Data Processing Agreement
What this is. A standard-form Data Processing Agreement ("DPA") compliant with Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, and equivalent obligations under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140 et seq., "CCPA") where Holistic Quality LLC acts as a Service Provider.
How it executes. This DPA is offered to every Customer of the ALETHEIA API and is incorporated by reference into the Terms of Service. By using the Service to process Personal Data, the Customer accepts this DPA. A counter-signed version, customer-specific exhibits (Annex I subject-matter and Annex II sub-processor list), and a redlineable Word version are available on request via the enterprise contact form.
- 1. Definitions
- 2. Scope and Roles
- 3. Processor Obligations
- 4. Confidentiality
- 5. Sub-processors
- 6. International Transfers
- 7. Security Measures (TOMs)
- 8. Data Subject Requests
- 9. Personal Data Breach
- 10. Audits
- 11. Return or Deletion
- 12. CCPA Service-Provider Terms
- 13. Liability and Indemnity
- 14. Term and Termination
- 15. Governing Law and Jurisdiction
- Annex I — Subject-Matter, Duration, Categories
- Annex II — Sub-Processors
- Annex III — Technical and Organizational Measures
- How to Execute
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Terms of Service or, where used in their GDPR / UK GDPR / CCPA sense, the meaning given in those laws.
- "Customer" means the entity that accesses the Service under the Terms of Service, whether directly via a Holistic Quality-issued API key or via a marketplace (e.g., RapidAPI).
- "Holistic Quality", "we", "us", "our" means Holistic Quality LLC, an Ohio limited liability company, having its principal place of business at Lebanon, Ohio, United States.
- "Service" means the ALETHEIA chemical safety reference API and related SDKs, dashboards, and documentation made available at api.aletheia.holisticquality.io.
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Holistic Quality on behalf of the Customer in connection with the Service. The scope of Personal Data processed in connection with the Service is intentionally narrow and is described in Annex I.
- "Controller", "Processor", "Processing", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in Article 4 GDPR.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs (version B1.0) issued by the UK Information Commissioner.
2. Scope and Roles
This DPA applies to the Processing of Personal Data by Holistic Quality on behalf of the Customer in connection with the Service.
For the avoidance of doubt:
- The Customer is the Controller of Personal Data submitted to the Service through the Customer's account (including any Personal Data the Customer or its end users provide in API request payloads).
- Holistic Quality is the Processor of that Personal Data and acts solely on documented instructions from the Customer, as set out in the Terms of Service, this DPA, and any subsequent written instructions.
- Holistic Quality is an independent Controller for Personal Data it collects directly for its own purposes (e.g., account email at the time of key issuance, billing records, security logs identifying the account-holder). The handling of that controller-level data is governed by the Privacy Policy and is outside the scope of this DPA.
The Service is a stateless reference API. The Service does not require Personal Data in API request payloads in order to function. Where a Customer chooses to submit Personal Data (for example, by including a recipient name in a compound-context query), that submission is the Customer's instruction to the Processor to Process that Personal Data for the purpose of returning the requested API response.
3. Processor Obligations
Holistic Quality shall:
- Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law; in such case, Holistic Quality will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (see Section 4).
- Implement the technical and organizational measures set out in Annex III and any further measures required under Article 32 GDPR.
- Respect the conditions for engaging Sub-processors set out in Section 5.
- Taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subjects' rights laid down in Chapter III GDPR (see Section 8).
- Assist the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation) taking into account the nature of Processing and the information available to Holistic Quality.
- At the choice of the Customer, delete or return all Personal Data after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage (see Section 11).
- Make available to the Customer all information necessary to demonstrate compliance with this DPA and Article 28 GDPR, and allow for and contribute to audits, including inspections, as set out in Section 10.
Holistic Quality shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes the GDPR or other applicable data-protection provisions.
4. Confidentiality
Holistic Quality shall ensure that any natural person acting under its authority who has access to Personal Data does not Process that data except on instructions from the Customer, unless required to do so by Union or Member State law. Holistic Quality has implemented role-based access controls, audit logging of administrative actions, and contractual confidentiality obligations binding all personnel with access to Customer Personal Data. As of the Effective Date, the only personnel with administrative access to Customer Personal Data is the founder and operator, Levi Robey.
5. Sub-processors
The Customer authorizes Holistic Quality to engage the Sub-processors listed in Annex II and at /privacy/subprocessors (the "Sub-processor Page") for the Processing activities described in this DPA. The Sub-processor Page is the canonical, version-controlled list of Sub-processors and is updated when a Sub-processor is added, removed, or replaced.
