Legal · Data products · DPA
Data Processing Addendum — Daystrom Data
The GDPR Article 28 addendum governing personal data that Daystrom OÜ processes on a business customer's behalf when operating their account and API usage. A template that takes effect only once accepted or countersigned.
Last updated: 2026-06-23
TEMPLATE NOTICE — not yet in force. THIS IS A TEMPLATE. It is not legal advice and is not yet a binding agreement: a Data Processing Addendum takes effect only once both parties have signed (or accepted) it. Until countersigned by an authorised representative of both Daystrom OÜ and the Customer, it imposes no obligations. Square-bracketed items marked
[counsel to complete]flag decisions that must be settled before this template is offered. Where this Addendum and the Daystrom Data Terms of Use conflict on the subject of personal-data processing, this Addendum prevails; on all other matters the Terms of Use prevail.
"Daystrom Data" means the family of public-database products operated by Daystrom OÜ (Apex DB, RxAtlas, TrialBase, Strata, RecallRadar, and others), together with their snapshots and REST/MCP APIs (the "Service").
1. Parties, scope and relationship
1.1 Parties. This Data Processing Addendum (the "Addendum" or "DPA") is entered into between Daystrom OÜ, a private limited company (osaühing) registered in the Estonian Commercial Register under code 17537299, VAT EE102999776, registered at Tornimäe tn 5, Kesklinna linnaosa, Tallinn 10145, Harju maakond, Estonia (the "Processor", "we", "us", operator of Daystrom Data), and the business customer identified in the order or account that accepts it (the "Controller", "Customer", "you"). It supplements and forms part of the Daystrom Data Terms of Use and any order for the Daystrom Data snapshots, REST API, and MCP API (together, the "Service").
1.2 Purpose. This Addendum sets out the terms required by Article 28(3) of Regulation (EU) 2016/679 (the "GDPR") and equivalent provisions of the UK GDPR for the limited cases in which we process personal data on your behalf as your processor.
1.3 Narrow scope — what this DPA does and does not cover. The Service is principally the licensing of datasets and access to them. For the personal data CONTAINED IN the datasets — for example, where a dataset compiles, from public registries, the names, affiliations or contact details of trial sponsors, investigators, or product manufacturers and responsible parties — we act as an independent CONTROLLER (we decide the purposes and means of that compilation), and you, in turn, act as a separate and independent controller of any personal data you extract or reuse from the dataset. That controller-to-controller relationship is NOT governed by this Addendum; it is addressed in the Daystrom Data Terms of Use and Privacy Policy. Each party is independently responsible for its own lawful basis for processing personal data drawn from the datasets.
1.4 What this DPA does cover. This Addendum applies ONLY where, and to the extent that, we process personal data on your documented instructions in the course of operating your account and serving your API usage — namely the account, authentication, and usage data of your organisation and its authorised users (defined in Annex 1 as the "Customer Personal Data"). In respect of that Customer Personal Data, you are the controller and we are your processor.
1.5 Roles. Each party will comply with its own obligations under Data Protection Law. "Data Protection Law" means the GDPR, the UK GDPR, the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and any other data-protection or privacy law applicable to a party's processing under this Addendum. Terms such as "controller", "processor", "data subject", "personal data", "personal data breach", and "supervisory authority" have the meanings given in the GDPR.
2. Subject-matter, duration, nature and purpose of processing (Art. 28(3) opening)
2.1 The required particulars of the processing — its subject-matter and duration, its nature and purpose, the type of personal data, and the categories of data subjects — are set out in Annex 1 (Details of Processing) and incorporated into this Addendum. In summary:
(a) Subject-matter: our provision of the Service (account access to Daystrom Data snapshots and the REST and MCP APIs) to you.
(b) Duration: for the term of your order or account, and for any wind-down, return, or deletion period described in Section 11, after which processing ceases.
(c) Nature and purpose: hosting and operating your account; passwordless (magic-link) authentication of your authorised users; issuing and verifying API access tokens; authenticating, routing, rate-limiting, and metering API and MCP requests; preventing abuse and securing the Service; and producing the usage records needed for billing and support. We do not process Customer Personal Data for our own purposes, and we never sell it or use it to train models.
