Data Processing Agreement (Template)
This template is provided for universities and research institutions engaging SpinScience.org services. It must be reviewed and adapted to the specific service configuration.
1. Parties
Controller: [Institution / University legal name]
Processor: Universita Popolare Nikola Tesla (SpinScience.org)
2. Subject Matter and Duration
Processing concerns hosting, indexing, moderation support, and publication workflows for research outputs, for the term of the service agreement and related archival/legal retention periods.
3. Nature and Purpose of Processing
- Receive and manage research-related submissions and metadata.
- Publish and maintain repository records and persistent identifiers where applicable.
- Provide technical operations, security controls, and support services.
4. Categories of Data Subjects and Personal Data
- Data subjects: researchers, contributors, institutional contacts, reviewers/editors where applicable.
- Data categories: identity/contact data, professional affiliation metadata, submission-related content and logs.
5. Controller Instructions
Processor processes personal data only on documented instructions from the Controller, unless otherwise required by applicable law.
6. Confidentiality and Personnel
Processor ensures authorized personnel are bound by confidentiality obligations and receive data protection training proportionate to their role.
7. Security Measures
- Access control and authentication for administrative functions.
- Transport security and hardening practices.
- Logging, monitoring, and abuse prevention controls.
- Backup and recovery procedures appropriate to service criticality.
8. Subprocessors and International Transfers
Processor may engage subprocessors for hosting and infrastructure. Processor maintains an up-to-date subprocessor list and ensures transfer mechanisms (including SCCs where required) for non-EEA processing.
9. Assistance with Data Subject Rights
Processor assists Controller with requests related to access, rectification, erasure, restriction, portability, and objection, as required under GDPR.
10. Personal Data Breach Handling
Processor notifies Controller without undue delay after becoming aware of a personal data breach and provides available information to support legal notification duties.
11. Deletion or Return
At contract end, Processor deletes or returns personal data under Controller instruction, except where retention is required by law or justified for archival/scientific integrity purposes under documented legal grounds.
12. Audit and Information Rights
Processor makes available information necessary to demonstrate compliance and supports reasonable audits, subject to confidentiality, security, and proportionality safeguards.
13. Contact for DPA Finalization
For a fillable version and signature workflow, contact info@unitesla.eu.
Template Version: 1.0 - February 7, 2026