
Data Processing Agreement (DPA)

Last Updated: January 29, 2026

This Data Processing Agreement ("DPA") forms part of the Agreement between Bio-Consultant.com ("Processor", "we", "us") and Client ("Controller", "you") for the provision of consulting services. This DPA reflects the parties' commitment to comply with applicable data protection laws including the General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other relevant data protection legislation.

1. Definitions

In this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person;
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion;
  • "Data Subject" means the individual to whom Personal Data relates;
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data;
  • "Data Protection Laws" means all applicable laws relating to data protection including GDPR, UK GDPR, CCPA, and any national implementing legislation;
  • "Standard Contractual Clauses (SCCs)" means the standard contractual clauses for international data transfers adopted by the European Commission.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor will process Personal Data on behalf of the Controller for the purpose of providing consulting services in AI/ML software development and regulatory affairs as described in the main service agreement.

2.2 Nature of Processing

The nature of processing activities may include:

  • Collection and storage of client contact information
  • Processing of project-related data
  • Analysis of biotech/healthcare data as required for consultancy projects
  • Communication and collaboration activities
  • Compliance documentation and record-keeping

2.3 Categories of Data Subjects

The categories of Data Subjects may include:

  • Client employees and representatives
  • End users of client products and services
  • Research participants (where applicable)
  • Healthcare professionals (where applicable)

2.4 Types of Personal Data

The types of Personal Data processed may include:

  • Name, contact details, job title
  • Professional credentials and qualifications
  • Project-related communications
  • Technical data and usage information
  • Special category data (health data) where specifically agreed

3. Processor Obligations

3.1 Lawful Processing

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller;
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
  • Take appropriate technical and organizational measures to ensure security of processing;
  • Assist the Controller in responding to Data Subject requests;
  • Delete or return all Personal Data upon termination of services, unless required by law to retain it;
  • Make available all information necessary to demonstrate compliance with this DPA.

3.2 Security Measures

The Processor implements the following security measures:

  • Encryption: TLS (256-bit cipher suites) for data in transit; AES-256 encryption for data at rest
  • Access Control: Role-based access control (RBAC); Multi-factor authentication (MFA)
  • Network Security: Firewalls, intrusion detection systems, and regular penetration testing
  • Physical Security: Hosting in Sub-processor data center facilities (see Section 4.2) holding ISO 27001 certification
  • Business Continuity: Regular backups, disaster recovery procedures, and redundant systems
  • Employee Training: Regular data protection and security awareness training

4. Sub-processors

4.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors, subject to the requirements of this Section 4.

4.2 List of Sub-processors

Current Sub-processors include:

Sub-processor               Purpose                                   Location
Amazon Web Services (AWS)   Cloud infrastructure and hosting          USA/EU (client choice)
Google Cloud Platform       Cloud computing services                  USA/EU (client choice)
Microsoft Azure             Cloud services and collaboration tools    USA/EU (client choice)
Cloudflare                  CDN and security services                 Global

4.3 Sub-processor Requirements

The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

5. International Data Transfers

5.1 Transfer Mechanisms

For transfers of Personal Data outside the EEA/UK, the Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Transfer Impact Assessments (TIAs) as required
  • Supplementary measures where necessary

5.2 Data Localization

Upon request, the Processor can ensure that Personal Data is processed exclusively within the EEA/UK or other specified jurisdictions, subject to additional terms.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling Data Subject requests including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure / "right to be forgotten" (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)
  • Rights related to automated decision-making (Article 22 GDPR)

7. Data Breach Notification

7.1 Notification Timeline

The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a Personal Data breach.

7.2 Notification Content

The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Name and contact details of the Data Protection Officer or other contact point from whom more information can be obtained
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit requests should be submitted with at least 30 days' notice, and audits shall be conducted during normal business hours with minimal disruption to operations.

9. Regulatory Compliance

9.1 GDPR Compliance

This DPA is designed to meet the requirements of Article 28 of the GDPR.

9.2 HIPAA Business Associate Agreement

For clients subject to HIPAA, a separate Business Associate Agreement (BAA) is available upon request to address Protected Health Information (PHI).

9.3 FDA 21 CFR Part 11

For projects involving electronic records and signatures subject to FDA regulations, appropriate controls are implemented to ensure compliance with 21 CFR Part 11.

10. Duration and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days, unless legal retention requirements apply.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the main service agreement.

12. Governing Law

This DPA shall be governed by the laws specified in the main service agreement, without regard to conflict of law principles. For EU/EEA Data Subjects, the provisions of the GDPR shall prevail in case of conflict.

13. Contact Information

Data Protection Officer

Email: Loading...

For DPA inquiries, amendments, or to request execution of this agreement, please contact our DPO.

Request a Signed DPA

To receive a countersigned copy of this Data Processing Agreement for your records, please contact us with your company details and authorized signatory information.