Data Processing Agreement

Effective Date: 28 May 2026

This Data Processing Agreement ("DPA") forms part of the agreement between:

Onlyscience Ltd ("Processor," "Onlyscience," "we," "us")

and

The customer using the Service ("Controller," "Customer," "you")

This DPA applies where Onlyscience processes personal data on behalf of Customers in connection with the Service.

1. Definitions

The terms "controller", "processor", "personal data", "processing", and "data subject" have the meanings given under applicable data protection law.

"Customer Data" means data uploaded to the Service by or on behalf of the Customer.

"Applicable Data Protection Law" means UK GDPR, EU GDPR where applicable, and related data protection legislation.

2. Roles of the Parties

The Customer acts as the controller of Customer Data. Onlyscience acts as the processor when processing Customer Data on behalf of the Customer.

Onlyscience may also act as an independent controller for operational business data such as:

  • account administration;
  • billing;
  • platform analytics;
  • support communications.

3. Nature and Purpose of Processing

Onlyscience processes Customer Data for the purpose of:

  • providing the Service;
  • hosting and storing Customer Data;
  • generating analytical outputs and forecasts;
  • maintaining platform functionality and security;
  • providing customer support.

Processing activities may include:

  • collection;
  • storage;
  • organisation;
  • analysis;
  • retrieval;
  • deletion.

4. Categories of Data

Customer Data may include:

  • marketing performance data;
  • advertising data;
  • sales and revenue data;
  • business operational data;
  • limited personal data uploaded by Customers.

Data subjects may include:

  • customers;
  • employees;
  • marketing audiences;
  • business contacts.

Customers remain responsible for ensuring uploaded data is lawfully processed.

5. Processor Obligations

Onlyscience shall:

  • process Customer Data only on documented instructions from the Customer;
  • ensure personnel with access to Customer Data are subject to confidentiality obligations;
  • implement reasonable technical and organisational security measures;
  • assist Customers with reasonable data protection requests where practicable;
  • notify Customers without undue delay upon becoming aware of a confirmed personal data breach affecting Customer Data.

6. Security Measures

Security measures may include:

  • encryption in transit;
  • encryption at rest;
  • logical segregation of customer data;
  • authentication controls;
  • audit logging;
  • restricted personnel access.

Onlyscience does not guarantee that the Service is immune from all security risks or vulnerabilities.

7. Subprocessors

The Customer authorises Onlyscience to use subprocessors involved in providing the Service. Subprocessors may include:

  • Supabase;
  • Google Cloud;
  • Stripe;
  • HubSpot;
  • Vercel;
  • Render;
  • GitHub.

Onlyscience may add or replace subprocessors from time to time. Onlyscience shall ensure subprocessors are subject to appropriate contractual data protection obligations.

8. International Transfers

Where Customer Data is transferred internationally, Onlyscience shall implement appropriate safeguards where required by applicable law.

9. Customer Responsibilities

Customers are responsible for:

  • ensuring they have lawful grounds to process Customer Data;
  • providing required notices to data subjects;
  • obtaining necessary permissions and consents;
  • complying with applicable data protection law.

Customers must not upload unlawful data.

10. Data Subject Requests

Taking into account the nature of the processing, Onlyscience shall provide reasonable assistance to Customers in responding to data subject requests where legally required.

11. Data Retention and Deletion

Customer Data is retained for the duration of the subscription unless otherwise requested. Following termination:

  • Customer Data may remain available for retrieval for up to 30 days;
  • thereafter Customer Data may be deleted or anonymised.

Onlyscience may retain aggregated and anonymised analytics that do not identify Customers or individuals.

12. Audits

Formal onsite audits are not supported.

Upon reasonable written request, Onlyscience may provide information reasonably necessary to demonstrate compliance with this DPA.

13. Liability

Liability under this DPA is subject to the liability limitations contained in the applicable Terms of Service. Nothing in this DPA limits liability that cannot legally be limited.

14. Governing Law

This DPA is governed by the laws of England and Wales.

15. Contact

Questions relating to this DPA may be sent to:

Onlyscience