data processing addendum · v0

data processing addendum

last updated: 2026-05-20 · effective: TBD

v0 — pending counsel review. reflects current panel practices. wording may change after legal review. questions: use the contact form (topic: privacy).

this addendum ("DPA") forms part of the terms of service between the operator ("controller") and panel ("processor", UltraInstinct0x). it governs processing of personal data submitted by the controller to panel and applies whenever the controller is subject to GDPR, UK-GDPR, or KVKK.

countersigned PDFs available on request for paid operators: use the contact form (topic: legal). v0 wording is in effect for v0 contracts; future updates trigger 30-day notice.

1 — definitions

capitalized terms (Controller, Processor, Data Subject, Personal Data, Processing, Sub-Processor, Supervisory Authority) carry their GDPR Art. 4 meaning. "Applicable Law" means GDPR, UK-GDPR, and KVKK as applicable to the operator.

2 — scope + subject matter

3 — controller responsibilities

4 — processor obligations (Art. 28)

panel will:

5 — sub-processors

list, notice mechanism, and objection process are at /legal/sub-processors. panel remains liable for sub-processor performance.

6 — international transfers

panel is hosted in Frankfurt, DE. data exports outside the EU/EEA (e.g. to US-based sub-processors such as GitHub) rely on the EU Standard Contractual Clauses (2021/914), modules 2 or 3 as applicable, and on the UK addendum for UK transfers. SCCs are incorporated by reference; countersigned copies available on request.

7 — data-subject rights

panel exposes the following to enable direct DSAR fulfillment by raters:

controllers may also submit batch DSAR requests via the contact form (topic: privacy); response within 30 days.

8 — audits

controller may, no more than once per 12 months, request a copy of panel's most recent security documentation (annex II) and ask reasonable written questions. on-site audits are not available in v0; once SOC 2 attestation is in place, the SOC 2 report will satisfy this section. controllers in regulated verticals may negotiate additional audit rights as part of an enterprise contract.

9 — return / deletion on termination

on termination of the operator account, the controller may export judgments for 30 days. after 30 days, operator-controlled unit content is deleted within 14 days, except where retention is required by law. aggregated, anonymized signal already incorporated into panel datasets persists.

annex I — processing details

annex II — technical + organizational measures

annex III — sub-processors

see /legal/sub-processors (incorporated by reference).