AssayCore

Data Processing Agreement (DPA)

Last updated: 2026-05-14

Article 28 GDPR contract terms that apply when AssayCore processes personal data on your behalf as part of the LIMS Services.

1. Scope and roles

This Data Processing Agreement (DPA) supplements the Master Services Agreement and Terms & Conditions between you ("Controller") and AssayCore ("Processor") for processing of personal data carried out by AssayCore on your behalf in the course of delivering the LIMS Services. Where AssayCore is processing personal data for its own purposes (e.g. account billing, marketing, support analytics), AssayCore acts as an independent controller of that data, as described in our Privacy Policy.

2. Subject-matter and duration

Processor will process personal data only on documented instructions from Controller for the duration of the Services and until deletion or return per Section 9. Personal data is processed solely for the purpose of providing, securing and supporting the LIMS Services.

3. Categories of data and data subjects

Data subjects: patients, animal owners, lab staff, end-customers of Controller's lab, courier personnel, contractors and suppliers of Controller. Categories of personal data: identifiers (name, DOB, MRN, ID number), contact data (email, phone, address), professional identifiers (license number, role), and — only when applicable to Controller's use case — clinical/diagnostic data, animal-owner data, sample chain-of-custody timestamps, and audit-trail event records. Special categories: health data (Med, Vet, Micro) is processed only where Controller has a lawful basis under Article 9 GDPR / 45 CFR 164 / equivalent.

4. Sub-processors

Controller authorises Processor to engage the sub-processors listed in this Section. Material changes to the list are notified at least 30 days in advance via email or in-product banner; Controller may object on reasonable grounds. Current sub-processors: Paddle.com Market Ltd (payments, Merchant of Record, UK), Verifone (2Checkout) Inc. (alternative card processor, US), Resend Inc. (transactional email, US), Plausible Insights OÜ (privacy-friendly analytics, EE), and AWS / Hetzner / the IaaS provider chosen in the SOW (deployment region per Controller's instruction).

5. Security measures

Processor implements appropriate technical and organisational measures including encryption in transit (TLS 1.2+ with HSTS) and at rest (PostgreSQL TDE, pgcrypto for sensitive fields), single sign-on via Keycloak (OIDC/SAML), role-based access control on a least-privilege basis, an immutable (append-only) audit log, row-level security per tenant, encrypted and integrity-signed backups, secret scanning in CI (gitleaks), dependency vulnerability scanning, SBOM generation (CycloneDX), an incident response runbook supporting the personal-data-breach notification commitment in Section 11, and annual penetration testing of the production cloud envelope.

6. Personnel and confidentiality

Personnel authorised to process personal data are bound by written confidentiality undertakings (or are subject to an appropriate statutory obligation of confidentiality) and receive training on data protection and security at least annually.

7. International transfers

Personal data is hosted in the deployment region chosen by Controller. For unavoidable transfers outside the EEA/UK, the Parties rely on EU Standard Contractual Clauses 2021/914 (Modules 2 and 3) and the UK International Data Transfer Addendum where applicable, together with a Transfer Impact Assessment documented per case.

8. Data subject rights and assistance

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, to respond to data subject rights requests (access, rectification, erasure, restriction, portability, objection) and to fulfil Controller's obligations under Articles 32–36 GDPR. Standard turnaround for assistance is 5 business days; SLA tier subscribers may have shorter response times as set out in the order form.

9. Deletion or return

On termination of the Services or upon Controller's earlier written request, Processor will, at Controller's choice, delete or return all personal data to Controller and delete existing copies, unless EU, UK or Member-State law requires storage of the personal data. The default deletion window is 30 days from the termination date; archival logs containing pseudonymised event metadata may be retained for up to 12 months for security and dispute resolution.

10. Audit

Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and allow for, and contribute to, audits, including inspections, conducted by Controller or another auditor mandated by Controller. By default this consists of (a) the most recent third-party security report and (b) responses to a customer security questionnaire (CAIQ Lite or equivalent) within 10 business days. Onsite audits are limited to once per 12 months with 30 days' notice except where required by a Supervisory Authority.

11. Personal-data-breach notification

Processor will notify Controller without undue delay and in any event within 48 hours after becoming aware of a personal data breach affecting Controller's data, providing the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate its possible adverse effects.

12. Liability

Liability under this DPA is governed by the limitation-of-liability terms of the Master Services Agreement and Terms & Conditions. Nothing in this DPA limits any liability that cannot be limited under applicable law (including liability for gross negligence, wilful misconduct, fraud, death or personal injury caused by negligence, and infringement of data-subject rights under Article 82 GDPR).

13. Governing law

This DPA is governed by the law specified in the Master Services Agreement. Where Controller is established in the EEA or UK and the agreement is silent, this DPA is governed by the laws of Ireland for EEA Controllers and the laws of England and Wales for UK Controllers, without prejudice to the rights of data subjects under their local law.

To execute this DPA as a signed counterpart, email info@assaycore.pro with your legal entity, registered address, and Controller signatory. Standard turnaround is 3 business days.