Data Processing Agreement

Last updated: April 8, 2026

1. Scope

This Data Processing Agreement ("DPA") supplements the Terms of Service between you ("Controller") and Createnano LLC ("Processor") and governs the processing of personal data by the Processor on behalf of the Controller when using the NanoSynthc service.

This DPA applies to the extent that Processor processes personal data on behalf of Controller that is subject to the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), or any other applicable data protection law.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection law
  • Processing: Any operation performed on personal data, including collection, storage, analysis, and deletion
  • Sub-processor: Any third party engaged by Processor to process personal data on behalf of Controller

3. Processing Purpose & Instructions

Processor shall process personal data only for the purpose of providing the NanoSynthc service, specifically:

  • Receiving and processing uploaded CSV files to extract statistical profiles
  • Generating synthetic data based on extracted statistical properties
  • Storing statistical profiles for subsequent generation requests

Processor shall process personal data only on documented instructions from Controller. If Processor believes an instruction violates applicable data protection law, it shall promptly inform Controller.

4. Nature of Data Processed

Categories of data subjects: Individuals whose data may be included in uploaded CSV files (e.g., customers, patients, employees of Controller).

Types of personal data: As determined by the Controller's uploaded data, which may include names, demographics, financial data, health data, or other categories.

Important: The output of NanoSynthc (synthetic data) does not contain personal data. Synthetic records are mathematically generated and do not correspond to any real individual.

5. Security Measures

Processor implements the following technical and organizational measures:

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 encryption in transit
  • Access controls with role-based permissions
  • Bcrypt password hashing and SHA-256 API key hashing
  • Automated deletion of uploaded files after 30 days
  • Regular security audits and penetration testing
  • Employee training on data protection
  • Incident response procedures

6. Sub-processors

Processor uses the following sub-processors:

Sub-processor          Purpose                        Location
Stripe, Inc.           Payment processing             USA
Vercel, Inc.           Web hosting                    USA
Amazon Web Services    Infrastructure (Enterprise)    Region selected by customer

Processor will notify Controller at least 30 days before adding a new sub-processor. Controller may object within 14 days.

7. Data Subject Rights

Processor shall assist Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. Processor shall notify Controller promptly if it receives a data subject request directly.

8. Data Breach Notification

Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories of data affected, estimated number of individuals affected, and measures taken to address the breach.

9. International Transfers

For transfers of personal data from the EEA/UK to the USA, Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (2021/914). A copy of the applicable SCCs is available upon request.

10. Audit Rights

Controller has the right to audit Processor's compliance with this DPA. Processor shall make available all information necessary to demonstrate compliance. Audits shall be conducted with reasonable notice and during business hours.

11. Deletion & Return

Upon termination of the Service or upon Controller's request, Processor shall delete all personal data processed on behalf of Controller within 30 days, unless retention is required by applicable law. Processor shall certify deletion upon request.

12. Contact

For DPA-related inquiries, contact our Data Protection Officer at dpo@createnano.com.

Createnano LLC · 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110