Data Processing Agreement

Last updated: 28 January 2026

1. Introduction and agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer that uses Experiment OS ("Controller") and Another Web is Possible ("Processor", "we", "us"). It applies when Processor processes personal data on behalf of Controller in connection with the Experiment OS service ("Service").

By using the Service, Controller agrees to this DPA. If Controller requires a signed copy of this DPA (e.g. for internal records or a master agreement), contact us at jon@anotherwebispossible.co.uk.

Terms used in this DPA (e.g. personal data, processing, data subject, controller, processor) have the meanings given in UK GDPR and the UK Data Protection Act 2018 unless otherwise defined here.

2. Subject matter, duration and processing details

Subject matter: Processor provides the Service to Controller. In doing so, Processor processes personal data on behalf of Controller as set out in this DPA.

Duration: This DPA applies for as long as Processor processes personal data on behalf of Controller in connection with the Service (i.e. for the term of the Terms of Service and until deletion or return of data as set out in section 8).

Nature and purpose of processing: Provision of the Experiment OS SaaS platform (planning, running and documenting experiments; user and organisation management; billing where applicable).

Types of personal data: (a) Account and identity data (name, email address, authentication credentials or OAuth-derived identifiers). (b) Data that Controller or its users input into the Service (e.g. experiment names, hypotheses, notes, comments). (c) Billing and subscription identifiers (e.g. Stripe customer or subscription IDs); Processor does not process full payment card data. (d) Technical and usage data necessary to operate the Service (e.g. session data, logs). Experiment OS does not process end-user personal data from Controller's websites or apps; the Service is used by Controller's personnel only.

Categories of data subjects: Controller's personnel (employees, contractors or other authorised users) who use the Service.

3. Processor obligations

Processor shall:

  • Process personal data only on Controller's documented instructions (including as set out in the Terms of Service and this DPA), unless required to do otherwise by applicable law; in that case Processor shall inform Controller of the legal requirement before processing, unless the law prohibits such information.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (including as described in our Trust Centre), and assist Controller in ensuring compliance with Controller's obligations regarding security of processing and breach notification under UK GDPR.
  • Engage sub-processors only in accordance with section 4 and ensure that any sub-processor is bound by terms that are substantially as protective as this DPA.
  • Taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures insofar as possible to fulfil Controller's obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). Requests may be sent to Processor at the contact details in section 11; Processor shall respond within the timeframe required by applicable law.
  • Assist Controller in ensuring compliance with Controller's obligations relating to data protection impact assessments and prior consultation with the supervisory authority, where the processing is likely to result in high risk and to the extent that Controller does not have the necessary information.
  • At Controller's choice, delete or return all personal data to Controller at the end of the provision of the Service (see section 8), and delete existing copies unless applicable law requires storage.
  • Make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (including inspections) conducted by Controller or an auditor mandated by Controller, subject to reasonable notice and no more than once per year unless required by a supervisory authority or following a personal data breach. Processor may satisfy audit obligations by providing up-to-date attestations, certifications or summary documentation where appropriate.

Processor shall immediately inform Controller if, in Processor's opinion, an instruction infringes UK GDPR or other applicable data protection law.

4. Sub-processors

Controller authorises Processor to engage the following sub-processors to carry out processing activities on behalf of Controller:

Processor shall maintain an up-to-date list of sub-processors at the Trust Centre. If Processor appoints a new sub-processor or replaces one, Processor shall notify Controller (e.g. by updating the Trust Centre and, where feasible, by email to the contact address associated with Controller's account) at least 14 days before the new or replacement sub-processor processes Controller's personal data. Controller may object to the change on reasonable grounds relating to data protection by notifying Processor within 14 days of the notice. If Controller objects and the parties cannot agree on a solution, Controller may terminate the affected part of the Service or the Terms of Service on reasonable notice.

Processor remains fully liable to Controller for the performance of sub-processors.

5. International transfers

Personal data is stored in the United Kingdom and/or the European Economic Area (e.g. via Processor's infrastructure provider's regions). Processor does not routinely transfer Controller's personal data to countries outside the UK or EEA.

If Processor does transfer personal data to a country that has not been recognised as providing an adequate level of data protection, Processor shall ensure that appropriate safeguards are in place (e.g. UK IDTA, EU standard contractual clauses, or binding corporate rules) and that data subjects have enforceable rights and effective legal remedies. Processor shall inform Controller of any such transfer and the safeguards used on request.

6. Liability

Each party's liability under or in connection with this DPA is subject to the limitation of liability in the Terms of Service. Nothing in this DPA excludes or limits either party's liability for fraud, or for death or personal injury caused by negligence, or where otherwise not permitted by law.

7. Term

This DPA starts when Controller first uses the Service (or when the Terms of Service are accepted, if earlier) and continues until Processor no longer processes personal data on behalf of Controller in connection with the Service, except that sections that by their nature should survive (including sections 6 and 8) shall survive termination.

8. Deletion and return on termination

When the Terms of Service end or Controller requests deletion of personal data, Processor shall delete or return to Controller all personal data processed on behalf of Controller (at Controller's choice, communicated to Processor in writing or via the Service). Unless Controller requests return, Processor shall delete the data. Processor shall complete deletion or return within 30 days of the end of the provision of the Service or of Controller's request, unless applicable law requires retention; in that case Processor shall retain the data only to the extent and for the period required and shall continue to protect it in accordance with this DPA.

Controller may request return or deletion at any time by contacting Processor at the email in section 11 or via account settings where available.

9. Governing law and disputes

This DPA is governed by the laws of England and Wales. Any disputes arising in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, without prejudice to data subjects' rights under UK GDPR to lodge a complaint with a supervisory authority or to bring a claim in their country of residence.

10. Changes to this DPA

Processor may update this DPA from time to time to reflect changes in the Service, law or our practices. We will post the updated DPA on this page and update the "Last updated" date. If a change materially reduces Controller's rights or Processor's obligations, we will notify Controller (e.g. by email to the address associated with Controller's account) at least 30 days before the change takes effect. Continued use of the Service after the change constitutes acceptance of the updated DPA. If Controller does not agree, Controller may terminate the Service before the change takes effect.

11. Contact

For questions about this DPA, data subject requests, or processing of personal data:

Another Web is Possible (Experiment OS)
Email: jon@anotherwebispossible.co.uk

For security and compliance information, see our Trust Centre.