Last updated March 1, 2026

Data Processing Agreement

This DPA forms part of the agreement between you (“Controller”) and NeuroBazar Inc. (“Processor”) for the Midcore Service.

This Data Processing Agreement (“DPA”) is entered into between the entity agreeing to these terms (“Controller” or “Customer”) and NeuroBazar Inc., a Delaware corporation (“Processor” or “NeuroBazar”), and supplements the Midcore Terms of Service (“Agreement”). This DPA governs the processing of personal data by NeuroBazar on behalf of the Controller in connection with the Midcore Service.

1. Definitions

For the purposes of this DPA:

Personal Data
Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
Processing
Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Controller
The entity that determines the purposes and means of processing personal data — i.e., the Customer.
Processor
The entity that processes personal data on behalf of the Controller — i.e., NeuroBazar Inc.
Sub-Processor
A third party engaged by the Processor to process personal data on behalf of the Controller.
Data Subject
An identified or identifiable natural person whose personal data is processed.
Data Protection Laws
All applicable laws relating to data protection, including the GDPR (EU), UK GDPR, CCPA (California), and any successor legislation.
Standard Contractual Clauses (SCCs)
The contractual clauses adopted by the European Commission for international data transfers, as amended or replaced.

2. Scope & Purpose

This DPA applies to the processing of personal data by NeuroBazar in the course of providing the Midcore Service to the Customer. The scope of processing includes:

Subject Matter: Provision of AI-powered software development tools
Duration: For the term of the Agreement, plus the period needed to delete or return personal data
Nature & Purpose: AI code completion, chat, agent execution, codebase indexing, analytics
Data Categories: Account data (name, email), usage data, code snippets, project metadata, IP addresses
Data Subjects: Customer employees, contractors, and authorized end users of the Service

3. Processor Obligations

NeuroBazar shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality
  • Implement appropriate technical and organizational security measures as described in Section 7
  • Not engage another processor without prior specific or general written authorization of the Controller
  • Assist the Controller in responding to data subject requests, taking into account the nature of processing
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs)
  • At the choice of the Controller, delete or return all personal data upon termination of the Agreement
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Data Subject Rights

NeuroBazar will assist the Controller in fulfilling its obligations to respond to data subject requests under Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection.

If NeuroBazar receives a request directly from a data subject, NeuroBazar will promptly notify the Controller (unless prohibited by law) and will not respond to the request directly unless authorized to do so by the Controller or required by applicable law.

NeuroBazar will implement technical measures to enable the Controller to fulfill data subject requests, including data export functionality, account deletion capabilities, and processing restriction mechanisms.

5. Sub-Processors

The Controller provides general authorization for NeuroBazar to engage sub-processors. NeuroBazar will notify the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.

NeuroBazar imposes data protection obligations on each sub-processor no less protective than those in this DPA. NeuroBazar remains fully liable for the acts and omissions of its sub-processors.

Current Sub-Processors

Sub-Processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute | United States / EU
Google Cloud Platform (GCP) | Cloud infrastructure, AI model hosting | United States / EU
Anthropic | AI model inference (Claude) | United States
OpenAI | AI model inference (GPT) | United States
Google DeepMind | AI model inference (Gemini) | United States / EU
Stripe | Payment processing | United States
Resend | Transactional email delivery | United States
PostHog (self-hosted) | Product analytics (anonymized) | Customer-controlled

6. International Data Transfers

To the extent that processing involves the transfer of personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, NeuroBazar will ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module Two: Controller to Processor)
  • UK International Data Transfer Addendum where applicable
  • Supplementary measures including encryption in transit and at rest, access controls, and data minimization
  • Data Transfer Impact Assessments conducted for each transfer destination

For US-based processing, NeuroBazar relies on the EU-US Data Privacy Framework where applicable, supplemented by SCCs as a fallback mechanism.

7. Security Measures

NeuroBazar implements and maintains the following technical and organizational measures:

Encryption

AES-256 at rest, TLS 1.3 in transit, per-session key derivation

Access Control

RBAC with least privilege, MFA enforced, quarterly access reviews

Network Security

VPC isolation, WAF, DDoS protection, intrusion detection

Data Minimization

Process only data necessary for the Service; obfuscation in Privacy Mode

Incident Response

Documented IR plan, 24/7 on-call, post-incident review process

Business Continuity

Multi-region redundancy, automated backups, tested disaster recovery

Employee Security

Background checks, annual security training, confidentiality agreements

Vendor Management

Security assessments for all sub-processors, contractual safeguards

For a comprehensive overview of our security practices, see our Security page.

8. Data Breach Notification

In the event of a personal data breach, NeuroBazar will:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide the Controller with sufficient information to meet any obligations to report or inform data subjects
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
  • Document the breach including its facts, effects, and remedial actions taken

Breach Notification Contents

Notifications will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed to address the breach, and contact point for further information.

9. Audit Rights

NeuroBazar will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller (or its appointed auditor) may conduct audits, subject to the following conditions:

  • The Controller provides at least 30 days' written notice of any audit request
  • Audits are conducted during normal business hours and no more than once per calendar year
  • The auditor agrees to reasonable confidentiality obligations
  • The Controller bears the cost of any audit, unless the audit reveals material non-compliance by NeuroBazar
  • NeuroBazar may satisfy audit requests by providing SOC 2 Type II reports, penetration test results, or equivalent third-party certifications

10. Term & Termination

This DPA takes effect when the Controller agrees to the Midcore Terms of Service and remains in effect for the duration of the Agreement.

Upon termination of the Agreement, NeuroBazar will, at the Controller's choice:

  • Return all personal data to the Controller in a structured, commonly used, and machine-readable format; or
  • Delete all personal data, including all existing copies, within 30 days of termination

NeuroBazar may retain personal data to the extent required by applicable law, provided that NeuroBazar ensures the confidentiality of such data and processes it only for the purpose required by law.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement, except that:

  • Neither party excludes or limits its liability for damages arising from breaches of this DPA to the extent such limitation would be prohibited by Data Protection Laws
  • NeuroBazar shall be liable for damages caused by processing that does not comply with Data Protection Laws or this DPA
  • NeuroBazar shall be exempt from liability if it proves that it is not responsible for the event giving rise to the damage

12. Contact

For questions about this DPA or to exercise any rights hereunder, contact:

NeuroBazar Inc.

Data Protection Contact: legal@midcore.dev

Product: Midcore

To request a signed copy of this DPA or the Standard Contractual Clauses, email legal@midcore.dev.
