Skip to main content
Terms of Service Privacy Policy DPA

Data Processing Agreement

Template Version 1.0 · February 2026

This is a template. This Data Processing Agreement (DPA) is provided as a standard template for enterprise customers requiring GDPR-compliant data processing terms. To execute this DPA, contact legal@latticezero.com.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller ("Customer"): The entity that has agreed to the LatticeZero Terms of Service and uploads molecular data to the Service.
  • Data Processor ("LatticeZero"): LatticeZero, the operator of the LatticeZero molecular docking and scoring platform.

This DPA supplements and forms part of the LatticeZero Terms of Service.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Molecular Data" means protein receptor structures, compound libraries, scoring results, and related scientific data uploaded to or generated by the Service.
  • "Sub-processor" means any third party engaged by LatticeZero to process data on behalf of the Customer.

3. Purpose and Scope of Processing

LatticeZero processes data solely for the purpose of providing the molecular docking and scoring services described in the Terms of Service. Processing activities include:

  • Molecular docking (pose generation and evaluation)
  • Scoring (physics-based energy calculations)
  • Pose analysis and ranking
  • Scoring profile optimization
  • Grid compilation for binding pocket representation
  • Results storage and retrieval

4. Types of Data Processed

CategoryData TypesContains Personal Data?
Account dataName, email, organizationYes
Receptor structuresPDB files (protein coordinates)No (typically)
Compound librariesSDF, MOL2, SMILES filesNo (typically)
Scoring resultsEnergy scores, rankings, posesNo
Usage metadataTimestamps, IP addresses, job IDsYes (IP address)

Molecular data (receptor structures, compound libraries, scoring results) does not typically constitute Personal Data. However, if Customer uploads data that contains or is linked to Personal Data, this DPA applies to that data.

5. Obligations of the Processor

LatticeZero shall:

  • Process data only on documented instructions from the Customer (i.e., to provide the Service)
  • Ensure that persons authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 7)
  • Not engage additional sub-processors without prior written authorization from the Customer (see Section 6)
  • Assist the Customer in responding to data subject access requests
  • Delete or return all data upon termination of the Service (see Section 9)
  • Make available all information necessary to demonstrate compliance with GDPR obligations

6. Sub-processors

LatticeZero uses the following sub-processors:

Sub-processorPurposeLocationData Processed
DigitalOcean, LLCCloud infrastructure hostingUnited States (NYC region)All data (hosted on their infrastructure)
Stripe, Inc. (future)Payment processingUnited StatesPayment information only

LatticeZero will notify the Customer at least 30 days before engaging any new sub-processor. The Customer may object to a new sub-processor within 14 days of notification.

7. Security Measures

LatticeZero implements the following technical and organizational measures:

7.1 Technical Measures

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: AES-256 encrypted storage volumes
  • Access controls: Role-based access control, SSH key authentication
  • Network security: Firewall rules, rate limiting, DDoS protection
  • Audit logging: All data access and administrative actions logged
  • Backups: Encrypted nightly backups with 30-day retention
  • Shield Mode: Optional zero-retention processing for maximum data privacy

7.2 Organizational Measures

  • Principle of least privilege for all system access
  • No shared credentials or service accounts
  • Incident response procedures documented and tested
  • Regular security review of infrastructure and application code

8. Data Location

All data is processed and stored in the United States (DigitalOcean NYC region). For EU customers, this constitutes a transfer of data outside the EEA. The legal basis for this transfer is Standard Contractual Clauses (SCCs) as incorporated into DigitalOcean's data processing terms.

9. Data Breach Notification

In the event of a personal data breach, LatticeZero will:

  • Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken to mitigate
  • Cooperate with the Customer in notifying relevant supervisory authorities and affected data subjects as required by applicable law

10. Data Return and Deletion

Upon termination of the Service or upon Customer's request:

  • LatticeZero will return all Customer data in a standard, machine-readable format (PDB, SDF, CSV, JSON) within 14 days of request
  • After data return (or upon Customer instruction to delete), all Customer data will be permanently deleted from production systems within 30 days
  • Data in encrypted backups will be overwritten within the backup retention cycle (30 days)
  • Shield Mode data is deleted immediately upon job completion and is not included in backups

11. Audits

The Customer may request an audit of LatticeZero's data processing activities and security measures. LatticeZero will:

  • Make available all information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by the Customer or an independent auditor
  • Audits shall be conducted with reasonable notice (30 days minimum) and during business hours

12. Duration and Termination

This DPA remains in effect for the duration of the Customer's use of the Service. It terminates automatically when the Terms of Service terminate. Sections 9 (Breach Notification), 10 (Data Return/Deletion), and 11 (Audits) survive termination.

13. Governing Law

This DPA is governed by the same law that governs the Terms of Service (State of Delaware, United States), except that GDPR provisions shall be interpreted in accordance with EU law where applicable.

14. Contact

To execute this DPA or for questions about data processing:
legal@latticezero.com

© 2026 LatticeZero. All rights reserved.
Terms Privacy DPA legal@latticezero.com