Data Processing Agreement

Last updated: [DATE]

Note: This is a summary of key terms. The full DPA is available as a PDF download for institutional review.

1. Parties

Controller: You (the customer)
Processor: [Soak Legal Entity]

2. Subject Matter

Processing of research data (qualitative transcripts, documents) for the purpose of LLM-assisted qualitative analysis.

3. Categories of Data

  • Qualitative research transcripts
  • Research documents (PDF, DOCX, TXT)
  • Vector embeddings derived from documents
  • Analysis outputs (themes, codes, quotes, narratives)

4. Categories of Data Subjects

Research participants as determined by the Controller. We do not know the identity of data subjects unless included in uploaded content.

5. Processing Purposes

  • Automated qualitative analysis using LLMs
  • Semantic search and comparison
  • Result storage and export

6. Duration

Processing continues for the duration of the service agreement. Data is deleted within 30 days of account termination or deletion request.

7. Security Measures

See our Security Overview for technical and organisational measures.

8. Subprocessors

We use subprocessors to provide the service. See our Subprocessor List.

We will notify you of new subprocessors with 30 days notice. You may object to new subprocessors; if we cannot accommodate, you may terminate.

9. International Transfers

By default, processing occurs in the EU. If data is transferred outside the EU/EEA (e.g., US processing region selected), we rely on:

  • Standard Contractual Clauses (SCCs)
  • Subprocessor DPAs with equivalent protections

10. Data Subject Rights

Controller handles data subject requests. We will assist with:

  • Access requests
  • Deletion requests
  • Data portability

Response within 30 days of Controller request.

11. Deletion

On Controller request or account termination:

  • Data deleted from production systems within 30 days
  • Data deleted from backups within 90 days
  • Deletion certificate available on request (Team+ tiers)

12. Breach Notification

We will notify Controller of any personal data breach within 48 hours of becoming aware, including:

  • Nature of the breach
  • Categories of data affected
  • Likely consequences
  • Measures taken

13. Audit

We will cooperate with reasonable audit requests, subject to:

  • Reasonable notice (30 days)
  • Confidentiality obligations
  • Scope limited to compliance verification

Download

Download Full DPA (PDF)