
Data Processing Agreement (DPA)

Last updated: August 31, 2025

This Data Processing Agreement ("DPA") governs the processing of personal data by FIRAT (Foresight Institute of Research and Translation) through the SnapGenius platform for research and academic purposes. This agreement ensures full compliance with the General Data Protection Regulation (GDPR), applicable data protection laws, and research ethics standards.

1. Definitions and Scope

1.1 Definitions

  • "Data Controller": Research institutions, individual researchers, and organizations using SnapGenius to collect data for research purposes;
  • "Data Processor": FIRAT and SnapGenius platform acting on behalf of the Data Controller;
  • "Personal Data": Any information relating to an identified or identifiable research participant or data subject;
  • "Processing": Any operation performed on personal data including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction;
  • "Research Data": All data collected through SnapGenius forms for research purposes, including both personal and non-personal data;
  • "Subprocessor": Any third-party processor engaged by FIRAT to assist in providing SnapGenius services.

1.2 Scope and Application

This DPA applies to all processing of personal data by FIRAT on behalf of Data Controllers using SnapGenius for research activities. It covers:

  • Data collection through forms, surveys, and questionnaires;
  • Data storage, organization, and retrieval operations;
  • Data analysis and reporting functionalities;
  • Data export, import, and migration activities;
  • All ancillary processing required for platform functionality;
  • Processing by authorized subprocessors and service providers.

2. Data Controller and Processor Responsibilities

2.1 Data Controller Obligations

As the Data Controller, researchers and institutions agree to:

  • Establish and maintain appropriate lawful basis for all data processing activities;
  • Obtain valid, informed consent from research participants where required;
  • Ensure compliance with applicable research ethics requirements and institutional review board approvals;
  • Implement appropriate technical and organizational measures for data protection;
  • Provide clear and comprehensive privacy notices to data subjects;
  • Handle data subject rights requests and coordinate with FIRAT as necessary;
  • Determine data retention periods and deletion schedules based on research requirements;
  • Notify FIRAT immediately of any restrictions on data processing or subject rights requests;
  • Ensure personnel accessing data have appropriate training and confidentiality obligations;
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

2.2 Data Processor Obligations

As the Data Processor, FIRAT commits to:

  • Process personal data only on documented instructions from the Data Controller;
  • Ensure personnel processing personal data are bound by confidentiality obligations;
  • Implement appropriate technical and organizational security measures;
  • Engage subprocessors only with prior written authorization from Data Controllers;
  • Assist Data Controllers in fulfilling data subject rights requests;
  • Assist Data Controllers in ensuring compliance with security, breach notification, and impact assessment obligations;
  • Delete or return personal data upon termination of services as instructed;
  • Make available all information necessary to demonstrate compliance;
  • Allow for and contribute to audits and inspections by Data Controllers;
  • Maintain detailed records of all processing activities and security measures.

3. Data Processing Instructions

3.1 General Processing Instructions

FIRAT shall process personal data exclusively for the following purposes:

  • Providing SnapGenius platform services including form creation, data collection, and storage;
  • Facilitating data analysis, visualization, and reporting as requested by Data Controllers;
  • Ensuring platform security, performance optimization, and technical maintenance;
  • Supporting data export, import, and migration activities;
  • Providing customer support and technical assistance;
  • Complying with legal obligations and regulatory requirements;
  • Protecting the rights and interests of Data Controllers and data subjects.

3.2 Prohibited Processing Activities

FIRAT is expressly prohibited from:

  • Using personal data for any purpose other than providing SnapGenius services;
  • Selling, renting, or otherwise commercializing personal data;
  • Processing data for FIRAT's own research or development purposes without explicit consent;
  • Combining research data with other datasets for profiling or behavioral analysis;
  • Using personal data for marketing, advertising, or promotional activities;
  • Sharing personal data with unauthorized third parties;
  • Training AI models or machine learning algorithms on personal data without consent;
  • Retaining personal data beyond the specified retention periods.

