Data Processing Addendum
This DPA forms part of the Didymos Master Subscription Agreement ("MSA") between Didymos Limited ("Didymos", "Processor", "we", "us") and the entity agreeing to the MSA ("Customer", "Controller", "you"). It applies whenever Customer Data contains Personal Data as defined below.
1. Definitions
Unless otherwise defined in the MSA, capitalised terms have the meanings given below.
Applicable Data Protection Laws – (i) UK GDPR and Data Protection Act 2018; (ii) EU GDPR 2016/679; (iii) Swiss FADP 2020; (iv) U.S. state privacy laws that provide for “service‑provider” or “processor” contracts (e.g., CPRA, ColoPA, VCDPA, CTDPA); and any implementing regulations, each as amended or replaced.
Personal Data – Any information relating to an identified or identifiable natural person that is processed under the MSA.
Standard Contractual Clauses (or “SCCs”) – EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (modules 2 and 3), as completed in Appendix A.
UK Addendum – The template issued by the UK ICO (version B.1.0, 21 March 2022), attached as Appendix B.
Sub‑processor – Any third party engaged by Didymos to process Personal Data on behalf of Customer.
Security Incident – A confirmed unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope, subject‑matter, nature & purpose
The subject‑matter, nature, purpose and duration of the processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.
3. Obligations of Didymos (Processor)
3.1 Processing on documented instructions
Didymos will process Personal Data only (a) in accordance with Customer’s documented instructions in the MSA, Order Forms, this DPA and Customer’s configuration of the Service; or (b) where required by law (in which case Didymos will inform Customer, unless legally prohibited).
3.2 Confidentiality
Didymos ensures persons authorised to process Personal Data are bound by confidentiality obligations.
3.3 Security
Didymos implements and maintains the technical and organisational measures (“TOMs”) described in Annex II and will not materially diminish them during the Subscription Term.
3.4 Sub‑processors
Didymos may engage Sub‑processors listed in our Service Providers & Subprocessors document. Didymos will: (a) impose data‑protection terms no less protective than this DPA; (b) remain liable for each Sub‑processor’s performance; and (c) notify Customer at least 30 days before adding or replacing a Sub‑processor, giving Customer the right to object on reasonable grounds.
3.5 International transfers
If Didymos or a Sub‑processor processes Personal Data outside the UK/EEA/adequate countries, the parties will rely on the SCCs (Appendix A) and, where the UK GDPR applies, the UK Addendum (Appendix B). Didymos will provide supplementary measures where required to ensure essentially equivalent protection.
3.6 Assistance with data‑subject requests
Taking into account the nature of the processing, Didymos will assist Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise data‑subject rights under Applicable Data Protection Laws. If a request is made directly to Didymos, Didymos will promptly forward it to Customer unless prohibited by law.
3.7 Data‑protection impact assessments
Didymos will provide reasonable assistance to Customer in conducting DPIAs and prior consultations with supervisory authorities, taking into account the nature of processing and information available to Didymos.
3.8 Audit & records
Didymos will make available information necessary to demonstrate compliance with this DPA and allow for audits (including inspections) conducted by Customer or an auditor mutually agreed, no more than once per 12‑month period, with 30 days’ notice, during UK business hours, subject to reasonable confidentiality and cost‑recovery terms.
3.9 Security Incidents
Didymos will notify Customer without undue delay and in any event within 24 hours of confirming a Security Incident affecting Personal Data and will provide timely information as it becomes known or as reasonably requested by Customer to meet any breach‑notification obligations.
3.10 Return & deletion
Upon Customer’s written request, or 30 days after Account closure (MSA Section 10.5), Didymos will delete or return all Personal Data (including copies), save to the extent retention is required by law.
4. Obligations of Customer (Controller)
1) Customer represents that it has a valid legal basis to process and instruct Didymos to process Personal Data.
2) Customer will not instruct Didymos to process Personal Data in violation of Applicable Data Protection Laws.
3) Customer is responsible for (a) its Authorised Users’ use of the Service; (b) secure configuration of environments (e.g., access controls); and (c) providing required privacy notices to Data Subjects.
5. Liability & indemnities
Liability under this DPA is governed by the limitations and exclusions in Section 9 of the MSA. However, nothing in the MSA or this DPA limits either party’s liability under the SCCs to the extent such limitation is not permitted.
6. Term & termination
This DPA remains in effect for the duration of the Account Term and Subscription Term(s) and until deletion of all Personal Data by Didymos.
