
GDPR Compliance Policy

Last updated: August 31, 2025

The General Data Protection Regulation (GDPR) is a comprehensive privacy law in the European Union that grants EU citizens and residents fundamental rights over their personal data. FIRAT (Foresight Institute of Research and Translation) and SnapGenius are fully committed to GDPR compliance and maintaining the highest standards of data protection for research activities.

Controller Information

Pursuant to Article 13 GDPR, the following information identifies the data controller and data protection officer:

Data Controller: FIRAT - Foresight Institute of Research and Translation
Legal Representative: Chief Executive Officer
Business Address: [To be updated with FIRAT's registered address]
Data Protection Officer: Chief Privacy Officer
DPO Contact: dpo@firat.rw
EU Representative: [If applicable - TBD based on FIRAT location]

For data protection inquiries, please contact our Data Protection Officer, who will respond within 72 hours for urgent matters and 5 business days for general inquiries.

GDPR Compliance Framework

Yes, SnapGenius is fully GDPR compliant and implements comprehensive privacy-by-design principles:

Data Protection Principles

  • Lawfulness: All processing based on legitimate legal grounds with clear lawful bases;
  • Purpose Limitation: Data processed only for specific, explicit research purposes;
  • Data Minimisation: Only necessary data collected for stated research objectives;
  • Accuracy: Procedures to ensure data accuracy and correction mechanisms;
  • Storage Limitation: Data retained only as long as necessary for research purposes;
  • Security: State-of-the-art technical and organizational security measures;
  • Accountability: Comprehensive documentation and audit trails maintained.

Technical Safeguards

  • End-to-end encryption for all data transmission (TLS 1.3);
  • AES-256 encryption for data at rest with hardware security modules;
  • Data centers located within the EU with strict access controls;
  • Multi-factor authentication and role-based access controls;
  • Regular penetration testing and security audits;
  • Automated data loss prevention and monitoring systems;
  • Secure backup and disaster recovery procedures;
  • Privacy-preserving analytics and pseudonymization capabilities.

Organizational Measures

  • ISO 27001 certified information security management system;
  • SOC 2 Type II compliance for service organization controls;
  • Regular staff training on data protection and research ethics;
  • Data Protection Impact Assessments (DPIAs) for high-risk processing;
  • Incident response team with 24/7 breach detection capabilities;
  • Privacy-by-design principles integrated in development lifecycle;
  • Regular compliance audits and third-party assessments.

Data Processing Agreement (DPA)

By creating a SnapGenius account, research institutions and individual researchers automatically agree to our comprehensive Data Processing Agreement. Key provisions include:

  • Clear delineation of controller and processor responsibilities;
  • Specific instructions for research data processing activities;
  • Confidentiality obligations for all personnel accessing data;
  • Technical and organizational security measures requirements;
  • Procedures for handling data subject rights requests;
  • International transfer safeguards and adequacy mechanisms;
  • Breach notification procedures and timeline requirements;
  • Subprocessor management and approval processes;
  • Data retention and deletion procedures;
  • Audit rights and compliance verification mechanisms.

The complete DPA is available at /legal/dpa and can be executed as a separate agreement for institutional requirements.

Research Data Handling

SnapGenius provides research-grade data handling with enhanced protections for human subjects research:

Data Controller Responsibilities

  • Researchers and institutions act as data controllers for collected research data;
  • Responsibility for obtaining valid informed consent from research participants;
  • Ensuring appropriate legal basis for processing (consent, legitimate interest, etc.);
  • Maintaining ethics approval documentation and compliance records;
  • Determining data retention periods based on research and regulatory requirements;
  • Responding to data subject rights requests from research participants;
  • Implementing additional security measures for sensitive data categories.

FIRAT as Data Processor

  • Processes research data strictly according to researcher instructions;
  • Provides secure infrastructure and technical safeguards;
  • Assists with data subject rights fulfillment within technical capabilities;
  • Maintains detailed processing logs and audit trails;
  • Ensures subprocessor compliance with GDPR requirements;
  • Supports data portability and export functionality;
  • Implements data retention and deletion procedures as instructed.

Data Subject Rights Support

  • Technical tools to facilitate access requests and data portability;
  • Automated systems for data rectification and updates;
  • Secure deletion capabilities with cryptographic verification;
  • Consent management tools for research participant consent tracking;
  • Audit trails for all data processing activities and changes;
  • Integration with institutional consent management systems;
  • Support for pseudonymization and anonymization techniques.