3.3 Data Categories and Processing Activities

Data Category      | Data Types                            | Processing Activities                   | Retention Period
Account Data       | Name, email, organization, role       | Registration, authentication, support   | Account lifetime + 12 months
Research Data      | Survey responses, form submissions    | Collection, storage, analysis, export   | As specified by Data Controller
Usage Data         | Platform interactions, feature usage  | Service improvement, support            | 24 months
Technical Data     | IP addresses, device info, logs       | Security, performance, troubleshooting  | 12 months
Communication Data | Support tickets, email correspondence | Customer support, issue resolution      | 36 months

4. Security Measures and Safeguards

4.1 Technical Security Measures

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit;
  • Access Controls: Multi-factor authentication, role-based access, and principle of least privilege;
  • Network Security: Firewalls, intrusion detection systems, and DDoS protection;
  • Data Isolation: Logical separation of research data with access controls;
  • Backup Security: Encrypted backups with regular testing and geographic distribution;
  • Monitoring: 24/7 security monitoring with automated threat detection;
  • Vulnerability Management: Regular security assessments and patch management;
  • Incident Response: Documented procedures for security incident handling.

4.2 Organizational Security Measures

  • Personnel Security: Background checks, confidentiality agreements, and regular training;
  • Access Management: Formal user provisioning and de-provisioning procedures;
  • Data Center Security: Physical access controls, environmental monitoring, and 24/7 surveillance;
  • Vendor Management: Due diligence and contractual security requirements for subprocessors;
  • Business Continuity: Disaster recovery plans and business continuity procedures;
  • Compliance Monitoring: Regular internal audits and compliance assessments;
  • Documentation: Comprehensive security policies and procedure documentation;
  • Change Management: Controlled change processes for system modifications.

4.3 Research-Specific Protections

  • Pseudonymization and anonymization capabilities for sensitive research data;
  • Consent management tools for tracking participant consent and preferences;
  • Data loss prevention systems to prevent unauthorized data exfiltration;
  • Audit trails for all data access and modification activities;
  • Secure data sharing mechanisms for multi-institutional collaborations;
  • Integration with institutional identity and access management systems;
  • Support for research data governance and ethics compliance requirements.

5. Subprocessor Management

5.1 Authorized Subprocessors

FIRAT may engage the following categories of subprocessors to provide SnapGenius services. All subprocessors are bound by GDPR-compliant data processing agreements:

Subprocessor         | Service Category     | Data Access Level   | Location       | Safeguards
Vercel Inc.          | Cloud Infrastructure | System-level access | EU/US          | SCCs, Privacy Framework
Supabase Inc.        | Database Services    | Data-level access   | EU (Frankfurt) | EU-based processing
Upstash Inc.         | Caching Services     | Metadata access     | EU             | SCCs, EU infrastructure
Resend Inc.          | Email Services       | Communication data  | EU/US          | SCCs, encryption
Polar.sh             | Payment Processing   | Billing data only   | EU/US          | PCI DSS, SCCs
AI Service Providers | Optional AI Features | Processed data only | Configurable   | No training use, SCCs

5.2 Subprocessor Changes and Notifications

  • FIRAT will provide 30 days' advance notice of any new subprocessors or changes to existing arrangements;
  • Notifications will be sent via email to the primary account contact and posted on the platform;
  • Data Controllers may object to new subprocessors within 30 days of notification;
  • If a Data Controller objects, FIRAT will work to provide alternative arrangements or allow contract termination;
  • A current list of subprocessors is maintained at https://snapgenius.dev/legal/subprocessors;
  • All subprocessor changes are documented with effective dates and impact assessments.

5.3 Subprocessor Compliance Requirements

All subprocessors must meet the following minimum requirements:

  • Signed data processing agreement with equivalent protections to this DPA;
  • Implementation of appropriate technical and organizational security measures;
  • Compliance with applicable data protection laws and regulations;
  • Submission to regular security and compliance audits;
  • Provision of certifications and compliance documentation;
  • Commitment to support data subject rights and breach notification obligations;
  • Agreement to deletion or return of data upon contract termination.

