Back to home

Data Processing Agreement (DPA)

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer" or "Controller") and Neuropredict Lab, S.L. ("Neuropredict" or "Processor").

By using the Service, you agree to this DPA.

1. Purpose

This DPA governs the processing of personal data by Neuropredict on behalf of the Customer in connection with the provision of the Neuropredict SaaS platform (the "Service").

Neuropredict processes personal data only to provide and improve the Service.

2. Roles of the Parties

  • The Customer acts as Data Controller
  • Neuropredict acts as Data Processor

If the Customer processes data on behalf of a third party, Neuropredict acts as a Sub-processor.

3. Categories of Data

Depending on how the Service is used, Neuropredict may process:

a) Categories of data subjects

  • Employees
  • Managers or directors
  • Contractors or collaborators
  • Authorized users of the Service

b) Types of personal data

  • Identification data (name, email, username, IP address)
  • Professional data (role, company, contact details)
  • Technical data (login credentials, logs, metadata)
  • Usage data (interaction logs, usage patterns, outputs)

Neuropredict does not process special categories of data unless explicitly agreed.

4. Processing Activities

Neuropredict may perform the following processing operations:

  • Collection and recording
  • Storage and organisation
  • Access and use for service provision
  • Transmission between systems
  • Restriction or deletion
  • Return or deletion upon termination

All processing is limited to what is necessary to provide the Service.

5. Instructions

Neuropredict processes personal data only:

  • In accordance with this DPA
  • In accordance with the Customer's documented instructions
  • As required by applicable law

If an instruction violates GDPR, Neuropredict will inform the Customer.

6. Confidentiality

Neuropredict ensures that all personnel authorized to process personal data are bound by confidentiality obligations.

7. Security Measures

Neuropredict implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Access controls
  • Monitoring and logging
  • Data protection safeguards

8. Sub-processors

Neuropredict may use trusted third-party providers (e.g., hosting or infrastructure services) as sub-processors.

Neuropredict ensures that:

  • Sub-processors are bound by data protection obligations
  • Processing is limited to what is necessary for the Service

9. Data Subject Rights

Neuropredict assists the Customer, where reasonably possible, in responding to requests from data subjects, including:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Objection

10. Data Breaches

Neuropredict will notify the Customer of any personal data breach without undue delay and, where feasible, within 72 hours after becoming aware of it.

Neuropredict will provide reasonable assistance in managing the breach.

11. Data Retention and Deletion

Upon termination of the Service, Neuropredict will:

  • Delete or return personal data within 30 days
  • Retain data only where legally required

12. International Transfers

Neuropredict does not transfer personal data outside the European Economic Area (EEA) unless:

  • Required by law, or
  • Appropriate safeguards are in place (e.g., Standard Contractual Clauses)

13. Audits and Compliance

Neuropredict will make available information reasonably necessary to demonstrate compliance with this DPA.

Reasonable audits may be conducted, subject to prior notice and confidentiality obligations.

14. Governing Law

This DPA is governed by Spanish law and applicable EU data protection regulations (including GDPR).