Data Processing Agreement

Last updated: 20 May 2026

A signed Data Processing Agreement (DPA) governs every engagement in which FractaLPK processes a client’s dataset. This page summarises its content. A full PDF template is available on request.

Roles

• Data Controller: the client (you), who determines the purpose and means of the processing.
• Data Processor: FractaLPK (F.A.T. Laboratories, Population Analysis Unit), which processes the dataset on the client’s written instructions only.

Sub-processors

To deliver the service, FractaLPK relies on the following data processors. Each operates under a contract that includes the obligations required by GDPR Article 28:

Sub-processor	Purpose	Location
Render Inc.	Application hosting, PDF generation, worker	EU (Frankfurt, Germany)
Upstash	Transient job queue (Redis)	EU (Frankfurt, Germany)
Resend	Transactional email delivery (magic-link + PDF)	EU (Frankfurt, Germany)
IONOS SE	Domain registration and DNS	EU (Germany)
Stripe Payments Europe Ltd.	Payment processing (when checkout is enabled)	EU (Ireland), with standard contractual clauses for any US transfer

All sub-processors are bound by GDPR-compliant data processing agreements. Clients will be notified of any change in sub-processors with at least 30 days’ advance notice, giving the right to object.

Minimum Technical & Organisational Measures

• TLS 1.2+ encryption for all data in transit.
• Encryption at rest on the analysis servers.
• Access restricted to the named operator (Carlos A. Pérez Aparicio).
• Infrastructure physically located in the European Union (Frankfurt, Germany region). No data is transferred or stored outside the European Economic Area (EEA) except where standard contractual clauses cover incidental transfers via payment processors.
• Secure deletion of the client dataset within 1 hour of report generation, consistent with the ephemeral processing model described in the Privacy Policy §5. No long-term storage of client datasets occurs.
• Audit trail of all access events retained for the duration of the engagement.

Obtain the DPA Template

The full DPA template, aligned with GDPR Article 28, is available as a PDF on request. Send your organisation name and the intended compound / dataset to the address below and we will respond within 2 business days.

Request DPA template →