Data Processing Agreement (DPA)
Effective Date: November 16, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Controller") and ProteinIQ ("Processor," "we," "us," or "our"). This DPA applies when ProteinIQ processes Personal Data on behalf of Customer.
1. Definitions
For purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including the GDPR, CCPA, and other applicable laws.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Processing" has the meaning given in applicable Data Protection Laws.
- "Subprocessor" means any third party appointed by ProteinIQ to process Personal Data.
2. Scope and Applicability
2.1 Application
This DPA applies only to the extent that ProteinIQ processes Personal Data on behalf of Customer in connection with Customer's use of the Service.
2.2 Data Controller and Processor
- Customer acts as the Data Controller for any Personal Data of its users, employees, or research subjects that Customer uploads or processes using the Service.
- ProteinIQ acts as the Data Processor when processing such Personal Data on Customer's behalf.
2.3 Scientific Data
To the extent Customer uploads de-identified scientific data (protein sequences, structural data, etc.) that does not relate to identifiable individuals, such data is not Personal Data and is not governed by this DPA.
3. Customer Instructions and Compliance
3.1 Processing Instructions
ProteinIQ will process Personal Data only:
- As necessary to provide the Service as described in the Terms of Service
- On documented instructions from Customer (including via the Service interface)
- As required by applicable law
3.2 Customer Responsibilities
Customer represents and warrants that:
- It has all necessary rights and consents to provide Personal Data to ProteinIQ
- It complies with all applicable Data Protection Laws
- Its instructions to ProteinIQ comply with applicable Data Protection Laws
- It has obtained all required consents from data subjects
4. Data Processing Details
4.1 Types of Personal Data
ProteinIQ may process the following categories of Personal Data on Customer's behalf:
Account Data:
- Email addresses
- Names
- User identifiers
- Account preferences
Usage Data:
- IP addresses
- User agent information
- Activity logs
- Credit usage records
Contact Data (if provided):
- Organization name
- Job title
- Phone number
- Country
Scientific Metadata (if it contains personal identifiers):
- File names
- Project descriptions
- Tags and annotations
4.2 Data Subjects
Personal Data may relate to:
- Customer's employees, contractors, or team members
- Customer's research subjects (if identifiable information is included)
- Customer's clients or end-users
4.3 Purpose of Processing
ProteinIQ processes Personal Data for the following purposes:
- Providing the computational bioinformatics services
- Authentication and access control
- Customer support and communications
- Billing and payment processing
- Service improvement and analytics
- Security and fraud prevention
- Compliance with legal obligations
5. Data Storage and Security
5.1 Data Location
Personal Data is stored and processed in:
Primary Storage:
- Database: PostgreSQL via Prisma ORM, hosted in US East (Washington, D.C. region)
- Object Storage: Cloudflare R2 (S3-compatible), US East region
- Application Hosting: Vercel, US East region
Backups: Stored in the same geographic region as primary data.
5.2 Data Residency
Unless otherwise agreed in writing, all Personal Data is stored and processed in the United States. Customer acknowledges and consents to this data location.
For EU customers: By using the Service, you acknowledge that Personal Data will be transferred to and processed in the United States, which may not provide the same level of data protection as the EU. We implement appropriate safeguards as described in Section 6.
5.3 Security Measures
ProteinIQ implements appropriate technical and organizational measures to protect Personal Data, including:
Technical Measures:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for database and file storage
- Secure authentication via Clerk (industry-standard OAuth/OIDC)
- Access controls and role-based permissions
- Regular security monitoring and logging
- Automated backup systems
Organizational Measures:
- Limited access to Personal Data (need-to-know basis)
- Confidentiality obligations for personnel
- Security incident response procedures
- Regular security reviews and updates
- Vendor security assessments
5.4 Security Incidents
In the event of a Personal Data breach, ProteinIQ will:
- Notify Customer without undue delay (within 72 hours of becoming aware)
- Provide details of the breach, affected data, and potential impact
- Describe measures taken to address the breach
- Cooperate with Customer's investigation and regulatory reporting
6. Subprocessors
6.1 Authorized Subprocessors
Customer authorizes ProteinIQ to engage the following Subprocessors:
| Subprocessor | Service Provided | Data Location |
|---|---|---|
| Clerk, Inc. | Authentication and user management | United States |
| Stripe, Inc. | Payment processing | United States |
| Resend, Inc. | Email delivery | United States |
| Cloudflare, Inc. | Object storage (R2), CDN | United States |
| Vercel, Inc. | Application hosting, analytics | United States |
| Modal Labs, Inc. | Computational job processing | United States |
| Sanity, Inc. | Content management system | United States |
| Database hosting provider | PostgreSQL database hosting | United States |
6.2 Subprocessor Obligations
ProteinIQ ensures that Subprocessors:
- Are bound by data protection obligations equivalent to this DPA
- Implement appropriate technical and organizational security measures
- Only process Personal Data as instructed by ProteinIQ
- Are subject to audit and compliance monitoring
6.3 Changes to Subprocessors
ProteinIQ will provide Customer with at least 30 days' notice before:
- Adding new Subprocessors
- Replacing existing Subprocessors
Customer may object to a new Subprocessor on reasonable data protection grounds. If we cannot accommodate Customer's objection, Customer may terminate the affected Service.
