Data Processing Agreement

Last updated

29 May 2026.

This Data Processing Agreement forms part of the agreement between Lirena Limited, an Irish private company limited by shares with company number 781851, and the clinic, practice, company, or other organisation that uses Lirena as a customer.

In this DPA, "Customer" means the organisation that determines the purposes and means of processing Customer Personal Data in the Lirena service. "Lirena" means Lirena Limited. "Data Protection Laws" means GDPR, the Irish Data Protection Act 2018, UK GDPR where applicable, the UK Data Protection Act 2018 where applicable, ePrivacy laws where applicable, and any other data protection law that applies to the relevant processing.

Roles

For Customer Personal Data submitted to or generated in a clinic workspace, including client, patient, assessment, response, score, export, review-note, consent, audit, and assessment workflow data, the Customer is normally the controller and Lirena is normally the processor.

Lirena may process limited data as an independent controller for its own account administration, website, demo, support, security, legal compliance, service improvement, and legal-claims purposes as described in the Privacy Policy. This DPA does not apply to processing for which Lirena is an independent controller.

Processing details

Subject matter: Lirena's provision, security, support, maintenance, and improvement of psychometric assessment workflow software for the Customer.

Duration: the term of the Customer's access to the service and any additional period during which Lirena processes Customer Personal Data under the agreement, this DPA, law, or documented Customer instructions.

Nature and purpose: hosting, transmitting, receiving, validating, storing, structuring, scoring where supported, displaying, exporting, auditing, securing, supporting, and deleting or returning Customer Personal Data as needed to provide the service and follow Customer instructions.

Data subjects: Customer personnel and authorised users; clinicians, administrators, and support users; clients, patients, service users, guardians, carers, or respondents involved in a Customer workflow; and other individuals whose data is submitted to or generated in the service by or for the Customer.

Categories of personal data: account and contact data, role and permission data, authentication and session data, client or patient profile data, assessment schedules, assessment responses, scores, scoring provenance, notes, export records, consent records, audit records, deletion and retention workflow records, integration metadata, API and webhook metadata, support information, and technical logs.

Special-category data: health data, mental-health data, psychometric assessment responses, clinical notes, and related information where the Customer uses the service in a clinical or healthcare context.

Customer instructions

Lirena will process Customer Personal Data only on documented instructions from the Customer, including instructions in the agreement, this DPA, the Customer's use and configuration of the service, and written instructions accepted by Lirena, unless EU, Irish, UK, or other applicable law requires Lirena to process it otherwise.

If Lirena believes an instruction infringes Data Protection Laws, Lirena will inform the Customer unless legally prohibited. Lirena is not responsible for determining whether the Customer's instructions comply with laws that apply to the Customer's clinical practice, patient relationship, professional obligations, instrument licences, or records.

Customer responsibilities

The Customer is responsible for providing privacy notices, selecting lawful bases and special-category conditions, obtaining consent where required, managing clinical governance, verifying instrument rights and licences, handling patient and data subject communications, responding to rights requests, setting retention instructions, and ensuring that Customer users are authorised and trained.

The Customer must not submit personal data to Lirena unless it is authorised to do so and the processing is lawful. The Customer must not instruct Lirena to process patient-level data for advertising, data brokerage, insurance pricing, employment screening, automated clinical decision systems, autonomous diagnosis, automated clinical interpretation, treatment recommendation, or clinical risk stratification.

Confidentiality

Lirena will ensure that personnel authorised to process Customer Personal Data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality. Lirena will limit access to personnel and contractors who need access to provide, secure, support, or maintain the service.

Security measures

Taking into account the state of the art, implementation costs, processing nature, scope, context, purposes, and risks to individuals, Lirena will implement appropriate technical and organisational measures designed to protect Customer Personal Data.

Verified repository controls and service posture include authenticated clinician workspaces, practice-scoped API context, role-aware product surfaces, managed identity, audit-log foundations, secret-management boundaries, analytics minimisation expectations, no committed production secrets, and internal-only default posture for worker services.

Lirena's security measures must be assessed in light of the Customer's intended use, data sensitivity, configuration, user administration, integrations, and local clinical governance. Lirena does not guarantee absolute security or uninterrupted availability.

