Data Processing Agreement (DPA)
Last updated: 9 July 2026 · Version: 1.1
This DPA forms part of the agreement between ePotentia VOF (“Processor”) and the customer (“Controller”) for use of the MicrostructureDB platform.
1. Roles
For personal data the Controller uploads or makes available through the Platform, the Controller acts as controller and ePotentia acts as processor, processing such data only on the Controller’s documented instructions (including via use of the Platform).
2. Subject matter and nature of processing
- Subject matter: provision of the MicrostructureDB platform (storage, analysis, visualisation, and AI-assistant features for materials microstructure data).
- Duration: for the term of the customer agreement.
- Nature and purpose: hosting, storage, processing and display of uploaded data to deliver the Platform.
3. Categories of data and data subjects
- Data subjects: the Controller’s authorized users.
- Personal data: identification and contact data — first name, last name, email address (and any account metadata such as role/access level).
- Materials data uploaded by the Controller is generally not personal data; the Controller is responsible for not uploading third-party personal data without a lawful basis.
No special-category data (Art. 9) is intended to be processed.
4. Processor obligations
ePotentia will:
a. process personal data only on documented instructions; b. ensure persons authorized to process are bound by confidentiality; c. implement appropriate technical and organizational security measures (Art. 32) — see Annex 2; d. respect the conditions for engaging sub-processors (§5); e. assist the Controller, taking into account the nature of processing, with data-subject requests and with Arts. 32–36 obligations; f. at the Controller’s choice, delete or return personal data at the end of the service and delete existing copies, unless retention is required by law; g. make available information necessary to demonstrate compliance and allow for and contribute to audits.
5. Sub-processors
The Controller provides general authorization for ePotentia to engage sub-processors. Current sub-processors:
| Sub-processor | Role | Location |
|---|---|---|
| Google Cloud (Google Cloud EMEA Ltd / Google Ireland) | Hosting, database, Vertex AI | EU (europe-west4, NL) |
| Google Firebase | Authentication, transactional email | EU |
| Sentry | Error monitoring (PII-minimised) | US — DPF / SCCs |
| ePotentia (own server) | Internal processing | Belgium (EEA) |
ePotentia will inform the Controller of intended changes to sub-processors and give the Controller the opportunity to object.
6. International transfers
Personal data is processed within the EEA. Where a sub-processor involves a transfer outside the EEA, it is governed by the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
7. AI processing
Where the Controller’s users use the AI assistant, inputs are processed transiently via Anthropic’s Claude on Google Cloud Vertex AI (EU region) to generate responses and are not used to train models and not retained on ePotentia’s servers.
8. Personal data breach
ePotentia will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and provide reasonable information to assist the Controller’s own obligations.
9. Deletion and return
On termination, ePotentia will delete or return the Controller’s personal data within 30 days, except where retention is legally required or where data was contributed to an open dataset (which may be retained in anonymized form, as agreed).
10. Liability and law
This DPA is governed by Belgian law and subject to the liability provisions of the main customer agreement. Disputes fall under the courts of Antwerp.
Annex 1 — Processing details
As described in §2–3 above.
Annex 2 — Technical and organizational security measures
Infrastructure and hosting. Customer data is hosted on Google Cloud Platform in the EEA (europe-west4, Netherlands). The underlying infrastructure carries Google Cloud’s certifications, including ISO/IEC 27001 and SOC 2. ePotentia’s internal processing servers are located in Belgium (EEA).
Encryption. All data is encrypted at rest (AES-256, Google-managed keys) and in transit (TLS 1.2+), including connections between ePotentia’s internal servers and Google Cloud services.
Network security. Internal processing servers are not exposed to inbound public traffic; administrative and inter-server access runs over a device-authenticated, WireGuard-based private mesh network (Tailscale). Access to cloud storage from internal servers occurs exclusively over encrypted channels.
Access control. Multi-factor authentication is enforced on all administrative accounts (cloud console, admin interfaces). IAM roles follow the principle of least privilege; production access is restricted to a small number of named staff and reviewed on role change and at least annually. End-user credentials are hashed and managed via Firebase Authentication.
Tenant separation. Customer data is logically separated in shared databases by tenant/organization identifiers enforced at the application layer.
Availability and backups. Relational data (Cloud SQL) is protected by automated backups with point-in-time recovery. Object storage benefits from Google Cloud Storage’s regional redundancy and soft-delete protection against accidental deletion.
Monitoring and vulnerability management. Centralized logging and monitoring (Cloud Logging); application error monitoring via Sentry with PII scrubbing; automated dependency vulnerability scanning with timely patching.
Organisational measures. All staff and contractors are bound by confidentiality obligations in their agreements. Staff devices use full-disk encryption (BitLocker/FileVault). Security incidents are handled under an internal incident-response procedure supporting the notification obligation in §8.