The Customer controls its workspace purposes and instructions. The identified LabRat operator processes Customer Personal Data only to provide and secure the service, under confidentiality, security, subprocessor, assistance, deletion, audit, and transfer obligations.
Scope, effective date, and precedence
This Data Processing Addendum (“DPA”) forms part of a written order form, enterprise agreement, or other LabRat service agreement (“Main Agreement”) only when that agreement identifies the legal LabRat operator and Customer and expressly incorporates this DPA. It does not create a paid service relationship by itself.
This DPA applies to personal data submitted to or generated in a Customer workspace and processed by LabRat on Customer’s behalf (“Customer Personal Data”). It does not govern information for which the LabRat operator independently determines purposes and means, such as its own account administration, fraud prevention, legal compliance, and direct billing records; that processing is described in the Privacy Policy.
If this DPA conflicts with the Main Agreement on protection of Customer Personal Data, this DPA controls. Mandatory data-protection law and incorporated Standard Contractual Clauses control over both.
Roles and documented instructions
Customer is a controller or processor, as applicable. The identified LabRat operator is Customer’s processor or subprocessor for Customer Personal Data. If Customer is a processor, Customer confirms that the relevant controller authorizes Customer’s instructions, LabRat’s appointment, and the subprocessors used for the service.
Customer instructs LabRat to process Customer Personal Data only to provide, secure, support, maintain, and switch the configured service; fulfill documented support or rights requests; and comply with applicable law. The Main Agreement, Customer’s authorized product configuration and use, and documented support requests are the complete instructions unless the parties agree otherwise in writing.
LabRat will not sell Customer Personal Data, use it for cross-context behavioral advertising, or use workspace content to train a general model for an unrelated purpose. LabRat will promptly inform Customer if an instruction appears to violate applicable data-protection law, unless law prohibits that notice, and may suspend the affected instruction while the parties resolve it.
Customer responsibilities
- Provide lawful, fair, and transparent instructions and establish the legal basis for Customer Personal Data.
- Give required notices and obtain required permissions for users, invited members, research subjects, source material, and connected providers.
- Use roles, workspace membership, provider settings, Local Runtime roots, and exports in a manner appropriate to the risk.
- Do not submit special-category, criminal-offence, children’s, or similarly sensitive data unless the Main Agreement expressly authorizes it after an appropriate assessment and safeguards.
- Respond to LabRat requests needed to verify authority, narrow a request, manage an incident, or complete deletion and switching.
Confidentiality and security
LabRat ensures that people authorized to process Customer Personal Data are bound by confidentiality and receive access only as needed for their duties. LabRat maintains measures appropriate to the service risk and reviews them as the service changes.
| Control area | Current measures |
|---|---|
| Access and isolation | Supabase Auth, verified sessions, workspace roles, tenant-scoped Worker authorization, row-level protections, and restricted administrative access. |
| Transport and secrets | TLS in transit; provider secrets encrypted at rest; secrets masked in product responses and deliberately omitted from data exports. |
| Availability and recovery | Provider availability controls, protected backups subject to provider lifecycle, scheduled processing, and documented service/deletion recovery checks. |
| Monitoring and testing | Minimized operational logging, error handling, dependency/build checks, tenant-isolation tests, privacy lifecycle tests, and incident escalation. |
| Data minimization | Selected-context AI/search routing, optional analytics default off, sanitized analytics fields, role-limited exports, and retention schedules. |
Subprocessors
Customer gives general written authorization for the subprocessors listed on the Subprocessor List and for optional providers Customer deliberately enables. LabRat remains responsible for each subprocessor’s performance of processor obligations to the extent required by applicable law.
LabRat will post the intended addition or replacement of a material core subprocessor before it begins processing Customer Personal Data and, where a reliable customer contact is available and the change is material, use a service or email notice at least 15 days in advance when practicable. Customer may object during that period on reasonable data-protection grounds. The parties will seek a commercially reasonable alternative; if none is available, Customer may stop the affected feature or terminate the affected service without penalty.
Rights, security incident, DPIA, and regulator assistance
Taking account of the nature of processing and information available, LabRat will reasonably assist Customer with data-subject requests, security duties, breach notifications, data-protection impact assessments, and prior consultations. If LabRat receives a request concerning Customer Personal Data, it will direct the requester to Customer and notify Customer where permitted, unless Customer authorizes a direct response.
After confirming a personal data breach affecting Customer Personal Data, LabRat will notify Customer without undue delay and provide available information about the nature, likely consequences, affected data and subjects, containment, and remediation. Customer remains responsible for notices required from it as controller.
Return, export, and deletion
During the service term, authorized users can use available product exports. On termination or a verified switching request, LabRat will make eligible Customer data available through the supported export route and, at Customer’s choice where technically supported, delete or return Customer Personal Data after the retrieval period, unless applicable law requires limited retention.
Protected backup copies are isolated from ordinary use and expire through the provider backup lifecycle. Records required for security, fraud, billing, legal claims, or legal compliance remain restricted to those purposes for the required period.
Information and audits
LabRat will make information reasonably necessary to demonstrate compliance with this DPA available to Customer. Customer may request an audit no more than once in a twelve-month period on reasonable advance notice, using current independent reports, questionnaires, and remote evidence first. Any further inspection must be necessary because of a confirmed incident, regulator request, or material compliance concern, preserve other customers’ confidentiality and system security, and avoid unreasonable disruption.
Customer bears its audit costs unless the audit identifies a material LabRat breach of this DPA. Nothing in this section restricts a competent supervisory authority.
International transfers
Where Customer Personal Data is transferred from the EEA to a country without an applicable adequacy decision and no other lawful transfer mechanism applies, the 2021 EU Standard Contractual Clauses are incorporated by reference: Module Two for controller-to-processor transfers and Module Three for processor-to-processor transfers. The parties will complete the required annex information using the Main Agreement, this DPA, the processing details below, and the current Subprocessor List.
LabRat will use supplementary contractual, organizational, or technical measures appropriate to the hosted route and will provide reasonably available transfer information for Customer’s assessment. Customer-selected Local BYOK, custom endpoints, and destination services remain subject to Customer’s own transfer assessment.
Annex 1 — processing details
| Item | Description |
|---|---|
| Subject matter and duration | Providing the configured LabRat research workspace for the Main Agreement term, plus the export, deletion, backup, and legally required retention periods. |
| Nature and purpose | Collecting, organizing, storing, retrieving, transmitting, generating, securing, supporting, exporting, and deleting Customer workspace data to provide the requested service. |
| Data subjects | Customer users, invited workspace members, prospects, customers, competitors, source authors, research participants, and other people Customer includes in submitted or public-source material. |
| Personal data | Names, business contact details, account and membership IDs, source URLs and public profile context, workspace notes and research content, prompts and outputs, usage/security metadata, support context, and billing references. |
| Sensitive data | Not intended. Processing requires prior written authorization, a lawful basis, and documented safeguards when the service and Main Agreement expressly support it. |
| Frequency | Continuous for stored workspace data and event-driven for authentication, user actions, AI/search routing, exports, support, and deletion. |
| Customer instructions | Main Agreement, authorized use and configuration, documented support requests, and lawful written instructions accepted by LabRat. |
Contact and unresolved operator details
The legal names, addresses, signatures, governing law, and competent courts must be supplied by the Main Agreement. Until the LabRat operator profile is completed and verified, this page is a ready contractual template but cannot substitute for an identified contracting party.