7. Order of precedence
In the event of conflict: (a) SCCs and UK Addendum (where applicable) prevail over this DPA; (b) this DPA prevails over the MSA; and (c) the MSA prevails over other documents.
Annex I – Details of Processing
Subject‑matter – Provision of a synthetic‑user‑testing SaaS platform, including storage, retrieval, analysis, AI inference and reporting of Customer‑supplied test scenarios and artefacts.
Duration – Subscription Term plus a 30‑day export window.
Nature & purpose – Hosting, organising, transforming, generating synthetic feedback, analysing and transmitting data per Customer’s instructions.
Personal Data categories – Names, emails, job titles, interview transcripts, customer research reports, free‑text prompts, analytics events, device/IP data.
Data‑subject categories – Customer employees, contractors, end‑users, beta testers and any individuals whose data appears in uploaded content.
Special‑category data – Not intentionally processed; Customer must not deliberately include such data unless lawfully permitted and with valid consent.
Transfers – Personal Data exported from the EEA may be processed in the United Kingdom and/or the United States. Personal Data exported from the United Kingdom may be processed in the United States. These transfers are carried out under the EU Standard Contractual Clauses (2021/914, Modules 2 & 3) and the UK International Data Transfer Addendum.
Annex II – Technical & Organisational Measures
Infrastructure – Hosted on Supabase Managed Postgres (Frankfurt, DE) with SOC 2 Type II controls.
Network security – TLS 1.3 in transit; AES‑256 at rest; WAF & DDoS protection; VPC isolation.
Access control – Role‑based access (RBAC); SSO & MFA for employees; quarterly access reviews.
Data segregation – Logical tenancy per workspace; row‑level security enforced by Supabase policies.
Encryption keys – Managed by Supabase; rotated annually or upon compromise.
Vulnerability management – Automated dependency scanning (Dependabot, Snyk); critical patches within 7 days.
Monitoring & logging – Centralised logs, 30‑day retention, anomaly alerts, security information & event management (SIEM).
Back‑up & DR – Continuous WAL archiving; daily encrypted base snapshots; PITR 7 days; RPO ≤ 5 min; RTO ≤ 24 h.
Incident response – Documented IRP; 24 h breach notification (Section 3.9).
Employee training – Annual security & privacy training for all staff.
Supplier management – Initial and annual security assessments of Sub‑processors; DPA and SCCs in place.
Pen‑testing – Annual third‑party penetration test; high‑severity findings remediated within 30 days.
Appendix A – EU Standard Contractual Clauses (2021/914)
The parties agree that the SCCs (modules 2 and 3) are incorporated by reference. Didymos acts as “data importer”; Customer acts as “data exporter”. The SCCs are completed as follows:
Clause 9(a) – option 2 (general authorisation); 30‑day notice.
Clause 11(a) – independent dispute‑resolution body: not applicable.
Clause 17 – governing law: Ireland.
Clause 18(b) – courts of Ireland.
Annex I.A–C & Annex II – as per Annex I and Annex II of this DPA.
Appendix B – UK Addendum (Version B.1.0)
Table 1 – Parties: Didymos (Importer); Customer (Exporter).
Table 2 – Approved SCCs: Appendix A.
Table 3 – Incorporated information: Annex I–III.
Table 4 – Liability: as per MSA Section 9.
Exporter may end the Addendum under its Section 19 where the Information Commissioner issues amendments to it.
Appendix C – U.S. State Privacy Rider
For “service provider” / “processor” purposes under CPRA (§ 1798.140), ColoPA, VCDPA, CTDPA and similar:
Didymos shall not sell or share Personal Data or retain, disclose or use it for any purpose other than to perform the Services.
Didymos grants Customer the right to take reasonable and appropriate steps to ensure Didymos uses Personal Data in a manner consistent with Customer’s obligations.
Didymos shall notify Customer if it determines it can no longer meet its obligations.
Didymos shall enable deletion or return of Personal Data upon request and shall notify Sub‑processors to do the same.
Signatures
Didymos Limited
Signature: _____________________
Name: ________________________
Title: _________________________
Date: _________________________
Customer
Signature: _____________________
Name: ________________________
Title: _________________________
Date: _________________________
For self‑service plans set up online through the Didymos website, the Customer’s click‑wrap acceptance and completion of payment shall constitute execution of this DPA pursuant to the UK Electronic Communications Act 2000, eIDAS Regulation 910/2014 and the US E‑SIGN Act 2000.
Last updated: 8 June 2025