(d) Type of personal data and categories of data subjects: as itemised in Annex 1. We do not intend or require you to route special categories of personal data (GDPR Art. 9) or criminal-offence data (Art. 10) through your account; if you do so you must tell us in advance, and we may decline.
2.2 You confirm that your instructions to process Customer Personal Data, including via your configuration and use of the Service, comply with Data Protection Law, and that you have established a lawful basis for the processing you instruct.
3. Processing only on documented instructions (Art. 28(3)(a))
3.1 We will process Customer Personal Data only on your documented instructions, including with regard to transfers of personal data to a third country, unless required to do otherwise by Union or Member State law to which we are subject; in such a case we will inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 Your instructions are documented by, and limited to, this Addendum, the Terms of Use, your order, and your configuration and operation of the Service through its standard interfaces. Any additional or different instruction must be agreed in writing and may be subject to additional charges or declined where not technically feasible.
3.3 We will inform you if, in our opinion, an instruction infringes Data Protection Law. We are not obliged to, and will not, perform a general legal review of your instructions, and this notice does not transfer your controller responsibilities to us.
4. Confidentiality (Art. 28(3)(b))
4.1 We ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 We limit access to Customer Personal Data to personnel who need it to provide, secure, support, or bill the Service, and that access is subject to confidentiality obligations that survive the end of their engagement.
5. Security of processing (Art. 28(3)(c) and Art. 32)
5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2 (Security Measures).
5.2 Those measures address, as appropriate, the matters in Art. 32(1): pseudonymisation and encryption; the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of the measures.
5.3 In assessing the appropriate level of security we take account in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
5.4 Annex 2 describes our current measures. We may update them as the Service evolves provided the updates do not materially reduce the overall level of security.
6. Sub-processors (Art. 28(2) and 28(3)(d))
6.1 General authorisation. You give us a general written authorisation to engage sub-processors to process Customer Personal Data, subject to this Section. Our current sub-processors and the function each performs are listed in Annex 3 (Sub-processors).
6.2 Flow-down. Where we engage a sub-processor to carry out specific processing activities on your behalf, we impose on it, by a written contract, data-protection obligations that are materially the same as those set out in this Addendum, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Where a sub-processor fails to fulfil its data-protection obligations, we remain fully liable to you for the performance of that sub-processor's obligations.
6.3 Changes and objection. We will notify you of any intended addition or replacement of a sub-processor — by updating the list in Annex 3 / on the published sub-processor page and, where you have subscribed to change notifications, by the notice method on file — at least 30 days before the new sub-processor begins processing Customer Personal Data, giving you the opportunity to object on reasonable, data-protection grounds. If you object within that period, we will work with you in good faith to address the objection; if we cannot, you may terminate the affected part of the Service in accordance with the Terms of Use.
6.4 The sub-processor list in Annex 3 is the same list maintained for the Daystrom Data Privacy Policy and is kept in lockstep with it.
7. Assistance with data-subject requests (Art. 28(3)(e))
7.1 Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, insofar as this is possible, in fulfilling your obligation to respond to requests by data subjects exercising their rights under Chapter III of the GDPR (Articles 12 to 23) — including the rights of access, rectification, erasure, restriction, data portability, and objection — in respect of Customer Personal Data.
7.2 If a data subject sends such a request directly to us in respect of Customer Personal Data, we will not respond to it ourselves (other than to acknowledge it where appropriate) but will, without undue delay, inform you and direct the data subject to you, so that you as controller can respond.
7.3 Reasonable assistance of this kind is included in the Service; assistance that is excessive in volume or complexity may be subject to a reasonable charge, notified to you in advance.
8. Assistance with the Controller's security, breach, DPIA and consultation obligations (Art. 28(3)(f))
8.1 Taking into account the nature of processing and the information available to us, we assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR, namely: security of processing (Art. 32); notification of a personal data breach to the supervisory authority (Art. 33) and communication to data subjects (Art. 34); data protection impact assessments (Art. 35); and prior consultation with the supervisory authority (Art. 36).