Holistic Quality shall:
- Notify the Customer of any intended changes concerning the addition or replacement of a Sub-processor at least 30 days in advance, giving the Customer the opportunity to object to such changes. Notice is delivered (a) by updating the Sub-processor Page, and (b) where the Customer has provided a notification email address (via the contact form with intent "partnership" or "enterprise", or via the email on file for direct-issued keys), by email.
- If the Customer objects to a Sub-processor change on reasonable data-protection grounds within 14 days of notice, the Parties shall negotiate in good faith a solution. Where no resolution is reached, the Customer may terminate the affected portion of the Service for cause and without penalty, subject to a pro-rata refund of pre-paid, unused fees.
- Impose on each Sub-processor, by means of a written contract, data-protection obligations no less protective than those imposed on Holistic Quality by this DPA, including the obligation to implement appropriate technical and organizational measures.
- Remain fully liable to the Customer for the performance of each Sub-processor's data-protection obligations.
6. International Transfers
Holistic Quality LLC is based in the United States. Personal Data may be transferred to, stored in, or accessed from the United States or other jurisdictions outside the European Economic Area, the United Kingdom, or Switzerland in connection with the operation of the Service and the Sub-processors listed in Annex II.
To the extent any such transfer involves a transfer of Personal Data from the EEA, the UK, or Switzerland to a country outside the EEA / UK / Switzerland that has not received an adequacy decision under Article 45 GDPR (or the UK or Swiss equivalents), the Parties agree as follows:
- EU transfers. The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), are incorporated into this DPA by reference and apply to such transfers. The Parties select the optional Clause 7 (docking clause) and Option 1 under Clause 9 (general written authorization for Sub-processors). Annex I.A of the SCCs is populated as set out in Annex I of this DPA; Annex I.B is the description in Annex I; the competent Supervisory Authority for the purposes of Clause 13 is the supervisory authority of the EU Member State in which the Customer is established or, where the Customer is not established in the EU, the supervisory authority of the Member State in which the Customer's EU representative is appointed.
- UK transfers. The UK International Data Transfer Addendum (IDTA), version B1.0, is incorporated by reference and applies to transfers governed by the UK GDPR.
- Swiss transfers. Until the Swiss Federal Council recognizes the SCCs as providing adequate safeguards, the SCCs as incorporated above apply with the adaptations published by the Federal Data Protection and Information Commissioner: references to the GDPR shall be understood as references to the Swiss Federal Act on Data Protection (FADP) and references to EU Member States shall be understood as references to Switzerland.
In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
7. Security Measures (TOMs)
Holistic Quality has implemented and shall maintain the technical and organizational measures set out in Annex III, which are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in compliance with Article 32 GDPR.
Holistic Quality may modify or update those measures from time to time provided that the modifications and updates do not degrade the overall security of the Service.
8. Data Subject Requests
Taking into account the nature of the Processing, Holistic Quality shall assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subjects' rights (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making) under Chapter III GDPR.
If Holistic Quality receives a request directly from a Data Subject relating to Personal Data Processed by Holistic Quality on behalf of the Customer, Holistic Quality shall, without undue delay, forward the request to the Customer and shall not respond to the request itself, except to acknowledge receipt and direct the Data Subject to the Customer, unless legally compelled to do so.
Where the Service offers self-serve erasure (currently available at POST /api/account/erase for direct-issued keys), the Customer or its Data Subject may exercise erasure directly without operator intervention.
9. Personal Data Breach
Holistic Quality shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Customer's Personal Data. Notice will be delivered to the email address on file for the Customer's account or, where no account email is on file (e.g., RapidAPI gateway users), via the breach-disclosure mechanism of the gateway.
The notice shall include, to the extent then known:
- the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- the name and contact details of the security contact (currently safety@holisticquality.io);
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to be taken by Holistic Quality to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where the information cannot be provided in a single communication, it may be provided in phases without further undue delay.