6. International Data Transfers

6.1 Transfer Mechanisms and Safeguards

When personal data is transferred outside the European Economic Area (EEA), FIRAT ensures appropriate safeguards are in place:

  • EU Adequacy Decisions: Transfers to countries with adequacy decisions (UK, Japan, Canada, etc.);
  • Standard Contractual Clauses (SCCs): EU Commission approved SCCs for non-adequate countries;
  • Binding Corporate Rules: For multinational research organizations with approved BCRs;
  • Certification Schemes: Transfers under approved certification and codes of conduct;
  • Additional Safeguards: Supplementary measures including encryption and access controls;
  • Transfer Impact Assessments: Case-by-case evaluation of transfer risks and mitigation measures.

6.2 Data Localization Options

FIRAT provides flexible data residency options for enhanced compliance:

  • EU-Only Processing: Option to restrict all processing to EU/EEA data centers;
  • Country-Specific Restrictions: Ability to specify approved countries for data processing;
  • Real-Time Tracking: Transparency about current data location and processing activities;
  • Regional Backup Controls: Geographic restrictions on backup and disaster recovery locations;
  • Compliance Reporting: Regular reports on data location and transfer activities;
  • Emergency Procedures: Protocols for data repatriation in case of legal or regulatory changes.

6.3 Government Access and Legal Disclosure

  • FIRAT will resist overbroad government data requests and seek protective orders where appropriate;
  • Data Controllers will be notified of government data requests unless legally prohibited;
  • Transparency reports will be published annually detailing government access requests;
  • Legal challenges will be mounted against requests that lack proper legal basis;
  • Technical measures (encryption, key management) limit government access capabilities;
  • Data minimization and retention policies reduce exposure to government access risks.

7. Data Subject Rights Assistance

7.1 Rights Fulfillment Support

FIRAT provides comprehensive technical and administrative support for data subject rights:

  • Right of Access: Automated data export tools and comprehensive data inventories;
  • Right to Rectification: Direct editing capabilities with audit trails and verification;
  • Right to Erasure: Secure deletion tools with cryptographic verification of removal;
  • Right to Data Portability: Standard export formats (JSON, CSV, XML) with metadata;
  • Right to Restrict Processing: Processing flags and access control mechanisms;
  • Right to Object: Granular consent and preference management tools;
  • Rights related to Automated Decision-making: Transparency and review mechanisms for AI features.

7.2 Technical Implementation

  • Self-service portal for data subjects to exercise rights directly;
  • Automated identity verification and authentication systems;
  • Real-time status tracking for rights requests and fulfillment progress;
  • Integration with Data Controller workflow management systems;
  • Audit trails for all rights-related activities and decision rationale;
  • Automated compliance checking and deadline management;
  • Secure communication channels for sensitive rights requests.

7.3 Response Timeframes and Procedures

  • Initial acknowledgment of rights requests within 24 hours;
  • Technical assistance provided within 5 business days for standard requests;
  • Complex requests supported within 15 business days with interim updates;
  • Emergency requests (data breaches, safety concerns) handled within 4 hours;
  • Escalation procedures for disputed or challenging rights requests;
  • Documentation and audit trails maintained for all rights fulfillment activities.

8. Data Breach Notification and Response

8.1 Breach Detection and Response

FIRAT maintains a comprehensive security incident response program:

  • 24/7 automated monitoring and anomaly detection systems;
  • Incident response team activation within 1 hour of breach detection;
  • Immediate containment and isolation procedures to prevent further access;
  • Forensic investigation to determine scope, cause, and impact of breach;
  • Risk assessment and impact analysis for affected data and individuals;
  • Coordinated response with law enforcement and regulatory authorities as required.

8.2 Notification Procedures and Timelines

  • Data Controller Notification: Within 24 hours of breach discovery with preliminary assessment;
  • Regulatory Notification: Within 72 hours to relevant supervisory authorities (handled by Data Controller);
  • Data Subject Notification: When high risk to rights and freedoms exists (coordinated with Data Controller);
  • Ongoing Updates: Regular progress reports during investigation and remediation process;
  • Final Report: Comprehensive post-incident report with lessons learned and preventive measures;
  • Public Disclosure: Transparent communication about significant breaches affecting multiple researchers.

