← docs

Data Processing Agreement

Template — review required.This Data Processing Agreement (DPA) is provided to help researchers meet their obligations under Article 28 GDPR. It should be reviewed by your institution’s data protection officer or legal counsel before being relied upon or executed. To request a counter-signed copy for your institution, contact yury.shevchenko@uni.kn.

Last update: 18 June 2026

1. Parties and roles

This DPA governs the processing of personal data carried out by Samply on behalf of the researcher who creates and runs a study ("the Study").

  • Controller: the researcher and/or their institution, who determines the purposes and means of processing the personal data collected through their Study.
  • Processor:the iScience research group, University of Konstanz, Universitätsstraße 10, 78464 Konstanz, Germany, operating the Samply platform ("Samply"), which processes personal data on the Controller’s documented instructions.

For Samply’s own account and operational data (researcher accounts, billing), Samply acts as an independent controller as described in the Privacy Policy.

2. Subject matter, nature and purpose of processing

Samply processes personal data solely to provide the Service: scheduling and delivering notifications to Study participants, recording participants’ responses and notification events, and making the resulting data available to the Controller. Processing lasts for the duration of the Study and the retention periods set out in the Privacy Policy, unless the Controller deletes the data sooner.

3. Categories of data subjects and personal data

  • Data subjects: Study participants; the Controller and any collaborators.
  • Personal data: pseudonymous participant identifier (Samply ID), account email and (optionally) name, device push token, language and timezone, notification delivery and interaction events, survey/response metadata, optional participant code and group, location/geofencing events where the Study enables them, and payment data where compensation is configured.
  • Special-category data: not collected by the platform itself. The Controller is responsible for any special-category data gathered via linked external surveys.

4. Obligations of the processor (Art. 28(3))

  • Documented instructions. Samply processes participant personal data only on the Controller’s documented instructions, including the configuration of the Study, unless required otherwise by EU or Member State law.
  • Confidentiality. Persons authorised to process the data are bound by confidentiality.
  • Security. Samply implements appropriate technical and organisational measures pursuant to Art. 32 (see Section 6).
  • Sub-processors. Samply engages the sub-processors listed in Section 7 and imposes equivalent data-protection obligations on them. Samply will inform the Controller of intended changes and give the Controller the opportunity to object.
  • Assistance with data-subject rights. Taking into account the nature of the processing, Samply assists the Controller with appropriate measures to respond to requests under Chapter III GDPR (access, rectification, erasure, portability, objection). Participants can also export their own data and delete their account directly in the Service.
  • Assistance with Arts. 32–36. Samply assists the Controller in ensuring security of processing, breach notification, and data protection impact assessments.
  • Deletion or return. On termination of the Service or on the Controller’s instruction, Samply deletes or returns the personal data. Deleting a Study removes its responses, queued and scheduled notifications, job records, and consent records; see "Erasure of studies and accounts" in the Privacy Policy.
  • Audits. Samply makes available the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates.

5. Controller obligations

The Controller is responsible for establishing a lawful basis for the Study (including participant consent and ethics/IRB approval where required), for the lawfulness of its instructions, and for the content of any external survey it links to. The Controller must not enter special-category or directly identifying data into free-text fields unless it has a lawful basis and appropriate safeguards.

6. Technical and organisational measures (Art. 32)

  • Encryption of data in transit (TLS); access restricted to authenticated, role-checked accounts.
  • Participant research data is keyed by a pseudonymous Samply ID; contact details are not shown to researchers except where a participant opts into payments.
  • Passwords are stored hashed (bcrypt); session and API tokens are time-limited.
  • Access to participant data and exports is recorded in an internal audit log.
  • Configurable retention with automatic deletion after the periods stated in the Privacy Policy.
  • Regular review of the measures; the Controller acknowledges these may be updated to maintain an appropriate level of security.

7. Sub-processors

Samply uses the following sub-processors. The current, maintained list (with the data shared and the transfer mechanism for each) is kept in the project’s sub-processor register.

  • MongoDB Atlas — database hosting.
  • Postmark — transactional and notification email.
  • Stripe — participant compensation / payouts (only when enabled).
  • Expo / Apple Push / Google FCM — push-notification delivery.
  • Cloudflare Turnstile — bot protection at sign-up.
  • University of Konstanz — web/app hosting.

8. International transfers

Where a sub-processor processes personal data outside the EEA, transfers take place only on the basis of an adequacy decision, EU Standard Contractual Clauses, or another valid transfer mechanism under Chapter V GDPR. The Controller can request the current transfer basis for each sub-processor.

9. Personal data breaches

Samply notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s Study data, and provides the information the Controller needs to meet its own notification obligations under Arts. 33–34.

10. Term, termination and deletion

This DPA applies for as long as Samply processes personal data on behalf of the Controller. On termination, the Controller may export its Study data and must delete Studies it no longer needs; remaining data is deleted according to the retention periods in the Privacy Policy. Consent records may be retained as proof of consent where a legal basis requires.

11. Contact

Data protection contact: Yury Shevchenko, iScience / University of Konstanz — yury.shevchenko@uni.kn. See also the Privacy Policy and Terms & Conditions.