8.2 Such assistance is provided to the extent the relevant matter relates to our processing of Customer Personal Data and is not reasonably available to you by other means.
9. Personal data breach notification (Art. 28(3)(f), Art. 33(2))
9.1 We notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event consistent with the timeframe stated in our breach-notification commitment (the target is without undue delay and in any event within 48 hours of our becoming aware).
9.2 The notification will, to the extent known and as it becomes available, describe the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; the likely consequences; the measures taken or proposed to address it and to mitigate its adverse effects; and the name and contact details of our point of contact for more information. Where we cannot provide all the information at once, we may provide it in phases without undue further delay.
9.3 Our notification to you is not an acknowledgement of fault or liability. You remain responsible for any notification to a supervisory authority or to data subjects required of you as controller under Articles 33 and 34.
10. International transfers (Chapter V; Art. 28(3)(a))
10.1 We and our sub-processors operate in the EU and may also process Customer Personal Data in the United States and other third countries, as indicated in Annex 3. Some sub-processors offer EU and US regions; where relevant, the region in use is indicated in Annex 3 or the documentation.
10.2 Where we, or a sub-processor, transfer Customer Personal Data to a country outside the EEA that is not the subject of an adequacy decision under Art. 45, the transfer is made under an appropriate Chapter V safeguard. Our primary mechanism is the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "EU SCCs"), which are incorporated into this Addendum by reference and completed as set out in Annex 4 (Transfer Mechanism), together with any supplementary measures required following a transfer impact assessment. For transfers subject to the UK GDPR, the EU SCCs as supplemented by the UK Information Commissioner's International Data Transfer Addendum apply. For transfers to recipients certified under an applicable adequacy framework (where in force), that framework may be relied upon.
10.3 The module and roles of the EU SCCs are completed in Annex 4; in the controller-to-processor relationship under this Addendum, Module Two (controller to processor) applies, and Module Three (processor to processor) applies between us and our sub-processors. Where there is any conflict between the EU SCCs and this Addendum, the EU SCCs prevail in respect of the transfer they govern.
10.4 You authorise us to carry out and enter into transfers and the associated SCCs on the basis described in this Section as part of your documented instructions under Section 3.
11. Return or deletion at end of processing (Art. 28(3)(g))
11.1 At your choice, we delete or return all Customer Personal Data to you after the end of the provision of services relating to processing, and delete existing copies, unless Union or Member State law requires storage of the personal data.
11.2 Unless you request return in a commonly used format within 30 days of termination or expiry, we will delete Customer Personal Data within the retention periods stated in our retention commitment, after which it is removed from active systems and from routine backups in the ordinary backup-expiry cycle.
11.3 We may retain Customer Personal Data to the extent, and for as long as, required by applicable law (for example, billing, tax, and accounting records), and only for that purpose; such retained data remains subject to the confidentiality and security terms of this Addendum.
11.4 Where you choose return, we provide the data in a structured, commonly used, machine-readable format and then delete our copies in accordance with this Section.
12. Audit and information rights (Art. 28(3)(h))
12.1 We make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 and this Addendum, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
12.2 Practical exercise. To protect the security and confidentiality of our systems and of other customers' data, audit rights are exercised as follows: in the first instance we satisfy an audit request by providing our then-current documentation, security descriptions, and any third-party certifications or audit reports we hold. Where that is not sufficient to address a specific, reasonable concern, you (or your mandated, independent auditor who is not a competitor of ours and is bound by confidentiality) may conduct an audit on reasonable prior written notice of at least 30 days, no more than once in any 12-month period (except where required by a supervisory authority or following a personal data breach), during business hours, in a manner that does not disrupt the Service or compromise other customers' data, and at your cost.
12.3 In accordance with Art. 28(3) second subparagraph, we will inform you if, in our opinion, an instruction relating to an audit infringes Data Protection Law.