8.3 Breach Content and Support

Breach notifications will include the following information where available:

  • Nature and scope of the personal data breach;
  • Categories and approximate number of data subjects affected;
  • Categories and approximate number of personal data records concerned;
  • Likely consequences of the breach for data subjects;
  • Measures taken or proposed to address the breach and mitigate adverse effects;
  • Contact information for additional details and support;
  • Timeline of events and discovery process;
  • Technical details relevant to Data Controller's risk assessment.

9. Data Retention and Deletion

9.1 Data Retention Principles

  • Personal data retained only as long as necessary for specified research purposes;
  • Data Controllers determine retention periods based on research requirements and legal obligations;
  • Automated retention policy enforcement with configurable retention schedules;
  • Regular review and assessment of data retention requirements;
  • Documentation of retention decisions and justifications;
  • Support for varying retention periods for different data categories.

9.2 Secure Deletion Procedures

  • Cryptographically secure deletion with verification and audit trails;
  • Multi-pass overwriting of storage media using DoD 5220.22-M standards;
  • Secure destruction of backup copies within 30 days of deletion request;
  • Certificate of destruction provided for all deleted data;
  • Regular purging of system logs and temporary files containing personal data;
  • Physical destruction of decommissioned storage hardware.

9.3 End of Service Data Handling

Upon termination of this agreement or SnapGenius services:

  • Data Controllers have 90 days to export all personal data;
  • FIRAT will provide technical assistance for data export and migration;
  • All personal data will be securely deleted 90 days after service termination;
  • Backup copies and system logs will be purged within 120 days;
  • Certificate of destruction will be provided to Data Controllers;
  • Emergency data recovery services available for 30 days post-termination (with additional fees).

10. Audit and Compliance

10.1 Audit Rights and Procedures

Data Controllers have the right to audit FIRAT's data processing activities:

  • Annual compliance audits conducted by qualified third-party auditors;
  • Right to conduct additional audits with reasonable notice (minimum 30 days);
  • Access to relevant documentation, policies, and procedures;
  • Right to interview personnel involved in data processing activities;
  • Inspection of technical and organizational security measures;
  • Review of subprocessor compliance and security arrangements;
  • Audit reports shared with Data Controllers within 30 days of completion.

10.2 Compliance Documentation

FIRAT maintains comprehensive compliance documentation including:

  • Records of processing activities under Article 30 GDPR;
  • Technical and organizational security measure documentation;
  • Data Protection Impact Assessments (DPIAs) for high-risk processing;
  • Subprocessor due diligence and compliance assessments;
  • Security incident logs and breach response documentation;
  • Training records and personnel security clearance documentation;
  • Certification and attestation reports from independent auditors.

10.3 Continuous Monitoring and Improvement

  • Regular review and updates of data protection policies and procedures;
  • Monitoring of regulatory developments and compliance requirements;
  • Implementation of lessons learned from audits and security incidents;
  • Stakeholder feedback integration into compliance program improvements;
  • Proactive risk assessments and mitigation strategy development;
  • Regular training and awareness programs for all personnel.

11. Contact Information and Escalation

11.1 Primary Contacts

Data Protection Officer: Chief Privacy Officer
Email: dpo@firat.rw
Security Team: security@firat.rw
Compliance Team: compliance@firat.rw
Legal Counsel: legal@firat.rw

11.2 Escalation Procedures

  • Level 1: Technical support and routine compliance questions;
  • Level 2: Data Protection Officer for privacy and data subject rights matters;
  • Level 3: Legal Counsel for contractual disputes and regulatory issues;
  • Emergency: 24/7 security hotline for data breaches and security incidents;
  • Executive: Chief Executive Officer for strategic and policy matters.

