Onlyscience Logo

Data Processing Agreement (Beta)

This Data Processing Agreement ("DPA") forms part of the agreement between:

Onlyscience Ltd

Registered address: 3 Highpath Way, Basingstoke, RG24 9SU

("Processor", "Onlyscience", "we", "us")

and

The customer identified in the applicable order, signup, or beta access confirmation

("Controller", "you")

This DPA applies to the processing of Customer Data in connection with the beta version of the Onlyscience platform (the "Service").

1. Definitions

For the purposes of this DPA, the terms "personal data", "processing", "controller", and "processor" have the meanings given to them in the UK General Data Protection Regulation ("UK GDPR").

"Customer Data" means data uploaded to the Service by or on behalf of the Controller.

2. Roles of the parties

2.1 The Controller determines the purposes and means of the processing of Customer Data.

2.2 Onlyscience processes Customer Data solely on behalf of and in accordance with the documented instructions of the Controller, as set out in this DPA and the use of the Service.

2.3 Onlyscience acts as a data processor. The Controller acts as a data controller.

3. Scope and nature of processing

3.1 Nature of the processing

Processing consists of the automated analysis, storage, and presentation of Customer Data in order to generate analytical outputs within the Service.

3.2 Purpose of the processing

The purpose of processing is to provide marketing performance analysis and insights to the Controller during a beta trial.

3.3 Categories of data

Customer Data consists primarily of marketing performance metrics and KPIs.

Personal data is not required for the Service and should not be included in uploads.

3.4 Categories of data subjects

Where personal data is incidentally included, data subjects may include customers, users, or employees of the Controller.

4. Beta context

4.1 The Service is provided on a beta / pre-commercial basis.

4.2 No service level agreements, uptime guarantees, or warranties are provided.

4.3 Processing is limited to what is necessary to operate and evaluate the beta Service.

5. Processor obligations

Onlyscience shall:

  1. process Customer Data only on documented instructions from the Controller;
  2. ensure that persons authorised to process Customer Data are subject to appropriate confidentiality obligations;
  3. implement appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful processing, loss, or disclosure;
  4. not intentionally access or download Customer Data locally unless expressly authorised by the Controller (e.g. for debugging or support);
  5. assist the Controller in responding to data subject requests where applicable; and
  6. notify the Controller without undue delay upon becoming aware of a personal data breach affecting Customer Data.

6. Sub-processors

6.1 The Controller authorises Onlyscience to engage the following sub-processors:

  • Supabase – hosting, database, and storage (EU/UK region)
  • Stripe – payment processing
  • Google Analytics – usage analytics
  • Google Workspace (Gmail) – customer communications
  • GitHub – private source code hosting (no customer data stored intentionally)

6.2 Onlyscience shall ensure that sub-processors are bound by data protection obligations substantially similar to those set out in this DPA.

6.3 Onlyscience remains responsible for the acts and omissions of its sub-processors.

7. International data transfers

7.1 Customer Data is stored and processed within the UK and/or European Union only.

7.2 Onlyscience does not intentionally transfer Customer Data outside the UK or EU during the beta period.

8. Security measures

8.1 Onlyscience implements reasonable technical and organisational measures appropriate to the nature of the processing and the beta context, including:

  • encrypted connections (HTTPS/TLS);
  • logical separation of customer data;
  • access controls limiting data access to authorised personnel only.

8.2 Onlyscience does not represent that the Service is free from all security risks.

9. Data retention and deletion

9.1 Customer Data is retained only for as long as necessary to provide the Service.

9.2 Upon written request from the Controller, or upon termination of beta access, Onlyscience shall delete Customer Data within 30 days, unless retention is required by law.

9.3 Onlyscience may retain aggregated and anonymised insights derived from Customer Data for product improvement purposes, provided such data cannot reasonably be used to identify the Controller or any individual.

10. Assistance and cooperation

Onlyscience shall provide reasonable assistance to the Controller in relation to:

  • responding to data subject rights requests; and
  • demonstrating compliance with this DPA,

taking into account the nature of the processing and the beta context.

11. Audit rights

11.1 Given the beta nature of the Service, formal audits are not supported.

11.2 Upon reasonable request, Onlyscience shall provide information necessary to demonstrate compliance with this DPA.

12. Liability

12.1 Each party's liability under this DPA is subject to the limitations set out in the applicable terms governing the Service.

12.2 Nothing in this DPA limits liability that cannot be limited under applicable law.

13. Governing law

This DPA shall be governed by and construed in accordance with the laws of England and Wales.

14. Contact

For data protection enquiries under this DPA, contact:

Email: info@onlyscience.io

Onlyscience