On this page you will find answers to commonly asked questions, relevant documentation, links to useful external resources, and contact details should you need additional information on the compliance of the LeanIX Subscription Services with Applicable Data Protection Laws.
1. Is a Data Processing Agreement included in standard documentation for the purchase of LeanIX Subscription Services?
The LeanIX Subscription Services do process certain Personal Data of Users. Therefore, in accordance with the applicable data protection regulations, all Agreements for the purchase of LeanIX Subscription Services include a Data Processing Agreement as an Exhibit.
If Customer (“You”) is purchasing the LeanIX Subscription Services from LeanIX, the current version of the Data Processing Exhibits is accessible online.
If You are purchasing the LeanIX Subscription Services from SAP or another affiliate of the SAP group, the current version of the Data Processing Exhibits is accessible on the SAP agreements website or any subsequent website(s) made available by SAP to Customer.
2. Who is the Data Controller for the processing activities carried out on the LeanIX Subscription Services?
The Data Processing Agreement specifies the Parties’ respective obligations in connection with the processing of Personal Data:
You are the Data Controller and are responsible for the processing of the Personal Data submitted to LeanIX or SAP.
LeanIX or SAP is the Data Processor and processes on your behalf the Personal Data exclusively for the purpose of providing to You the LeanIX Subscription Services (LeanIX’s web-based services that you have subscribed to and that LeanIX or SAP makes available to You). For clarity,
3. Can we replace the LeanIX/SAP Data Processing Exhibit with the corresponding document of your organization?
As part of the SAP group, our data protection processes and documentation are standardized at group level, to align with industry standards and ensure efficiency. Therefore, we can only rely on the LeanIX/SAP Data Protection documentation for the purpose of the contract review. However, our team is always available to answer questions and provide clarifications on the content and structure of such documents.
4. Do the LeanIX Subscription Services comply with applicable data protection laws?
LeanIX/SAP has in place robust compliance processes to make sure that its provision of the LeanIX Subscription Services is always compliant with the applicable data protection laws. Applicable data protection laws, in this case, means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement, including but not limited to those of:
The European Union and its member states (including GDPR and any successors),
Brazil (including LGPD and any successors),
Switzerland (including Swiss Federal Act of 19 June 1992 on Data Protection and any successors),
The United Kingdom (including Data Protection Act 2018 and any successors),
The United States (including CCPA, other state and federal laws, and any successors).
5. What Personal Data does the LeanIX Subscription Service process and for which purpose?
The processing of Personal Data is limited to the type, scope and purpose listed below:
| Categories of Data Subjects | Type of Data | Purpose of Processing |
|---|---|---|
| Users (usually employees or consultants of Customer) | Name (fore- and surname), email address, assigned role in the Subscription Service, subscriptions of fact sheets, profile picture (optional), user activity (in the Subscription Service), browser identification, IP address. | Provision of features of the Subscription Service, such as user management, functions in the software such as subscriptions to fact sheets, log of updates to fact sheets, creatorship of certain objects, to-dos, surveys, notifications, user support and information, individual user training. |
| Users, others (depending on User) | Data added by Users into Free Form text fields. | Depending on Users (Users can add Personal Data in the Free Form text fields on the Subscription Services; LeanIX/SAP does not recognize them or process them as Personal Data, yet for the purpose of most data protection legislations a Personal Data processing activity occurs). |
6. Does the LeanIX Subscription Service process Sensitive Data?
7. Does LeanIX/SAP access the Personal Data on your workspace?
In normal operation of the services the Data Processor does NOT access your Personal Data.
However, LeanIX personnel might incidentally access your Personal Data in the course of solving a support ticket or providing emergency maintenance/support. “Incidental” access, in this respect, means that the data are merely accessed and not stored on any local device.
For such purpose, LeanIX/SAP only relies on authorized and trained personnel who have committed themselves to confidentiality. The Processor and its Subprocessors will regularly train personnel having access to Personal Data in applicable data security and data privacy measures.
8. Does LeanIX/SAP require its employees to conduct regular data protection training?
Yes, all LeanIX/SAP employees with potential access to Customer Data are required to have regular training on data protection and data security measures.
9. Extraction and Deletion of Personal Data
During the Subscription Term and subject to the Agreement, Data Controller can access its Personal Data at any time. Data Controller may export and retrieve its Personal Data in a standard database export format. Export and retrieval may be subject to technical limitations, in which case Data Processor and Customer will find a reasonable method to allow Data Controller access to Personal Data.
Before the Subscription Term expires, Data Controller may use Data Processor’s self-service export tools (as available) to perform a final export of Personal Data from the Subscription Service (which shall constitute a "return" of Personal Data).
At the end of the Subscription Term, LeanIX/SAP will delete the Personal Data remaining on servers hosting the Subscription Service within a reasonable time period in line with Data Protection Law (not to exceed 6 months) unless applicable law requires retention.
10. How long does LeanIX/SAP retain your data?
During the Subscription Term, different retention periods apply, as specified in the relevant documentation and in the LeanIX Deletion Concept. To access the LeanIX Deletion Concept, please contact your LeanIX Account Executive.
After the end of the Subscription Term, Data Processor will delete all data uploaded by Customer (including any Personal Data therein included) within a reasonable time period in line with Data Protection Law (not to exceed 6 months) unless applicable law requires retention.