11.3 Response Time Commitments

  • Emergency security incidents: Immediate response (within 1 hour)
  • Data breach notifications: Within 24 hours
  • Data subject rights requests: Within 5 business days
  • Compliance inquiries: Within 10 business days
  • Audit requests: Within 15 business days
  • Contract modifications: Within 30 business days

11A. Processing Liability Limitations and Damage Caps

11A.1 Maximum Liability Caps

CRITICAL NOTICE: To provide cost-effective research services, FIRAT's liability under this DPA is strictly limited as follows:

  • Per Incident Cap: Maximum liability of $10,000 USD per data processing incident;
  • Annual Aggregate Cap: Total liability not exceeding $50,000 USD per calendar year;
  • Subscription-Based Cap: In no event shall liability exceed 12 months of fees paid by the affected Data Controller;
  • Regulatory Penalty Sharing: FIRAT liability for regulatory fines limited to penalties directly attributable to processor failures;
  • Force Majeure Exclusion: No liability for failures due to circumstances beyond reasonable control.

11A.2 Excluded Damages and Consequential Losses

FIRAT shall not be liable for:

  • Loss of research funding, grants, or publication opportunities;
  • Reputational damage to research institutions or individual researchers;
  • Costs of alternative research methods or data re-collection;
  • Participant recruitment delays or research timeline disruptions;
  • Institutional oversight or accreditation issues;
  • Lost profits, business opportunities, or competitive advantages;
  • Incidental, consequential, punitive, or special damages of any kind;
  • Third-party claims against Data Controllers for research conduct;
  • Data subject complaints or legal actions against research institutions;
  • Compliance costs for additional security measures or policy changes.

11A.3 Liability Allocation and Cure Periods

  • Notice and Cure: 30-day cure period for technical compliance violations before liability attaches;
  • Shared Fault: Liability reduced proportionally when Data Controller actions contribute to damages;
  • Mitigation Duty: Data Controllers must take reasonable steps to minimize damages;
  • Insurance Offset: FIRAT liability reduced by amounts recovered from insurance or third parties;
  • Liquidated Damages: Specific monetary penalties for defined breach scenarios (detailed in Schedule A);
  • Statute of Limitations: Claims must be brought within 12 months of discovery or be forever barred.

11B. Data Controller Indemnification and Risk Allocation

11B.1 Comprehensive Controller Indemnification

Data Controllers agree to defend, indemnify, and hold harmless FIRAT from all claims, damages, costs, and expenses (including reasonable attorney fees) arising from:

  • Research activities, participant interactions, or data collection practices;
  • Failure to obtain valid informed consent or appropriate ethics approvals;
  • Violations of research ethics standards or institutional policies;
  • Processing instructions that violate applicable data protection laws;
  • Misrepresentation of research purposes or data processing activities;
  • Unauthorized data sharing or collaboration arrangements;
  • Data subject complaints or regulatory investigations of research practices;
  • Export control violations or international data transfer restrictions;
  • Integration with unauthorized third-party services or data sources;
  • Publication of research results or data analysis methodologies.

11B.2 Processing Risk Acknowledgment

Data Controllers explicitly acknowledge and accept the following processing risks:

  • Technical limitations in data validation and quality control;
  • Potential for participant data entry errors or fraudulent responses;
  • Inherent cybersecurity risks in cloud-based data processing;
  • Regulatory changes affecting data processing legality or requirements;
  • Third-party service dependencies and potential service disruptions;
  • International data transfer risks and varying protection standards;
  • AI and automated processing limitations and potential biases;
  • Data backup and recovery limitations during system failures.

11B.3 Risk Mitigation Responsibilities

To minimize risks, Data Controllers shall:

  • Maintain appropriate cyber liability and research insurance coverage;
  • Implement institutional data governance and oversight procedures;
  • Conduct regular security training for research personnel;
  • Perform periodic data protection impact assessments;
  • Establish backup and alternative research methodology procedures;
  • Monitor regulatory developments affecting research data processing;
  • Maintain emergency contact and incident response procedures;
  • Document all processing activities and compliance measures.

11C. Regulatory Change and Force Majeure Protections

11C.1 Regulatory Change Management

Regulatory Evolution Clause: Data protection laws continue to evolve rapidly. FIRAT commits to reasonable adaptation efforts but cannot guarantee compliance with future regulatory changes.

