Data Processing Agreement (DPA)

GDPR Article 28 Compliance for B2B Customers

Contact: privacy@optixlog.com

This DPA is automatically effective when you use OptixLog services

This agreement is binding upon use of our services. No separate signature is required.

Quick Summary

Your Role

You (Customer) are the Data Controller - you decide what data to process and how.

Our Role

OptixLog is the Data Processor - we process data according to your instructions.

Data Location

Currently: AWS us-east-2 (Ohio, USA) via Supabase with Standard Contractual Clauses (SCCs)

EU Compliance

GDPR Article 28 compliant, SCCs for EU-US transfers, sub-processor transparency

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Service Agreement between Customer ("Controller") and OptixLog ("Processor") and governs the processing of Personal Data in connection with the OptixLog photonics simulation platform (the "Service").

GDPR Compliance: This DPA meets the requirements of Articles 28 and 46 of the General Data Protection Regulation (EU 2016/679).

3. Roles and Responsibilities

Controller (You)

  • Determine purposes and means of processing
  • Ensure lawful basis exists (GDPR Article 6)
  • Provide privacy notices to data subjects
  • Obtain necessary consents
  • Handle data subject requests
  • Conduct Data Protection Impact Assessments

Processor (OptixLog)

  • Process data only on your instructions
  • Ensure personnel confidentiality
  • Implement security measures
  • Assist with data subject requests
  • Assist with breach notifications
  • Delete or return data upon termination

4. Details of Processing

Subject Matter

Provision of OptixLog photonics simulation platform and related services

Types of Personal Data

  • Account Data: Names, email addresses, user IDs, IP addresses
  • Professional Data: Job role, research area, organization name
  • Usage Data: Session timestamps, API logs, storage metrics
  • Project Content: Simulation code, config files (if containing personal data)

Categories of Data Subjects

Employees, contractors, students, researchers, collaborators of Controller

5. Sub-processors

OptixLog uses the following vetted sub-processors. All have executed Data Processing Agreements with Standard Contractual Clauses (SCCs).

| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Supabase/AWS | Database & storage | US (Ohio) | DPA + SCCs, ISO 27001, SOC 2 |
| Stripe | Payment processing | US (global) | DPA + SCCs, PCI DSS Level 1 |
| Google | OAuth auth | US (global) | Google Cloud DPA + SCCs |
| OpenAI | Code analysis (optional) | US | OpenAI DPA, SOC 2 |
| Vercel | Hosting & analytics | US + global CDN | Vercel DPA, ISO 27001 |

Sub-processor Changes

We will notify you at least 30 days in advance of any new sub-processor via email and notice on this page. You have 30 days to object on reasonable data protection grounds.

6. International Data Transfers

When Personal Data is transferred from the EEA to the United States, OptixLog relies on:

  • Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914
  • Additional safeguards: Encryption in transit (TLS 1.3) and at rest, access controls, contractual commitments to challenge government data requests
  • Sub-processor compliance: All US-based sub-processors have executed SCCs

7. Security Measures

OptixLog implements the following technical and organizational measures (GDPR Article 32):

Technical

  • HTTPS/TLS 1.3 encryption in transit
  • Database encryption at rest
  • Password hashing (bcrypt/Argon2)
  • API key hashing
  • Rate limiting
  • Network isolation (VPC)

Organizational

  • Role-based access control (RBAC)
  • Employee training
  • Confidentiality agreements (NDAs)
  • Incident response plan
  • Vendor due diligence
  • Regular security audits

8. Data Subject Rights

OptixLog will assist Controller in fulfilling data subject requests:

Access: Export user data via self-service or API
Rectification: Update via account settings
Erasure: Delete account workflow
Portability: Provide data in JSON format

Response time: Within 5 business days of Controller's request

9. Data Retention and Deletion

During Service Term

Personal Data retained for as long as Controller's account is active

Upon Termination

Option 1 (default): Delete all Personal Data within 90 days

Option 2: Return Personal Data to Controller in JSON format, then delete

Exceptions

  • Financial records: Retained 7 years for tax/legal compliance
  • Backups: Retained 30 days (backup retention period)
  • Anonymized data: No longer Personal Data, may be retained

10. Personal Data Breach Notification

In the event of a Personal Data breach, OptixLog will:

  1. Notify Controller within 72 hours of becoming aware of the breach via email
  2. Provide details: nature of breach, categories/number of affected data subjects, likely consequences, mitigation measures
  3. Cooperate with Controller's breach investigation and Supervisory Authority inquiries

Note: Controller is responsible for notifying affected data subjects and Supervisory Authority as required by GDPR Articles 33-34.

By using OptixLog services, Controller agrees to the terms of this Data Processing Agreement.