Data Processing Addendum (DPA)
Last Updated: March 4, 2026
Between: SlymeLab ("Processor" / "Service Provider") and the customer entity ("Customer" / "Controller" / "Business")
This Data Processing Addendum ("DPA") forms part of the applicable agreement between Customer and SlymeLab governing Customer's use of SlymeLab services (the "Agreement"). This DPA applies to the extent SlymeLab processes Personal Data on behalf of Customer in connection with the Services.
If there is a conflict between the Agreement and this DPA on data protection matters, this DPA controls.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable individual processed under the Services
- Customer Data: Data (including Personal Data) submitted to the Services by or on behalf of Customer
- Processing: Has the meaning given under applicable Data Protection Laws
- Data Protection Laws: Laws applicable to the processing of Personal Data under the Agreement, including (where applicable) the EU/UK GDPR and U.S. state privacy laws
- Subprocessor: A third party appointed by SlymeLab to process Personal Data on behalf of Customer
2. Roles of the Parties
- Customer is the Controller (or "Business") of Customer Data
- SlymeLab is the Processor (or "Service Provider") processing Customer Data on Customer's documented instructions
3. Scope of Processing
3.1 Customer Instructions
SlymeLab will process Customer Data only to provide the Services, as described in the Agreement and Customer's documented instructions, unless required by law. If legally required to process beyond Customer's instructions, SlymeLab will (where permitted) notify Customer.
3.2 Details of Processing
The processing details are described in Schedule 1 (Description of Processing).
4. SlymeLab Obligations
SlymeLab will:
- Implement appropriate technical and organizational measures to protect Customer Data as described in the Security Addendum and Schedule 2
- Ensure personnel authorized to process Customer Data are bound by confidentiality obligations
- Not sell Customer Data and not retain, use, or disclose Customer Data outside of providing the Services, except as permitted by applicable law and the Agreement
- Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and provide information reasonably necessary for Customer to meet legal obligations (subject to security and confidentiality)
5. Customer Obligations
Customer will:
- Ensure it has a valid legal basis to collect and provide Customer Data to SlymeLab
- Provide any required notices to and obtain any required consents from data subjects
- Ensure its instructions comply with Data Protection Laws
- Configure and use the Services in a manner consistent with Data Protection Laws (including limiting submission of unnecessary Personal Data)
6. Subprocessors
6.1 Authorization
Customer provides general authorization for SlymeLab to engage Subprocessors to process Customer Data.
6.2 Subprocessor Protections
SlymeLab will impose data protection obligations on Subprocessors at least as protective as this DPA for the relevant processing.
6.3 Subprocessor Changes and Objection
SlymeLab will maintain a list of Subprocessors (or make it available upon request). Where required, SlymeLab will provide notice of material Subprocessor changes. Customer may object on reasonable data protection grounds by notifying SlymeLab promptly. If the objection cannot be resolved, either party may terminate the affected Services as a last resort (subject to the Agreement).
7. International Transfers
7.1 Transfer Mechanism
Where Customer Data is transferred internationally in a manner restricted by Data Protection Laws, the parties will rely on an approved transfer mechanism, such as:
- EU Standard Contractual Clauses ("EU SCCs") and, where applicable, the UK Addendum
- Another lawful transfer basis recognized under applicable law
7.2 Transfer Impact and Safeguards
SlymeLab will implement supplementary safeguards as appropriate given the nature of the transfer and risks.
8. Assistance with Data Subject Requests
Taking into account the nature of processing, SlymeLab will provide reasonable assistance to enable Customer to respond to data subject requests (access, deletion, correction, etc.) for Customer Data, to the extent legally required and technically feasible. Customer is responsible for responding to requests. SlymeLab may charge reasonable fees for excessive or repetitive requests.
9. Assistance with DPIAs and Regulatory Requests
SlymeLab will provide reasonable assistance with:
- Data protection impact assessments (DPIAs) where required
- Consultations with regulators
To the extent related to SlymeLab's processing of Customer Data and as legally required.
10. Deletion and Return of Customer Data
Upon termination or expiration of the Services, SlymeLab will, in accordance with the Agreement:
- Delete or return Customer Data
- Delete remaining copies within a reasonable period
Unless retention is required by law or for legitimate purposes permitted under the Agreement (e.g., backups for limited periods).
11. Audits and Assessments
Customer may audit SlymeLab's compliance with this DPA only:
- Upon reasonable written notice
- No more than once per year (unless a material incident occurs)
- Subject to confidentiality and reasonable security constraints
SlymeLab may satisfy audit requests by providing: (i) third-party audit reports or security attestations where available, and/or (ii) responses to reasonable security questionnaires, before allowing on-site audits.
12. Liability
Liability under this DPA will be subject to the liability limitations and exclusions in the Agreement, to the fullest extent permitted by law.
13. Contact
All privacy requests under this DPA: contact@slymelab.com