International Data Transfers

FIRAT implements robust safeguards for international research collaboration:

Transfer Mechanisms

  • EU-UK Trade and Cooperation Agreement for UK transfers;
  • Standard Contractual Clauses (SCCs) for non-adequate countries;
  • Adequacy decisions where available (Japan, Canada, etc.);
  • Binding Corporate Rules for multinational research organizations;
  • Article 49 derogations for specific research situations;
  • Additional safeguards for sensitive research data transfers.

Data Localization Options

  • EU-only data processing option for maximum protection;
  • Specific country restrictions available upon request;
  • Real-time data location tracking and reporting;
  • Geographic backup and disaster recovery controls;
  • Compliance with local data residency requirements;
  • Researcher control over data transfer permissions.

Subprocessors and Third-Party Services

We maintain strict oversight of all subprocessors handling personal data. All subprocessors are bound by GDPR-compliant data processing agreements and undergo regular compliance audits:

Service Provider | Service Purpose | Data Location | Transfer Safeguards | Privacy Policy
Vercel Inc. | Platform Hosting & CDN | EU/US | SCCs, Privacy Shield successor | vercel.com/privacy
Supabase Inc. | Database & Authentication | EU (Frankfurt) | EU-based processing | supabase.com/privacy
Upstash Inc. | Redis Caching & Rate Limiting | EU | SCCs, EU data centers | upstash.com/privacy
Polar.sh | Payment Processing | EU/US | PCI DSS, SCCs | polar.sh/privacy
Google Cloud (AI Services) | AI/ML Processing (Optional) | EU (configurable) | Google Cloud DPA, adequacy | cloud.google.com/privacy
Groq Inc. | AI Processing (Fallback) | US | SCCs, no training data use | groq.com/privacy
Resend Inc. | Transactional Email | EU/US | SCCs, GDPR compliance | resend.com/privacy

Subprocessor Changes: We provide 30 days' advance notice of any subprocessor changes and maintain a public register of all subprocessors. Researchers may object to new subprocessors and request alternative arrangements.

Data Breach Response

FIRAT maintains a comprehensive incident response program for data protection breaches:

Detection and Response

  • 24/7 automated monitoring and anomaly detection systems;
  • Incident response team activated within 1 hour of breach detection;
  • Immediate containment and forensic investigation procedures;
  • Risk assessment and impact analysis within 24 hours;
  • Coordinated response with affected researchers and institutions.

Notification Procedures

  • Supervisory authority notification within 72 hours (Article 33 GDPR);
  • Data controller notification within 24 hours of breach detection;
  • Data subject notification when high risk to rights and freedoms exists;
  • Clear communication about breach scope, potential impact, and mitigation measures;
  • Regular updates throughout investigation and remediation process;
  • Post-incident report with lessons learned and preventive measures.

Data Subject Rights Implementation

SnapGenius provides comprehensive tools to facilitate data subject rights fulfillment:

Rights Management Portal

  • Self-service portal for data subjects to exercise their rights;
  • Automated identity verification and consent tracking;
  • Real-time status updates on rights requests processing;
  • Integration with researcher workflow management systems;
  • Audit trails for all rights-related activities and decisions.

Technical Implementation

  • Right of Access: Automated data export in machine-readable formats;
  • Right to Rectification: Direct editing capabilities with audit trails;
  • Right to Erasure: Cryptographic deletion with verification;
  • Right to Portability: Standardized data export (JSON, CSV, XML);
  • Right to Restrict Processing: Processing flags and access controls;
  • Right to Object: Opt-out mechanisms and consent withdrawal;
  • Rights related to Automated Decision-making: Human review processes for AI.

Contact Information for GDPR Matters

For all GDPR-related inquiries, rights requests, and compliance questions:

Data Protection Officer: Chief Privacy Officer
Email: dpo@firat.rw
Rights Requests: rights@firat.rw
Breach Reporting: security@firat.rw
Compliance Inquiries: compliance@firat.rw
Postal Address: [FIRAT's registered business address]
Response Times:
  • Urgent matters: Within 24 hours
  • Rights requests: Within 30 days (extendable to 90 days for complex requests)
  • General inquiries: Within 5 business days
  • Breach notifications: Within 72 hours to authorities, immediately to controllers

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.

Powerful form builder for research and data collection.

© 2025 Made by FIRAT Africa
