Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the FlaskTrack Terms of Service and applies whenever Customer Data contains personal information subject to applicable privacy or data protection laws.
This DPA describes the responsibilities of FlaskTrack and its customers with respect to the processing of personal information through the FlaskTrack platform.
Contents
- Roles of the Parties
- Scope of Processing
- Customer Responsibilities
- FlaskTrack Responsibilities
- Processing Instructions
- Confidentiality
- Security Measures
- Subprocessors
- International Transfers
- Data Subject Requests
- Incident Notification
- Data Retention & Deletion
- Audit Rights
- Limitation of Liability
- Contact Information
1. Roles of the Parties
The Customer determines:
- The purpose of processing
- The legal basis for processing
- The categories of personal information collected
- The retention requirements for customer records
- The individuals granted access to information
FlaskTrack processes information solely on behalf of and under the instructions of the Customer as necessary to provide the Service.
2. Scope of Processing
FlaskTrack may process information submitted, uploaded, generated, or stored within the platform.
Categories of information may include:
- User account information
- Email addresses
- Organization information
- Laboratory records
- Research documentation
- Compliance records
- Audit records
- Uploaded files
- Operational metadata
Processing activities may include:
- Collection
- Storage
- Organization
- Retrieval
- Transmission
- Backup
- Deletion
3. Customer Responsibilities
Customers are responsible for ensuring that all information submitted to FlaskTrack is collected and processed lawfully.
Customers are responsible for:
- Obtaining required consents
- Providing required notices
- Responding to regulatory obligations
- Managing user access
- Defining retention policies
- Determining lawful processing purposes
Customers must not submit information they are not legally authorized to process.
4. FlaskTrack Responsibilities
FlaskTrack agrees to:
- Process information only as instructed by customers
- Maintain appropriate safeguards
- Restrict access to authorized personnel
- Assist with deletion requests where practical
- Maintain reasonable security measures
- Notify customers of qualifying security incidents
FlaskTrack does not determine the legal basis for customer processing activities.
5. Processing Instructions
Customer instructs FlaskTrack to process information solely for purposes necessary to provide the Service, including:
- Hosting the platform
- Providing user authentication
- Storing customer records
- Generating reports
- Providing support services
- Maintaining security and reliability
- Performing backup and recovery activities
FlaskTrack shall not process Customer Data for unrelated commercial purposes.
6. Confidentiality
Personnel with access to Customer Data are subject to confidentiality obligations and access restrictions appropriate to their responsibilities.
Customer Data will not be disclosed except as necessary to:
- Provide the Service
- Comply with legal obligations
- Investigate abuse or security incidents
- Protect the security of the platform
7. Security Measures
FlaskTrack maintains administrative, technical, and organizational safeguards designed to protect Customer Data.
These measures may include:
- TLS encryption in transit
- Password hashing
- Role-based permissions
- Audit logging
- Infrastructure monitoring
- Access restrictions
- Backup systems
Additional information regarding security controls is available in the Security & Infrastructure Policy.
8. Subprocessors
FlaskTrack may engage third-party service providers to assist in the operation of the Service.
| Provider | Purpose |
|---|---|
| DigitalOcean | Hosting, databases, networking, storage |
| Stripe | Payment processing |
| Email Providers | Transactional email delivery |
Subprocessors are required to provide protections appropriate to the services they perform.
9. International Transfers
Customer information may be processed in jurisdictions where FlaskTrack or its subprocessors operate.
Customers acknowledge and authorize such transfers where necessary to provide the Service.
10. Data Subject Requests
Customers remain responsible for responding to requests from individuals regarding:
- Access requests
- Correction requests
- Deletion requests
- Portability requests
- Processing objections
FlaskTrack will provide reasonable assistance, where technically feasible, to support customer compliance efforts.
11. Incident Notification
FlaskTrack maintains procedures for identifying and responding to security incidents.
Where required by law or contractual obligations, customers will be notified of confirmed incidents involving Customer Data within a commercially reasonable timeframe.
Notification timing may be affected by:
- Incident investigation requirements
- Containment efforts
- Legal obligations
- Law enforcement requests
12. Data Retention & Deletion
Customer Data remains available while accounts remain active.
Upon account termination or deletion requests, information may be removed from active systems within a commercially reasonable period.
Information may temporarily remain within backup systems before final removal.
Certain records may be retained where required for:
- Legal obligations
- Fraud prevention
- Security investigations
- Accounting requirements
13. Audit Rights
FlaskTrack may make available documentation describing security and privacy practices.
Customers may submit reasonable requests regarding operational controls, security practices, and subprocessors.
Requests that would compromise platform security, customer confidentiality, or proprietary information may be limited.
14. Limitation of Liability
This DPA is subject to the limitation of liability provisions contained within the FlaskTrack Terms of Service.
15. Contact Information
Questions regarding this Data Processing Addendum may be directed to:
privacy@santurcesoftware.com