specimenOS

Data Processing Agreement

Last Updated: May 12, 2026

1. Introduction

This Data Processing Agreement ("DPA") supplements the Terms of Service between Cannomic ("Processor", "we", "us") and the Customer ("Controller", "you") and governs how Cannomic processes personal data on behalf of the Customer as a data processor under the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

  • Customer (Controller) — The entity that has agreed to the Terms of Service and determines the purposes and means of processing personal data through the Service.
  • Cannomic (Processor) — Cannomic, the operator of SpecimenOS, which processes personal data on behalf of the Customer.
  • Personal Data — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • Processing — Any operation or set of operations performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • Sub-processor — A third party engaged by Cannomic to process personal data on behalf of the Customer.
  • Data Subject — An identified or identifiable natural person whose personal data is processed.
  • Supervisory Authority — An independent public authority established by an EU/EEA member state pursuant to Article 51 of the GDPR.

3. Scope & Roles

The Customer acts as the data controller and determines the purposes and means of processing personal data. Cannomic acts as the data processor and processes personal data only on behalf of and in accordance with the documented instructions of the Customer.

Cannomic processes personal data solely as instructed by the Customer and only as necessary to provide the SpecimenOS platform (the "Service"). Cannomic shall not process personal data for any other purpose unless required to do so by applicable law, in which case Cannomic shall inform the Customer of that legal requirement before processing (unless prohibited by law from doing so).

4. Processing Instructions

Cannomic processes personal data solely to provide the SpecimenOS platform. The scope of processing includes:

  • Storage of personal data in secure databases
  • Retrieval and display of personal data within the Service
  • Organization and structuring of data across workspaces
  • Regular backup and disaster recovery operations
  • Deletion of data upon Customer request or account termination

The Customer's complete processing instructions are set out in the Terms of Service and this DPA. Any additional or amended instructions must be agreed in writing by both parties.

5. Confidentiality

Cannomic ensures that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is limited to those employees, contractors, and agents who require access to perform their duties in connection with the Service.

6. Security Measures

Cannomic implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including:

  • Encryption at rest and in transit — All data is encrypted using TLS 1.2 or higher for data in transit and AES-256 encryption for data at rest.
  • Row-level security (RLS) — Database-level enforcement ensuring workspace data isolation. Each workspace's data is accessible only to authorized members of that workspace.
  • Role-based access controls — Granular permissions enforced across Director, Supervisor, and Grower roles with 23 permission flags.
  • Regular backups — Automated backups with point-in-time recovery capability.
  • Access logging and audit trails — Append-only audit logs tracking all data mutations, administrative actions, and access events.
  • Secure authentication — Authentication managed through Supabase Auth with password hashing, session management, and configurable authentication levels.
  • Infrastructure isolation — Logical separation between workspaces at the database and application layers.

7. Sub-processors

The Customer authorizes Cannomic to engage the following sub-processors to assist in providing the Service:

  1. Supabase — Database hosting, authentication, and real-time data services
  2. Vercel — Application hosting, edge networking, and serverless compute
  3. Stripe — Payment processing and subscription management
  4. Resend — Transactional email delivery (authentication emails, notifications)

Cannomic shall notify the Customer of any intended changes to its sub-processors (additions or replacements) at least 30 days prior to the change taking effect, providing the Customer an opportunity to object.

The Customer may object to a new sub-processor within 14 days of receiving notice. If the Customer objects on reasonable grounds related to data protection, Cannomic shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative can be provided, the Customer may terminate the affected Service component.

8. Data Subject Requests

Cannomic shall assist the Customer in fulfilling its obligations to respond to data subject requests exercising their rights under Chapter III of the GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to restriction of processing
  • Right to object

If Cannomic receives a data subject request directly, Cannomic shall promptly notify the Customer and shall not respond to the request without the Customer's prior authorization, unless legally required to do so.

9. Data Breach Notification

Cannomic shall notify the Customer of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • The nature of the personal data breach, including where possible the categories and approximate number of data subjects and personal data records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
  • The name and contact details of Cannomic's point of contact for further information

Cannomic shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.

10. International Transfers

Personal data is processed and stored in the United States. Where personal data originating from the European Union, European Economic Area, or the United Kingdom is transferred to the United States, such transfers are governed by the EU Standard Contractual Clauses (SCCs) as approved by the European Commission.

Cannomic implements supplementary technical and organizational measures where required to ensure that the level of protection of personal data is not undermined by the transfer, including encryption, access controls, and pseudonymization where appropriate.

11. Audit Rights

The Customer may audit Cannomic's compliance with this DPA subject to the following conditions:

  • The Customer shall provide at least 30 days written notice prior to any audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with Cannomic's operations.
  • Audits shall be limited to no more than once per calendar year, unless a data breach or supervisory authority investigation requires additional audits.
  • Cannomic shall provide the Customer with all relevant records, documentation, and information reasonably necessary to demonstrate compliance with this DPA.

12. Data Return & Deletion

Upon termination or expiration of the Customer's subscription, the Customer may export all of their data from the Service within 30 days of termination.

After the 30-day period, Cannomic shall permanently delete all of the Customer's personal data from its systems, including all copies and backups, except where retention is required by applicable law or regulation. Where legal retention is required, Cannomic shall isolate and protect the data from any further processing and shall delete it upon expiration of the retention period.

13. Duration

This DPA is effective as of the date the Customer accepts the Terms of Service and shall remain in effect for the duration of the Customer's subscription. This DPA shall automatically terminate when all personal data has been deleted or returned in accordance with Section 12.

14. Liability

Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for obligations that cannot be limited under applicable data protection law.

15. Contact

For questions or requests regarding this Data Processing Agreement, please contact us:

    Data Processing Agreement | SpecimenOS | specimenOS