  • Best efforts compliance with new regulations within 12 months of effective date;
  • Data Controllers notified of material compliance challenges within 60 days;
  • Mutual agreement required for additional compliance costs exceeding 25% of subscription fees;
  • Right to terminate without penalty if compliance becomes technically or economically infeasible;
  • Data Controllers responsible for jurisdiction-specific regulatory requirements;
  • Regular compliance reviews and updates to processing procedures as needed.

11C.2 Force Majeure and Service Continuity

FIRAT shall not be liable for processing delays or failures due to:

  • Natural disasters, pandemics, or public health emergencies;
  • Government actions, sanctions, or export control changes;
  • Critical infrastructure failures or major cyberattacks;
  • Subprocessor bankruptcies or service discontinuations;
  • International conflicts or diplomatic restrictions;
  • Currency restrictions or international payment system failures;
  • Strikes, labor disputes, or workforce unavailability;
  • Supply chain disruptions affecting critical technology components.

11C.3 Service Continuity and Alternative Arrangements

  • Best efforts to maintain service continuity during force majeure events;
  • Alternative processing arrangements where technically and legally feasible;
  • Priority service restoration for critical research activities;
  • Assistance with data export and migration to alternative platforms if necessary;
  • Regular communication and status updates during service disruptions;
  • Post-incident analysis and resilience improvement measures.

12. Agreement Terms and Modifications

12.1 Agreement Effective Date and Duration

This DPA becomes effective upon Data Controller's acceptance of SnapGenius Terms of Service and remains in effect for the duration of the service relationship. The agreement automatically renews with service renewals and can be terminated by either party with 30 days written notice.

12.2 Modifications and Updates

  • Material changes to this DPA will be communicated 60 days in advance;
  • Minor updates for compliance or technical improvements may be implemented with 30 days' notice;
  • Data Controllers may object to changes and terminate the agreement if necessary;
  • Version history and change logs maintained for transparency;
  • Legal and regulatory updates implemented as required to maintain compliance.

12.3 Governing Law and Dispute Resolution

  • This DPA is governed by the laws of [FIRAT's jurisdiction] and EU data protection law;
  • Disputes will be resolved through good faith negotiation and mediation;
  • Data protection authorities retain jurisdiction over GDPR compliance matters;
  • Data Controllers retain rights to lodge complaints with supervisory authorities;
  • Emergency procedures available for urgent data protection concerns.

13. Final Liability and Risk Allocation

13.1 Comprehensive Liability Summary

FINAL NOTICE: This DPA is part of FIRAT's mission to provide cost-effective research tools to academic institutions. To maintain this accessibility, comprehensive liability limitations are essential.

Maximum FIRAT Exposure

  • Total lifetime liability capped at $100,000 USD per Data Controller;
  • No liability for regulatory fines exceeding direct service fees;
  • All consequential, incidental, and punitive damages excluded;
  • Force majeure and regulatory change exemptions apply;
  • Data Controller indemnification for research-related claims mandatory.

13.2 Data Controller Risk Acceptance

By accepting this DPA, Data Controllers explicitly acknowledge:

  • Understanding of all liability limitations and damage exclusions;
  • Acceptance of processing risks inherent in cloud-based research platforms;
  • Responsibility for obtaining appropriate insurance coverage;
  • Commitment to indemnify FIRAT for research-related legal claims;
  • Agreement to mandatory arbitration and class action waiver;
  • Compliance with all applicable research ethics and data protection requirements.

13.3 Dispute Resolution and Enforcement

  • Mandatory Arbitration: All disputes subject to binding arbitration under ICC Rules;
  • Venue: Arbitration proceedings conducted in Geneva, Switzerland;
  • Governing Law: Swiss data protection law governs processor obligations;
  • Class Action Waiver: No class, collective, or representative proceedings permitted;
  • Injunctive Relief: Courts may grant injunctive relief to protect intellectual property;
  • Fee Shifting: Prevailing party entitled to reasonable attorney fees and costs;
  • Severability: Invalid provisions replaced with enforceable alternatives of similar effect;
  • Statute of Limitations: All claims time-barred after 12 months from discovery.