13. Liability, term and miscellaneous
13.1 Liability. Each party's liability arising out of or related to this Addendum is subject to the limitations and exclusions of liability set out in the Daystrom Data Terms of Use, and any reference there to the liability of a party means the aggregate liability of that party under the Terms of Use and this Addendum together. Nothing in this Addendum limits liability that cannot be limited under Data Protection Law, including a data subject's rights to compensation under Art. 82.
13.2 Term. This Addendum takes effect when accepted or countersigned and continues for as long as we process Customer Personal Data on your behalf. Sections that by their nature should survive (including confidentiality, deletion/return, and liability) survive termination.
13.3 Conflict and order of precedence. In the event of conflict on the processing of personal data: (1) the EU SCCs (for the transfers they govern), then (2) this Addendum, then (3) the Terms of Use.
13.4 Changes. We may update this Addendum to reflect changes in Data Protection Law, guidance, sub-processors, or the Service, provided no update materially reduces your protections; the current version is published with the Daystrom Data legal documents and dated.
13.5 Governing law and jurisdiction. This Addendum is governed by the law of, and disputes are subject to the courts of, the jurisdiction specified in the Daystrom Data Terms of Use (Estonia), except where Data Protection Law or the EU SCCs require otherwise.
13.6 Signatures. This Addendum is accepted by acceptance of the Terms of Use and order, or, where a signed copy is required, by the authorised representatives of both parties below.
For the Processor (Daystrom OÜ, operator of Daystrom Data): name ____, title ____, date ____. For the Controller (Customer): name ____, title ____, date ____, on behalf of [legal entity] ____.
Contact for data-protection matters under this Addendum: data@daystromworks.com.
Annex 1 — Details of Processing
Controller: the Customer. Processor: Daystrom OÜ (operator of Daystrom Data).
Subject-matter: provision of the Daystrom Data Service (snapshots, REST API, MCP API) to the Customer.
Duration: the term of the Customer's order or account, plus the return/deletion period in Section 11.
Nature of the processing: collection, recording, storage, organisation, structuring, consultation, use, transmission, restriction, erasure, and destruction of Customer Personal Data by automated means, for the operation of the account and Service.
Purpose of the processing: account hosting and operation; passwordless (magic-link) authentication of authorised users; issuance and verification of API access tokens (stored only as SHA-256 hashes); authentication, routing, rate-limiting, metering and abuse-prevention of API/MCP requests; security and integrity of the Service; and generation of usage records for billing and support. The Processor does not process Customer Personal Data for its own purposes and does not sell it or use it to train models.
Type of personal data: (i) account and authentication data — the email addresses of the Customer's authorised users and account/organisation identifiers; (ii) credential data — hashed (SHA-256) API access tokens and related token metadata; (iii) usage and connection data — IP addresses, request and usage logs, timestamps, endpoints called, and volumetric/metering data used for rate-limiting, abuse prevention, and billing. Payment-card data is processed by the payment provider and is not stored by the Processor. The processing is not intended to include special categories of personal data (Art. 9) or criminal-offence data (Art. 10).
Categories of data subjects: the Customer's authorised users, administrators, and billing contacts whose account, credential, and usage data flow through the Service.
Frequency: continuous, for the duration of the account.
Note — out of scope: personal data CONTAINED IN the licensed datasets (e.g. trial sponsors, or parties named in recall notices) is processed by the Processor as an independent controller and is not Customer Personal Data under this Addendum (see Section 1.3).
Annex 2 — Technical and Organisational Security Measures (Art. 32)
The Processor maintains, at a minimum, the following measures, kept current as the Service evolves and without materially reducing the overall level of security:
Encryption: personal data is encrypted in transit (TLS) over public networks and encrypted at rest by the managed hosting and database providers. API access tokens are never stored in plaintext — only their SHA-256 hashes are retained.
Access control: access to systems and Customer Personal Data is restricted on a least-privilege, need-to-know basis to authorised personnel bound by confidentiality; administrative access uses strong authentication.
Pseudonymisation and minimisation: tokens are stored as hashes; logs are kept to what is needed for security, rate-limiting, abuse prevention, and billing, and are retained for limited periods.