11. Where are the LeanIX solution and Personal Data hosted?
Data Processor relies on Microsoft Azure for hosting the LeanIX Subscription Services and offers different available regions, depending on the Data Controller’s choice. The default regions are US or EU (depending on Customer’s location). Check with your LeanIX Account Executive which options are available to you.
Data Processor relies on data center pairs for business continuity and disaster recovery reasons. All data centers are ISO 27001, SOC 1, 2, 3 certified.
12. Does the Data Processor rely on third parties for the processing of your Personal Data?
Yes, Data Processor relies on different entities to process Personal Data. However, Data Processor has in place a robust onboarding process to guarantee that any third party we rely on is able to comply with the contractual commitments we have in place with our customers, in particular when it comes to data processing and data security.
The list of Subprocessors on the effective date of the Agreement is published on the following website, and includes the name, address and role of each Subprocessor, plus information on the scope of the sub-processing.
13. What international transfer mechanisms does the Data Processor use?
To transfer Personal Data to its Subprocessors located outside the EU/EEA in a country which does not benefit from an adequacy decision of the European Commission pursuant to Article 45 GDPR, the Data Processor has executed the EU Standard Contractual Clauses, in the new version that came into force in 2021, in the wake of the Schrems II decision.
14. What additional safeguards has the Data Processor taken in the wake of the Schrems II decision?
As a Data Processor, we have prepared a Data Transfer Factsheet to help our customers, as Data Controllers, conduct a case-by-case Transfer Impact Assessment (“TIA”) to determine whether an essentially equivalent level of protection as provided in the EU/EEA is afforded in the Third Country of destination. The information contained in the Data Transfer Factsheet is designed to help Data Processor’s customers carry out a TIA for the LeanIX Subscription Services.
The Data Controller can obtain a copy of the Data Transfer Factsheet upon request.
15. Should you sign the EU Standard Contractual Clauses with Data Processor?
If you are located within the EU and you contract with the Data Processor in Europe, you would not need to enter into SCCs.
Nonetheless, the EU Standard Contractual Clauses are always annexed to the DPA, which is incorporated in your Agreement with the Data Processor. To the extent the processing activities under the Agreement are subject to the GDPR, and the execution of the Agreement would result in a transfer of personal data out of the EEA to third countries not recognized by the European Commission as ensuring an adequate level of protection for personal data, the EU Standard Contractual Clauses will apply.
16. What are the technical and organizational measures implemented by the Data Processor for the protection of your Personal Data?
LeanIX provides a robust information security program, including policies, standards and procedures regulating the processing and protection of your Personal Data (Deletion Concept, Transfer Impact Assessment, Data Protection Impact Assessment, Privacy by Design, Privacy Policies, etc.). The Technical and Organizational Measures, incorporated in all our DPAs, provide a list of the technical and organizational measures we commit to provide as part of the provision of our services.
Such measures are developed, and periodically updated by LeanIX, to protect your Personal Data taking into account the state-of-the-art technology, the implementation costs and the nature, scope, circumstances and purposes of the Processing of Personal Data.
For further information on the Information Security Program related to the LeanIX Subscription Services, please also visit our Security and Trust website.
17. Does LeanIX implement Privacy by Design principles?
Yes, the LeanIX solution is developed using a "Privacy by Design" approach to ensure compliant processing of Personal Data. It consists of adopting appropriate organizational and technical measures from the project design stage and by default, guaranteeing the protection of privacy and fundamental freedoms.
18. How would LeanIX/SAP manage Data Subjects requests?
If a Data Subject contacts LeanIX with a request for exercising his or her rights in relation to Personal Data, to the extent reasonably possible, LeanIX will inform You without undue delay or instruct the Data Subject to contact its respective Data Controller.
Please consider that LeanIX will not be able to address those requests directly, since it does not work with or have direct access to your data. However, LeanIX/SAP has implemented technical and organizational measures (automated tools) to enable you to access, correct, rectify, erase, or block any Personal Data as may be requested by a Data Subject or required under data protection laws. Should such automated tools not be enough, LeanIX/SAP will provide all reasonable cooperation to address the issue.
19. What are the Data Processor’s policies in case of Personal Data breach?
The Data Processor will:
Notify Data Controller without undue delay after becoming aware of any Personal Data Breach.
Provide reasonable information in its possession to assist Data Controller to meet Data Controller’s obligations to report a Personal Data Breach as required under Data Protection Law.
The Data Processor may provide such information in phases as it becomes available.
20. Did LeanIX appoint a Data Protection Officer?
In the case the Agreement is signed between LeanIX and Customer and LeanIX being the Data Processor:
LeanIX has appointed an external Data Protection Officer (DPO), Andreas Schmidt, dataprivacy@leanix.net.
In the case the Agreement is signed between SAP and Customer and SAP being the Data Processor: The SAP Group’s data protection officer is Mathias Cellarius (privacy@sap.com). Certain local regulations require a local data protection officer to be appointed (e.g., Philippines or China).
21. Contact
Should you have any other questions about Data Processor’s compliance with Data Protection Laws:
In the case the Agreement is signed between LeanIX and Customer and LeanIX being the Data Processor, please contact dataprivacy@leanix.net.
In the case the Agreement is signed between SAP and Customer and SAP being the Data Processor, please contact privacy@sap.com.