Subprocessors

The Customer authorises Lirena to use subprocessors to provide, secure, support, and improve the service, subject to this DPA. Lirena remains responsible to the Customer for subprocessors' performance of their data protection obligations to the extent required by Data Protection Laws.

Subprocessors and processor-like providers identified from public and repository sources at the date of this DPA include Google Cloud for cloud infrastructure and hosting, a managed identity provider for authentication and organisation identity workflows, and PostHog for product analytics where enabled. Customer-configured integration providers, including Semble where configured by the Customer, process data only when the Customer enables or instructs that integration.

Lirena will impose data protection terms on subprocessors that are substantially protective of Customer Personal Data and appropriate to the relevant processing. Lirena will provide information about material subprocessor changes through its published legal pages, contract materials, or other reasonable customer notice channel. The Customer may object on reasonable data protection grounds before the change takes effect where the objection period and notice mechanism are made available.

International transfers

The Customer authorises Lirena and its subprocessors to transfer Customer Personal Data outside the EEA, Ireland, and the United Kingdom where necessary to provide the service and subject to appropriate safeguards required by Data Protection Laws.

Where required, the parties will rely on adequacy decisions, the European Commission standard contractual clauses, the UK international data transfer addendum or equivalent approved transfer terms, and supplementary measures where appropriate. If the standard contractual clauses apply, the Customer is the data exporter and Lirena is the data importer for controller-to-processor transfers unless the parties' roles require another module.

Assistance

Taking into account the nature of processing and the information available to Lirena, Lirena will provide reasonable assistance to the Customer with data subject requests, security obligations, personal data breach obligations, data protection impact assessments, prior consultations, and regulatory enquiries relating to Customer Personal Data.

If Lirena receives a request from an individual relating to Customer Personal Data for which the Customer is controller, Lirena may refer the request to the Customer unless legally required to respond directly. The Customer is responsible for deciding how to respond.

Personal data breaches

Lirena will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to Lirena to help the Customer meet its own breach assessment and notification obligations.

Lirena may provide information in phases as it investigates. A notification is not an admission of fault or liability. The Customer is responsible for deciding whether notice to regulators, patients, service users, or other individuals is required, except where Data Protection Laws impose a direct obligation on Lirena.

Deletion, return, and retention

On termination or expiry of the service, or on documented Customer instruction, Lirena will delete or return Customer Personal Data in accordance with the agreement, this DPA, service functionality, and applicable law. Lirena may retain copies where required by law, legal claims, audit obligations, security records, backup cycles, or professional and clinical retention constraints applicable to the Customer's instructions.

Clinical records and assessment data may require human review before deletion because they can be subject to legal, safety, professional, and local clinic retention duties. Lirena's role is to assist the Customer; the Customer remains responsible for clinical record retention decisions.

Audits and information

Lirena will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR obligations, subject to confidentiality, security, availability, and protection of other customers' information.

Audits must be reasonable, proportionate, limited to Customer Personal Data and relevant controls, and conducted with prior written notice during normal business hours. Lirena may satisfy audit requests through security documentation, written responses, independent reports where available, or a mutually agreed audit process. The Customer must not use an audit to access Lirena secrets, source code, other customers' data, production credentials, or information that would weaken security.

Restricted uses

Lirena will not sell Customer Personal Data. Lirena will not use patient-level Customer Personal Data for advertising targeting, data broker enrichment, insurance pricing or eligibility, employment screening, automated clinical decision systems, autonomous diagnosis, automated clinical interpretation, treatment recommendation, or clinical risk stratification.

Any research, analytics, anonymisation, or data-product use of Customer Personal Data requires a lawful basis, Customer instruction or permission where required, minimisation, privacy review, and human approval before release. Pseudonymised data remains personal data and must not be treated as anonymous.

Order of precedence and liability

If this DPA conflicts with the Terms, this DPA controls for processing of Customer Personal Data. If this DPA conflicts with standard contractual clauses or other mandatory transfer terms, those mandatory transfer terms control for the relevant transfer.

Liability arising under this DPA is subject to the liability limits, exclusions, and remedies in the applicable agreement unless Data Protection Laws require otherwise.

Contact

Data processing questions can be sent through the contact routes published on the Lirena website, including demo@lirena.ie.