Data Processing Agreement

This DPA applies where ChemLifeIntel processes personal data on behalf of a customer in connection with the services. For such data, the customer acts as the controller and ChemLifeIntel acts as the processor. It supplements our Terms of Service and Privacy Policy and prevails over them in the event of conflict regarding processing of customer personal data.

We process customer personal data solely to provide, maintain, secure and support the services in accordance with the customer's documented instructions, including those set out in the agreement. We will not process customer personal data for any other purpose, and we will inform the customer if, in our opinion, an instruction infringes applicable data-protection law.

The categories of personal data and data subjects depend on how the customer uses the service. Typical categories include:

• Data subjects: the customer's authorised users and business contacts.
• Personal data: identification and contact details, account credentials, usage and log data, and the contents of communications submitted through the service.

We engage vetted sub-processors—such as cloud hosting and database infrastructure, product analytics, email delivery and payment processing—to help deliver the services. Each sub-processor is bound by written terms imposing data-protection obligations no less protective than this DPA. We maintain a current list of sub-processors and will give the customer notice of intended changes so they may object on reasonable data-protection grounds.

We implement appropriate technical and organisational measures to protect personal data, including:

• encryption of personal data in transit and at rest;
• role-based access controls and least-privilege access;
• network and application security controls and monitoring;
• regular backups and resilience measures; and
• personnel confidentiality obligations and security training.

Where processing involves transferring personal data outside the EEA, the UK or other regulated regions, we rely on lawful transfer mechanisms, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by additional safeguards where required by applicable law.

Taking into account the nature of the processing, we will provide reasonable assistance to enable the customer to respond to requests from data subjects exercising their rights under applicable data-protection law. If we receive such a request directly, we will, unless legally prohibited, advise the data subject to contact the customer and notify the customer where appropriate.

We maintain procedures to detect, investigate and respond to personal-data breaches. We will notify the customer without undue delay after becoming aware of a personal-data breach affecting customer personal data, and will provide information reasonably required to help the customer meet its own notification obligations.

On reasonable written request, and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the customer or an independent auditor, no more than once per year except where required by a supervisory authority or following a material incident.

On termination or expiry of the services, and at the customer's choice, we will delete or return customer personal data, and delete existing copies, unless retention is required by applicable law. Where retention is required, we will protect the data and limit further processing to the purpose and duration mandated by that law.

To request the full Data Processing Agreement or our current sub-processor list, contact compliance@chemlifeintel.com. This summary is a template and should be reviewed by qualified legal counsel against your specific obligations before you rely on it.