10. Audits
Holistic Quality shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Article 28 GDPR. The Customer may exercise its audit right by:
- reviewing the Sub-processor Page, the Privacy Policy, and the published security disclosures at /.well-known/security.txt;
- requesting a copy of the most recent independent penetration-test summary or SOC-equivalent attestation, where available, by submitting a written request via the enterprise contact form;
- requesting an on-site audit conducted by the Customer or an independent third-party auditor mandated by the Customer, subject to reasonable advance notice (no less than 30 days), confidentiality obligations, and reimbursement of Holistic Quality's reasonable costs of supporting the audit. On-site audits are restricted to once per twelve-month period, except where a Personal Data Breach has occurred or a Supervisory Authority requires more frequent inspection.
Audits shall not be conducted in a manner that compromises the confidentiality or security of other customers' data or the Service itself.
11. Return or Deletion
At the choice of the Customer, expressed in writing, Holistic Quality shall delete or return all the Personal Data to the Customer after the end of the provision of services relating to Processing, and shall delete existing copies unless Union or Member State law requires storage of the Personal Data.
If no instruction is received within 30 days of termination, Holistic Quality shall delete the Personal Data within a further 30 days, except where retention is required to comply with legal obligations (e.g., billing and tax records) or for the establishment, exercise, or defense of legal claims.
Backups containing Personal Data are retained for a maximum of 90 days from the last write to that backup. Deletion within backups is achieved by aging the backup out of rotation rather than by selective erasure of individual records, which would compromise backup integrity.
12. CCPA Service-Provider Terms
To the extent Holistic Quality Processes Personal Information (as defined in the CCPA) of California residents on behalf of the Customer, Holistic Quality acts as a Service Provider under Cal. Civ. Code § 1798.140(ag) and the Parties agree as follows:
- Holistic Quality shall Process Personal Information only for the limited and specified purpose of providing the Service to the Customer as described in this DPA and the Terms of Service.
- Holistic Quality shall not sell or share (as defined in the CCPA) any Personal Information.
- Holistic Quality shall not retain, use, or disclose Personal Information for any commercial purpose other than the specified business purposes set out in this DPA, including the commercial purpose of providing services to another person.
- Holistic Quality shall not retain, use, or disclose Personal Information outside of the direct business relationship between Holistic Quality and the Customer.
- Holistic Quality shall not combine Personal Information received from the Customer with Personal Information received from or on behalf of any other person or collected from Holistic Quality's own interactions with the Data Subject, except as permitted under § 1798.140(ag)(1)(A)-(C).
- Holistic Quality certifies that it understands the restrictions in this Section 12 and shall comply with them.
- The Customer may take reasonable and appropriate steps to ensure that Holistic Quality uses Personal Information consistent with the Customer's CCPA obligations, and may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
13. Liability and Indemnity
Each Party's liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes either Party's liability where such limitation or exclusion is prohibited by applicable law (including with respect to Data Subjects' rights under Article 79 GDPR or equivalent provisions of UK GDPR or other applicable laws).
14. Term and Termination
This DPA enters into force on the Effective Date and applies for so long as Holistic Quality Processes Personal Data on behalf of the Customer, and thereafter to the extent necessary to perform any post-termination obligations (including Section 11 deletion/return).
Holistic Quality may amend this DPA from time to time to reflect changes in applicable law or to add safeguards. Material changes (defined as changes that materially reduce the rights of the Customer or materially reduce Holistic Quality's obligations) will be notified at least 30 days in advance by updating this page and (where the Customer has provided a notification email) by email; non-material changes take effect on posting. The Customer may terminate the affected portion of the Service for cause and without penalty if it does not accept a material change.
15. Governing Law and Jurisdiction
This DPA is governed by the laws of the State of Ohio, United States, without regard to its conflict-of-laws principles, except that to the extent the SCCs are incorporated under Section 6, the choice of law and jurisdiction provisions of the SCCs (Clauses 17 and 18) prevail over this Section 15 with respect to the matters they cover.
