. |
11. Personal data breaches
Intuitus Ltd will notify the Customer without undue delay after becoming aware of a personal data breach affecting customer personal data. The notice should include, where available:
- a description of the nature of the breach;
- categories and approximate volume of affected data/data subjects where known;
- likely consequences;
- mitigation and containment steps;
- measures taken or proposed to address the breach; and
- a contact point for follow-up.
The Customer remains responsible for regulator or individual notifications where it is controller, unless the parties agree otherwise in writing.
12. Data subject requests
If Intuitus Ltd receives a request concerning customer content for which the Customer is controller, Intuitus Ltd will not respond substantively unless instructed by the Customer. Intuitus Ltd will either refer the requester to the Customer or notify the Customer, subject to law and identity/security checks.
For Intuitus Ltd controller data, Intuitus Ltd will handle rights requests under its own privacy process.
13. Deletion and return
- During the contract, Customer admins should be able to delete projects, scenarios, reports or workspaces where technically supported.
- On termination or expiry, Intuitus Ltd will delete or return customer personal data within 60 days unless the Customer requests earlier deletion and this is technically feasible.
- Backups will be overwritten in the ordinary course, normally within 90 days, unless a legal hold, security investigation or technical constraint applies.
- Intuitus Ltd may retain minimal records required for legal, tax, accounting, security, dispute, audit and compliance purposes.
14. Audit and evidence
The Customer may request reasonable evidence of compliance, such as a security summary, Cyber Essentials certificate when issued, subprocessor list, retention statement, completed security questionnaire, or supplier trust materials. Intrusive or on-site audits must be subject to reasonable notice, confidentiality, scope limits, no access to other customers' data, and no material disruption to the service.
15. Liability and order of precedence
This DPA governs data protection matters if there is a conflict with the main agreement. Commercial liability, warranties, indemnities, service levels and fees should be handled in the main agreement unless expressly stated otherwise.
16. Signatures
| For Customer | For Intuitus Ltd |
|---|---|
| Name: Title: Date: Signature: | Name: Title: Date: Signature: |