Data Processing Agreement

Applied to LabRat Laboratories

This Data Processing Agreement (the "DPA") is an addendum to the Terms & Conditions (the "Agreement") between LabRat Laboratories ("Processor" or "we," "us," or "our") and the Client ("Controller" or "you"). This DPA applies to the processing of Personal Data (as defined below) by the Processor on behalf of the Controller in connection with the Services provided under the Agreement.


1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").  

"Controller" means the Client who determines the purposes and means of the processing of Personal Data.

"Processor" means LabRat Laboratories who processes Personal Data on behalf of the Controller.

"EEA" means the European Economic Area.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"CCPA" means the California Consumer Privacy Act of 2018, as amended by the CPRA (California Privacy Rights Act).

"PIPEDA" means the Personal Information Protection and Electronic Documents Act (Canada).

"PDPA" means the Personal Data Protection Act 2012 (Singapore).

"APPI" means the Act on the Protection of Personal Information (Japan).


2. Roles and Responsibilities

The Client acts as the Data Controller and is responsible for determining the purposes and means of the processing of Personal Data. LabRat Laboratories acts as the Data Processor and will process Personal Data only on the documented instructions of the Controller, as outlined in the Agreement and this DPA, and in compliance with applicable data protection laws.


3. Processing of Personal Data

Subject Matter of the Processing: The processing of Personal Data by the Processor on behalf of the Controller will be for the purpose of providing the Services as described in the Agreement, primarily for billing and accounting purposes related to invoices.

Categories of Personal Data: The categories of Personal Data processed may include basic contact information (such as name, email address, and billing address) provided by the Client for invoicing purposes.

Duration of the Processing: The processing will continue for the duration of the Agreement and as necessary for post-termination obligations (such as retaining records for legal and accounting purposes).


4. Processor Obligations

The Processor shall:

  • Process Personal Data only on the documented instructions of the Controller, unless required to do so by Union, Member State, or other applicable law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  • Assist the Controller in ensuring compliance with the Controller's obligations pursuant to Articles 32 to 36 of the GDPR and similar obligations under other applicable data protection laws.
  • Assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (Articles 12-23) and similar rights under other applicable data protection laws, such as access and correction rights under the PDPA and APPI.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with applicable laws.
  • Inform the Controller if, in its opinion, an instruction infringes the GDPR, other Union or Member State data protection provisions, or other applicable data protection laws.
  • Ensure that any sub-processor it engages also meets the requirements of Article 28 of the GDPR and similar requirements under other applicable data protection laws. The Processor will inform the Controller of any intended changes concerning the addition or replacement of other processors.


5. Controller Obligations

The Controller warrants that it has all necessary rights and consents to provide the Personal Data to the Processor for processing in accordance with this DPA and all applicable data protection laws.


6. Data Subject Rights

The Processor will assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including but not limited to the rights provided under GDPR, CCPA/CPRA, PDPA (such as access and correction), and APPI (such as disclosure, correction, and suspension of use).   


7. Data Security

The Processor will implement and maintain reasonable and industry-standard technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with the requirements of applicable data protection laws.   


8. Data Breach Notification

The Processor will notify the Controller without undue delay after becoming aware of a Personal Data breach, in compliance with the notification requirements of applicable data protection laws.


9. Cross-border Data Transfers

Any transfer of Personal Data outside the EEA will be conducted in accordance with the safeguards provided for in Chapter V of the GDPR. The Processor will also consider the requirements for cross-border data transfers under other applicable laws, such as the APPI's restrictions on transfers to third countries.


10. CCPA/CPRA Considerations

For Clients who are California residents, LabRat Laboratories acknowledges the rights provided under the CCPA/CPRA, including the right to know, the right to delete, and the right to opt-out of the sale of personal information (though LabRat Laboratories does not sell personal information).


11. PDPA Considerations

For Clients whose personal data is subject to the PDPA, LabRat Laboratories will adhere to the principles outlined in the Act, including consent, purpose limitation, notification, protection, and accountability.


12. APPI Considerations

For Clients whose personal information is subject to the APPI, LabRat Laboratories will respect the obligations regarding the purpose of use, proper acquisition, data security measures, restrictions on providing personal information to third parties, and responding to requests for disclosure, correction, and suspension of use.


13. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, the Processor will, at the choice of the Controller, either delete or return all Personal Data to the Controller, unless required to retain such data by Union, Member State, or other applicable law.


14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Governing Jurisdiction of the USA, unless otherwise required by applicable data protection laws.

Please note: This is a simplified summary for your convenience.

The full legal Terms & Conditions above are the official and binding agreement.

Data Processing Agreement (DPA) - Translated:

This agreement specifically deals with any personal information you (the client) might share with LabRat Laboratories:


What LabRat Laboratories (as the Data Processor) will do with your personal information:

  1. We will only use your personal information (like your name and billing details) to provide the services you've asked for, mainly for things like sending invoices and keeping our accounts in order. We'll only do this based on your instructions as the "Controller" of your data.
  2. We will keep your personal information confidential and make sure it's safe from unauthorized access, loss, or damage using standard security measures.
  3. If you have rights under data protection laws like GDPR (if you're in Europe), CCPA/CPRA (if you're in California), PIPEDA (if you're in Canada), PDPA (if you're in Singapore), or APPI (if you're in Japan), we will help you exercise those rights (like letting you see your data, correct it, or delete it, as applicable).
  4. If there's a data breach where your personal information might be at risk, we will let you know as soon as we find out.
  5. If we use other companies to help us process your data, we'll make sure they also follow GDPR standards.
  6. We will provide you with any information you need to make sure we're following these data protection rules, and we'll even allow for audits if necessary.
  7. When our agreement ends, we will either delete or return all your personal information, unless the law requires us to keep it.
  8. We acknowledge that you have specific rights regarding your personal information under different laws.


What LabRat Laboratories (as the Data Processor) will not do with your personal information:

  1. We won't use your personal information for our own purposes unless you give us specific permission or if the law requires it.
  2. We will not sell your personal information under any circumstances.
  3. If you're protected by GDPR, we won't send your personal information outside of Europe without having proper safeguards in place to protect it.
  4. We are responsible for processing your data securely, but you (as the "Controller") are responsible for making sure you have the legal right to share your personal information with us in the first place (for example, getting consent where needed).


I hope this simplified explanation helps you understand these documents.

Questions?