Data Processing Agreement
For institutional customers (hospitals, universities, research networks) who need a signed DPA under GDPR Article 28 or UK GDPR before deploying Symmathy.
Summary
Symmathy (Symmathy LLC, Wyoming, USA) acts as a Processor for personal data your users submit through the Service (search queries, uploaded document text, account information). You (the institution) are the Controller. We process that data only on your documented instructions, restricted to the purposes set out in our Privacy Policy and these terms.
Sub-processors
- Lovable Cloud — hosting, database, authentication, file storage, edge compute.
- Google (via Lovable AI Gateway) — Gemini models for summarization and Q&A.
- OpenAI (via Lovable AI Gateway) — GPT models for summarization and Q&A.
- Source databases — PubMed, Europe PMC, Cochrane, ClinicalTrials.gov, J-STAGE, LILACS (BVS/BIREME), DOAJ, HAL, OpenAlex, CrossRef. These receive only the search query, not user identity.
We notify you of changes to this list 30 days before they take effect.
Security measures (Article 32)
- TLS 1.2+ in transit; encryption at rest for all stored data;
- Row-level security so user A cannot read user B's data;
- Service-role keys held only on server-side infrastructure;
- Logical separation of customer data per Supabase project;
- Logging and monitoring of authentication events;
- Personnel access on a need-to-know basis with documented offboarding;
- Incident response with notification within 72 hours of becoming aware of a personal-data breach.
International transfers
Sub-processors located outside the EEA/UK are bound by the European Commission's Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum where applicable.
Data subject rights
We assist you with data subject access, rectification, erasure, restriction, and portability requests within 30 days. End users can also delete their own account data directly from the Library page.
Term and deletion
The DPA continues for as long as we process personal data on your behalf. Upon termination, we delete or return all personal data within 60 days unless retention is required by applicable law.
How to execute
- Download the Markdown copy above (full text) and have your DPO review it.
- Email connect@symmathy.org with your institution's name, controller details, and any redlines.
- We countersign and return a PDF copy via email within 5 business days.
Operator notice
This template is a starting point, not a finalized contract. Material terms (jurisdiction, sub-processor list, security exhibit) must be reviewed by qualified counsel before being executed with any customer.