Current Subprocessor list: Available in Section 6.1 above.
7. Data Subject Rights
7.1 Customer Responsibility
Customer is responsible for responding to data subject requests. ProteinIQ will assist Customer in fulfilling obligations to respond to requests to exercise data subject rights, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
7.2 ProteinIQ Assistance
Upon Customer's written request, ProteinIQ will provide reasonable assistance to enable Customer to respond to data subject requests, including:
- Providing access to Personal Data
- Enabling data export
- Enabling data deletion or anonymization
- Restricting processing as requested
7.3 Fees
ProteinIQ may charge reasonable fees for assistance beyond simple data export or deletion, based on the time and resources required.
8. Data Retention and Deletion
8.1 Retention During Service
ProteinIQ retains Personal Data for as long as necessary to provide the Service and as required by applicable law.
8.2 Retention Periods
Account Data: Retained while the account is active
Usage Logs: Anonymized after 90 days (see Section 8.4)
Uploaded Data: Retained until Customer deletes it or terminates the account
Backups: 30-day retention for disaster recovery, then purged
8.3 Data Deletion Upon Termination
Within 30 days of account termination or upon Customer's written request, ProteinIQ will:
Delete:
- Email addresses and names
- Authentication credentials and Clerk IDs
- Contact information
- Uploaded scientific data and results
- Files stored in object storage
Purge:
- Backups containing Customer's Personal Data (after 30-day retention period)
Exception: Data may be retained longer if required by law, regulatory obligations, or to resolve disputes.
8.4 Anonymization Alternative
As an alternative to deletion, ProteinIQ may anonymize certain usage data:
Anonymized Data:
- Usage logs (user identifiers replaced with random hashes)
- Job metadata (dissociated from identifiable users)
- Aggregate statistics and analytics
Criteria for Anonymization:
- Data cannot be re-identified using reasonable means
- No direct or indirect identifiers remain
- Complies with GDPR standards for anonymization
Anonymized data is no longer considered Personal Data and may be retained indefinitely for platform improvement, research, and analytics.
9. International Data Transfers
9.1 Transfer Mechanisms
For transfers of Personal Data from the EU to the United States, ProteinIQ relies on:
- Standard Contractual Clauses (SCCs): European Commission-approved standard contractual clauses (Module 2: Controller-to-Processor)
- Adequacy Decisions: Where applicable, reliance on adequacy decisions recognized by the European Commission
- Supplementary Measures: Additional safeguards including encryption, access controls, and security audits
9.2 Data Transfer Impact Assessment
ProteinIQ has conducted a Transfer Impact Assessment (TIA) and determined that:
- US law does not provide an equivalent level of protection to GDPR
- Supplementary measures (encryption, access restrictions) mitigate risks
- Subprocessors in the US are subject to contractual protections
9.3 Customer Consent
By using the Service, Customer consents to the transfer of Personal Data to the United States and other locations where our Subprocessors operate.
10. Audits and Compliance
10.1 Audit Rights
Upon reasonable written notice and no more than once per year, Customer may:
- Request documentation demonstrating ProteinIQ's compliance with this DPA
- Conduct or appoint an independent auditor to conduct an audit of ProteinIQ's data protection practices
10.2 Audit Conditions
Audits must:
- Be conducted during normal business hours
- Not interfere with ProteinIQ's operations
- Be subject to confidentiality obligations
- Be at Customer's expense
10.3 Security Certifications
ProteinIQ may provide evidence of compliance through:
- Third-party security certifications (if available)
- Attestation reports
- Subprocessor audit reports and certifications
11. Data Protection Impact Assessments
Upon Customer's written request, ProteinIQ will provide reasonable cooperation and assistance with Data Protection Impact Assessments (DPIAs) required under Article 35 of the GDPR.
12. Liability and Indemnification
12.1 Liability Limitations
Each party's liability under this DPA is subject to the liability limitations in the Terms of Service.
12.2 Customer Indemnification
Customer will indemnify ProteinIQ against claims arising from:
- Customer's violation of Data Protection Laws
- Customer's instructions that violate applicable law
- Customer's failure to obtain required consents
13. Term and Termination
13.1 Term
This DPA takes effect on the date Customer accepts the Terms of Service and continues until termination of the Service.
13.2 Effect of Termination
Upon termination, ProteinIQ's data deletion obligations under Section 8.3 apply.
14. General Provisions
14.1 Precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
14.2 Amendments
ProteinIQ may update this DPA to reflect changes in Data Protection Laws or our data practices. Material changes require 30 days' notice.
14.3 Severability
If any provision of this DPA is invalid or unenforceable, the remaining provisions remain in full effect.
14.4 Governing Law
This DPA is governed by the laws specified in the Terms of Service, except where Data Protection Laws require otherwise.
15. Contact Information
For data protection inquiries or to exercise your DPA rights:
Email: privacy@proteiniq.io
Data Protection Officer: Available upon request
Address: Available upon written request to privacy@proteiniq.io
Standard Contractual Clauses
For EU customers, the Standard Contractual Clauses approved by the European Commission (Module 2: Controller-to-Processor) are hereby incorporated by reference and form an integral part of this DPA.
By using the Service, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement.