This page summarises the Data Processing Addendum (DPA) that forms part of the agreement with institutional customers. A signed DPA is available on request as part of contracting.

1. Roles

For personal data processed within a customer’s Discover RIMS deployment, the institution is the data controller and Discover RIMS acts as data processor, processing data only on documented instructions.

2. Scope of processing

We process researcher and publication metadata, and account/usage data, solely to provide and support the platform for the customer.

3. Security measures

Technical and organisational measures include encryption in transit and at rest, role-based access control, two-factor authentication for administrators, audit logging, and regular backups.

4. Data residency

Customers may select a data residency region (EU, US, or APAC) so personal data remains within the required jurisdiction. On-premise and hybrid deployments keep designated data within the institution’s own infrastructure.

5. Sub-processors

Where cloud infrastructure providers are used, they are engaged as sub-processors under appropriate contractual safeguards. A current list of sub-processors is available to customers on request.

6. International transfers

Where personal data is transferred across borders, appropriate transfer mechanisms (such as Standard Contractual Clauses) are applied as required by GDPR.

7. Data subject requests & breach notification

We assist the customer in responding to data subject requests and will notify the customer without undue delay upon becoming aware of a personal data breach affecting their data.

8. Return & deletion

On termination, customer data is returned or deleted in accordance with the agreement and a documented data-handover process.

9. Request the signed DPA

To receive the full executable DPA, contact us via the contact page.

This document is a general summary template and should be reviewed by qualified legal counsel before reliance.