Confidentiality, integrity, availability, resilience: the Service runs on managed, redundant infrastructure providing resilience and the ability to restore availability and access to personal data in a timely manner after an incident.
Backups and restoration: managed backups support timely restoration; restoration procedures are part of provider operations.
Testing and evaluation: a process for regularly reviewing and assessing the effectiveness of the measures, including dependency and configuration review.
Vendor assurance: sub-processors are selected for, and contractually required to maintain, appropriate technical and organisational measures (Annex 3).
Incident response: documented breach-detection and notification procedures consistent with Section 9.
[counsel to complete before launch: confirm which formal certifications (e.g. provider SOC 2 / ISO 27001 reports) may be referenced here, and finalise encryption-at-rest and backup-retention specifics to match the production configuration.]
Annex 3 — Authorised Sub-processors
The Processor engages the following sub-processors to process Customer Personal Data. This list is the same as, and kept in lockstep with, the sub-processor list in the Daystrom Data Privacy Policy.
- Vercel Inc. — application hosting, CDN/edge delivery, and Blob storage for snapshot delivery. Regions: US and EU. Processes: account/usage data in transit and at rest; snapshot delivery.
- Neon Inc. — managed PostgreSQL database. Regions: US and EU. Processes: account, hashed-token, and usage data at rest.
- Resend Inc. — delivery of passwordless authentication (magic-link) and transactional emails. Region: US (transfers under the EU SCCs in Resend's DPA). Processes authorised-user email addresses for the purpose of sending login links and service notifications.
- Google LLC (Google Workspace) — business email hosting for support, security, and corrections enquiries (data@, security@, corrections@ addresses). Regions: US and EU. Processes: email message content and metadata for messages sent to our contact addresses.
Vercel Web Analytics and Speed Insights (cookieless, first-party website measurement) run without setting
a cross-site identifier and process only aggregate visitor telemetry, not Customer Personal Data under this
Addendum. Payment providers (Stripe, Coinbase) are NOT sub-processors of Customer Personal Data: they act
as independent (separate) controllers for payment processing under their own terms (per Stripe's published
DPA) and are addressed in the Privacy Policy as controller-to-controller recipients, not listed here.
Google Analytics and Google Ads are consent-gated website analytics/advertising recipients that receive
visitor data only after the visitor opts in; they do not process the Customer's authorised-user account
data under this Addendum and so are not listed here. [counsel to complete: confirm exact contracting legal entities and regions for sub-processors above, and confirm Google Workspace DPA coverage.]
Annex 4 — Transfer Mechanism (EU Standard Contractual Clauses)
For transfers of Customer Personal Data to a third country without an adequacy decision, the parties incorporate the EU SCCs (Commission Implementing Decision (EU) 2021/914), completed as follows:
Module: Module Two (controller to processor) applies between the Customer (data exporter, controller) and the Processor (data importer, processor). Module Three (processor to processor) applies between the Processor and its sub-processors.
- Clause 7 (docking):
[counsel to complete — select whether the optional docking clause applies] - Clause 9 (sub-processors): Option 2, general written authorisation, with the change-notice period in Section 6.3.
- Clause 11 (redress): the optional independent-dispute-resolution body:
[counsel to complete — include or omit]. - Clause 17 (governing law): the law of
[counsel to complete — suggest Estonia, consistent with governing-law clause in Terms of Use]. - Clause 18 (forum and jurisdiction): the courts of
[counsel to complete — suggest Estonia per Terms of Use]. - Annex I (parties, description of transfer): completed by reference to Annex 1 of this Addendum.
- Annex II (technical and organisational measures): completed by reference to Annex 2 of this Addendum.
- Annex III (list of sub-processors): completed by reference to Annex 3 of this Addendum.
UK transfers: the EU SCCs as supplemented by the UK ICO International Data Transfer Addendum (Version B1.0). Swiss transfers: the EU SCCs as adapted by the Swiss FDPIC, where applicable.
Where any of the above selections are not yet made, the SCCs apply with their default/most-protective option pending finalisation by counsel before launch.