Data Processing Agreement

Effective Date: March 1, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between The Clinical Index (“TCI,” “we,” “us”) and the customer (“Controller,” “you”) and governs the processing of personal data by TCI on your behalf.

1. Definitions

  • “Controller” means the entity that determines the purposes and means of processing personal data (the customer).
  • “Processor” means the entity that processes personal data on behalf of the Controller (The Clinical Index).
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed.
  • “Personal Data” means any information relating to a Data Subject that is processed in connection with the services.
  • “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

2. Scope and Purpose

TCI processes product data and analysis results on behalf of the customer for the purpose of providing clinical evidence verification services. This includes parsing supplement labels, retrieving and analyzing PubMed studies, generating evidence scores, and producing verification dossiers. The processing is limited to data necessary to perform the contracted services.

3. Data Processing Details

The following details apply to the processing activities under this DPA:

  • Types of data: Account information (name, email, company name), product data (ingredient lists, doses, marketing claims), analysis results (scores, evidence citations, dossiers).
  • Categories of data subjects: Customer employees and authorized users of the platform.
  • Purpose of processing: Providing clinical evidence verification, generating analysis reports, delivering verification badges and dossiers.
  • Duration: For the duration of the service agreement plus any legally required retention period.

4. Obligations of TCI

As a Processor, TCI shall:

  • Process personal data only on documented instructions from the Controller.
  • Implement appropriate technical and organizational security measures, including encryption in transit (TLS 1.3) and at rest (AES-256), row-level security policies, and access controls.
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  • Assist the Controller in responding to data subject requests and regulatory inquiries.
  • Notify the Controller without undue delay upon becoming aware of a personal data breach.
  • Delete or return all personal data upon termination of services, at the Controller's election.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

5. Sub-processors

TCI uses the following sub-processors to deliver its services. The Controller consents to the engagement of these sub-processors:

  Sub-processor   Purpose                                    Location
  Supabase        Database hosting and authentication        United States
  Railway         Application compute and worker processes   United States
  Vercel          Frontend hosting and CDN                   United States / Global CDN
  Anthropic       AI processing for evidence analysis        United States
  Stripe          Payment processing                         United States

TCI will notify the Controller of any intended changes to its sub-processors, giving the Controller the opportunity to object to such changes.

6. Data Subject Rights

TCI will assist the Controller in fulfilling data subject rights requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection. TCI will respond to such assistance requests within 10 business days and will not independently respond to data subject requests unless authorized by the Controller.

7. Data Breach Notification

In the event of a personal data breach, TCI will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

8. Data Transfers

Data processed under this DPA is primarily stored and processed in the United States. For customers located in the European Economic Area (EEA) or United Kingdom, TCI relies on Standard Contractual Clauses (SCCs) as approved by the European Commission for the transfer of personal data to third countries. TCI will ensure that any onward transfers to sub-processors are subject to equivalent data protection safeguards.

9. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service between the parties. Upon termination of the service agreement, TCI will delete or return all personal data within 30 days, unless retention is required by applicable law. The obligations under this DPA that by their nature should survive termination (including confidentiality and data deletion) shall continue in effect.

10. Contact

For questions about this Data Processing Agreement or to exercise any rights under it, please contact us at: dpa@theclinicalindex.com