Data Processing Agreement
Last updated: February 2026
This page outlines the standard terms of our Data Processing Agreement under GDPR Article 28. The actual DPA is executed separately as part of each customer agreement. Contact vilmer@batchcortex.com to request a signed copy.
1. Roles and Responsibilities
The Customer (“Data Controller”) determines the purposes and means of processing personal data. BatchCortex (“Data Processor”) processes personal data only on documented instructions from the Controller, as described in this agreement and the corresponding service agreement.
2. Processing Purposes
- Real-time batch monitoring and sensor data ingestion
- Anomaly detection and AI-generated deviation reports
- Escalation notifications (email, SMS, voice call)
- Electronic signatures for batch sign-off (21 CFR Part 11)
- Audit trail and compliance record keeping
3. Categories of Personal Data
- Employee names and email addresses (account profiles)
- Phone numbers (escalation alerts, with explicit consent)
- Electronic signatures (batch sign-off records)
- Login timestamps and usage activity
BatchCortex does not process special category data (health, biometric, etc.). Sensor readings from manufacturing equipment are not personal data.
4. Sub-Processors
BatchCortex uses the following sub-processors. The Controller will be notified in advance of any changes to this list.
| Provider | Location | Purpose |
|---|---|---|
| Supabase | EU (Stockholm) | Database, authentication |
| Mistral AI | France | AI report generation |
| Twilio | EU (Ireland) | SMS and voice call delivery |
| Sentry | EU (Frankfurt) | Error monitoring (technical data only) |
| Resend | EU (Ireland) | Transactional email delivery |
| Vercel | EU (Frankfurt) | Website and application hosting |
| PostHog | EU (Frankfurt) | Product analytics (eu.i.posthog.com) |
5. Data Retention
Personal data is retained for the duration of the service agreement. GMP batch records may be subject to regulatory retention requirements (typically 1 year after batch expiry or 5 years after release, whichever is longer). Upon contract termination, personal data is deleted within 30 days unless retention is required by law.
6. Security Measures
- Encryption at rest and in transit (TLS 1.3)
- Row-level security (RLS) enforced at the database level
- Role-based access control (QA, QP, Admin)
- Immutable audit trail with SHA-256 hash on every record
- Service role keys never exposed to the frontend
- Invite-only onboarding — no public registration
7. Data Breach Notification
In the event of a personal data breach, BatchCortex will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. The notification will include the nature of the breach, categories of data affected, approximate number of records, and measures taken to mitigate the breach.
8. Data Subject Rights
BatchCortex will assist the Controller in fulfilling data subject access requests (DSARs) under GDPR Articles 15–22. This includes requests for access, rectification, erasure, restriction, data portability, and objection to processing. Requests will be addressed within 30 days.
9. Contact
To request a signed DPA or discuss data processing terms, contact: vilmer@batchcortex.com