Levo, Inc. Data Processing Agreement

Last updated January 01, 2023

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Use (or other applicable agreement) between Levo, Inc. (“Processor”) and the customer identified in such agreement (“Controller”).

Levo, Inc. operates under a privacy-by-design framework aligned with the EU GDPR, UK GDPR, and Swiss FADP. This DPA explains how Levo processes personal data on behalf of customers in connection with its API and AI security services.

2. GDPR Compliance

Levo, Inc. maintains an ISO/IEC 27001:2022-aligned Information Security Management System and continuously applies GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimization, integrity, and accountability.


Internal governance includes:

  • Appointed Data Protection Officer (DPO)
  • Annual DPIAs for core systems
  • Vendor risk management & sub-processor review
  • Regular independent compliance audits

3. Roles and Scope

  • Controller - determines purposes and means of processing.
  • Processor (Levo, Inc.) - processes personal data only under the Controller’s documented instructions.

Processing is limited to what is necessary for the provision, maintenance, and improvement of Levo’s Services.

4. Technical & Organizational Measures

Levo ensures data security and confidentiality through:

  • Encryption (AES-256 at rest / TLS 1.2+ in transit)
  • Role-based access controls & MFA
  • Continuous vulnerability scanning and penetration testing
  • 24 × 7 monitoring and incident response plan
  • Annual employee privacy training and background checks
  • Multi-region backups and disaster recovery

5. Sub-processors

Levo engages trusted partners who meet GDPR-equivalent security standards.


Levo notifies customers 30 days in advance of any Sub-processor change and remains fully responsible for their compliance.

6. International Transfers

For data exported from the EEA, UK, or Switzerland, Levo relies on:

  • EU Standard Contractual Clauses (EU 2021/914) – Module 2 (Controller → Processor)
  • UK Addendum and Swiss Addendum, as applicable

Supplementary safeguards (encryption, regional isolation, and strict access controls) ensure GDPR-level protection for all transfers.

7. Data Retention & Deletion

Levo retains personal data only for the Agreement’s duration and deletes or returns all data within 30 days of termination, unless retention is legally required.

8. Personal Data Breach Notification

Levo will notify the Controller within 72 hours of becoming aware of a breach likely to impact personal data, including known details, effects, and remediation measures.

9. Audit & Verification

Customers may verify Levo’s compliance by reviewing independent third-party certifications (ISO 27001, SOC 2 Type II) or, where legally required, by conducting an audit with 30 days’ notice.

10. Contact Information

Levo, Inc. 548 Market Street, San Francisco, CA 94104, USA
📧 info@levo.ai

11. Governing Law

  • For U.S. customers: State of California, USA.
  • For EU/EEA customers: Ireland.

12. Standard Contractual Clauses

The EU SCCs (Module 2) and relevant annexes are incorporated by reference into this DPA and govern all international transfers.