Annex I — Subject-Matter, Duration, Categories
| Annex I item | Description |
|---|---|
| List of Parties | Data Exporter: the Customer. Data Importer: Holistic Quality LLC, Lebanon, Ohio, USA — privacy@holisticquality.io. |
| Subject matter | Provision of the ALETHEIA chemical safety reference API and related services to the Customer. |
| Duration | For the duration of the Customer's use of the Service, and thereafter to the extent set out in Section 11. |
| Nature and purpose of Processing | Receiving API requests and returning structured chemical safety reference data; usage metering and rate-limiting; billing (for paid tiers); customer support; security monitoring and abuse prevention. |
| Categories of Data Subjects | (a) The Customer's authorized representatives and operators who access the Service. (b) End users of the Customer's products that submit data to the Service through the Customer's account, but only where the Customer chooses to include such data in API request payloads. |
| Categories of Personal Data | Identifiers: hashed API-key identifier; email address provided at the time of key issuance (direct-issued keys only); IP address; user-agent string. Usage metadata: endpoint called, timestamp, request parameters, response status, latency. No special categories of personal data are processed by default. Any submission of special-category data via API request payloads is the Customer's responsibility. |
| Frequency | Continuous, per-request. |
| Retention | Hashed API-key records: until the account is terminated plus 30 days. Request-level access logs: 30 days, then aggregated. Billing records: 7 years per US tax-record obligations. See Privacy Policy §6 for full retention schedule. |
| Recipients | Sub-processors listed at /privacy/subprocessors and reproduced in Annex II. |
Annex II — Sub-Processors
The canonical, version-controlled list of Sub-processors is published at /privacy/subprocessors. As of the Effective Date, the categories are:
- Infrastructure — Vercel Inc. (USA): hosting and edge delivery. Cloudflare Inc. (USA): CDN, DNS, edge security.
- Data layer — Upstash Inc. (USA; account records stored in eu-west-1, Ireland): Redis (account state, rate limits).
- Operational tooling — Resend Inc. (USA): transactional email. Stripe Inc. (USA): billing and subscription management (paid tiers only).
- Marketplace — RapidAPI Inc. (USA): API gateway and billing (RapidAPI customers only).
Each Sub-processor is engaged under written contracts that incorporate the EU Standard Contractual Clauses (Module Three or Module Four, as applicable) for transfers outside the EEA, or rely on an adequacy decision where one applies. Per-processor transfer-mechanism status is maintained at /api/compliance.
Annex III — Technical and Organizational Measures
The following measures apply to all Processing of Customer Personal Data and are designed to meet the requirements of Article 32 GDPR.
A. Pseudonymization and encryption
- Personal Data in transit is protected with TLS 1.2 or later between the Data Subject's client and the Service, between the Service and its Sub-processors, and between internal Service components. HSTS with `max-age=63072000; preload` is enforced on all public surfaces.
- API keys are stored in hashed form only (SHA-256 of the raw key); the raw key is shown to the issuing customer once at issuance and never persisted in raw form.
- Data at rest in the data layer (Upstash Redis) is encrypted using provider-managed keys (AES-256).
- Backups are encrypted at rest with provider-managed keys.
B. Confidentiality, integrity, availability, resilience
- Multi-region active deployment (currently `iad1`, `sfo1`, `lhr1`) for resilience; automatic failover via Vercel's edge routing.
- Fail-closed authentication: rate-limit and API-key validation use a Redis-backed store; if the store is unreachable, requests are denied rather than allowed.
- Role-based access controls on all administrative interfaces; production access limited to the operator listed in Section 4.
- Audit logging of administrative actions with append-only semantics.
- UUIDv7 request identifiers on every request to support tracing and audit.
- Content-Security-Policy with nonce-based script enforcement on user-facing surfaces; X-Frame-Options DENY; X-Content-Type-Options nosniff.
- Origin validation on POST endpoints; signed unsubscribe URLs using HMAC-SHA256.
- Dependency-vulnerability scanning on every deploy; published security disclosure policy at /.well-known/security.txt.
C. Restoration and testing
- Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident: backups taken daily; recovery objectives RPO ≤ 24 hours, RTO ≤ 4 hours for account-state data.
- Regular (no less than annual) testing of restore procedures and incident-response playbooks.
D. Process for regular review
- Process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures: internal coherence audits run alongside every major deploy (most recent: `2026-05-14-hq-coherence.md`, `2026-05-14-business-readiness.md`); independent penetration test commissioned annually or after any material change in scope.
E. Sub-processor controls
- Written contracts with all Sub-processors imposing data-protection obligations no less protective than this DPA.
- Sub-processor list maintained at /privacy/subprocessors and updated within 7 days of any change.
- Annual review of Sub-processor security postures based on their published documentation, SOC 2 reports (where available), and material incidents.
How to Execute
This DPA is automatically incorporated into the Terms of Service by reference and applies to every Customer of the Service. Most customers do not need to take any action — by using the Service, the DPA is in force.
Some procurement processes require a counter-signed DPA or a redlined Word version. We have one ready and can return a signed copy within 1 business day. Materially different drafts (e.g., your enterprise template) typically take 3-5 business days for review and any pushback.