Data Processing Agreement

Last updated: 04.05.2026

This Data Processing Agreement ("DPA") forms part of the Rodent2Human Terms of Service, Order Form, Enterprise Agreement, Master Services Agreement, or any other written agreement governing the Customer's use of the Rodent2Human or Clarisyn services, as applicable (the "Agreement").

This DPA applies only to the extent that Rodent2Human processes Customer Personal Data on behalf of the Customer in connection with the Service.

1. Parties

Customer: The organization, institution, company, or individual that has agreed to the Agreement and uses the Service ("Customer").

Processor: Rodent2Human ("Rodent2Human," "Company," "we," "us," or "our"), the provider of the Clarisyn platform.

Contact email: ravzanazli@rodent2human.com

Address: SE2 9HB

For enterprise customers requiring a signed DPA, please contact: ravzanazli@rodent2human.com

2. Definitions

In this DPA:

"Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, the EU GDPR, UK GDPR, the UK Data Protection Act 2018, and any national implementing legislation.

"Customer Content" means all data, queries, prompts, documents, files, datasets, reports, instructions, or other materials submitted to or processed through the Service by or on behalf of Customer.

"Customer Personal Data" means any Personal Data contained in Customer Content that Rodent2Human processes on behalf of Customer in connection with the Service.

"Controller" means the entity that determines the purposes and means of processing Personal Data.

"Processor" means the entity that processes Personal Data on behalf of a Controller.

"Subprocessor" means any third party engaged by Rodent2Human to process Customer Personal Data on behalf of Customer in connection with the Service.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.

"Processing" or "process" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.

"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

"Service" means the Rodent2Human website, platform, Clarisyn service, AI-powered tools, reports, outputs, and related services provided under the Agreement.

"SCCs" means the Standard Contractual Clauses approved by the European Commission under Implementing Decision (EU) 2021/914, as amended, replaced, or superseded from time to time.

"UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner's Office under the UK Data Protection Act 2018, as amended, replaced, or superseded from time to time.

The terms "controller," "processor," "personal data," "data subject," "processing," and "supervisory authority" have the meanings given to them under Applicable Data Protection Laws.

3. Scope and Roles of the Parties

3.1 Scope

This DPA applies where Rodent2Human processes Customer Personal Data on behalf of Customer in connection with the Service.

3.2 Roles of the Parties

Customer acts as a Controller of Customer Personal Data.

Where Customer processes Customer Personal Data on behalf of a third-party Controller, Customer acts as a Processor and Rodent2Human acts as Customer's Subprocessor.

Rodent2Human acts as a Processor or Subprocessor, as applicable, with respect to Customer Personal Data processed under this DPA.

3.3 Customer Responsibility

Customer is responsible for:

•       Complying with Applicable Data Protection Laws;

•       Providing all required notices to Data Subjects;

•       Obtaining all required consents, permissions, and legal bases for processing;

•       Ensuring that Customer Personal Data may lawfully be submitted to and processed through the Service;

•       Ensuring that Customer's instructions to Rodent2Human comply with Applicable Data Protection Laws.

Rodent2Human is not responsible for determining whether Customer's instructions comply with Applicable Data Protection Laws. However, if Rodent2Human reasonably believes that an instruction infringes Applicable Data Protection Laws, Rodent2Human will notify Customer, unless prohibited by law.

4. Processing Instructions

Rodent2Human will process Customer Personal Data only:

•       To provide, operate, maintain, secure, and support the Service;

•       In accordance with the Agreement, this DPA, and Customer's documented instructions;

•       As instructed by Customer or authorized users through their use and configuration of the Service;

•       As required by Applicable Data Protection Laws.

Customer's documented instructions include the Agreement, this DPA, any applicable Order Form or enterprise agreement, and instructions submitted by Customer or authorized users through the Service.

Rodent2Human will not process Customer Personal Data for its own independent purposes, except where permitted under the Agreement, this DPA, or Applicable Data Protection Laws.

5. Details of Processing

The details of the processing are set out in Annex A.

6. Confidentiality

Rodent2Human will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

Rodent2Human will limit access to Customer Personal Data to personnel who need access to provide, secure, support, or maintain the Service.

7. Security Measures

Rodent2Human will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

These measures include, as appropriate:

•       Encryption of Personal Data in transit using TLS/HTTPS;

•       Encryption of Personal Data at rest where appropriate;

•       Role-based access controls;

•       Authentication and access management;

•       Logical separation of Customer data;

•       Logging and monitoring;

•       Security review and vulnerability management;

•       Incident response procedures;

•       Confidentiality obligations for personnel and service providers;

•       Measures to maintain the ongoing confidentiality, integrity, availability, and resilience of the Service.

Rodent2Human may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.

8. Security Incident Notification

If Rodent2Human becomes aware of a Security Incident affecting Customer Personal Data, Rodent2Human will:

•       Notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of the Security Incident;

•       Provide information reasonably available to Rodent2Human to help Customer meet its own notification obligations;

•       Take reasonable steps to contain, investigate, and mitigate the Security Incident;

•       Provide updates to Customer as further relevant information becomes available.

Rodent2Human's notification of a Security Incident is not an admission of fault or liability.

Customer is responsible for determining whether a Security Incident must be notified to a supervisory authority or Data Subjects.

9. Subprocessors

9.1 General Authorization

Customer gives Rodent2Human general authorization to engage Subprocessors to process Customer Personal Data in connection with the Service.

9.2 Subprocessor Obligations

Rodent2Human will enter into written agreements with Subprocessors that impose data protection obligations no less protective, in substance, than those set out in this DPA.

Rodent2Human remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Laws.

9.3 Current Subprocessors

Current Subprocessors may include:

•       Anthropic — AI model inference and query processing — United States

•       Cloud hosting provider — cloud hosting, infrastructure, storage, and security — location depending on selected provider and configuration

•       Mixpanel — analytics and product usage analysis — United States / international

•       Payment processor, if applicable — payment processing and billing — location depending on provider

•       Authentication o