Last updated: July 12, 2026
This Data Processing Addendum (“DPA”) describes how TrialWave (“Processor”, “we”) processes personal data on behalf of your organization (“Controller”, “you”) in connection with the Service. It supplements and forms part of our Terms of Service and Privacy Policy. If you require a countersigned copy for your records, contact trialwaveadmin@gmail.com.
You act as the Controller of the personal data you submit to the Service, and we act as your Processor, processing that data only on your documented instructions (including as set out in the Terms and this DPA), except where required by law.
Subject matter: provision of clinical-trial business-development software. Duration: for the term of your account. Nature and purpose: hosting, storing, and processing Customer Data to provide the Service. Types of data: account details, organization and site information, sponsor/CRO contact details, and aggregate, de-identified patient-population counts. The Service is not intended to process individual patient PHI.
Categories of data subjects: your personnel and business contacts (e.g., sponsor and CRO representatives). You must not submit special-category personal data or individual patient records.
We ensure that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.
We implement appropriate technical and organizational measures, including encrypted transport, hashed credentials, role-based access control, tenant isolation, row-level database security, rate limiting, and audit logging, designed to protect Customer Data against unauthorized access, loss, or disclosure.
You authorize us to engage the following subprocessors to provide the Service: Supabase (managed database and file storage, United States); Vercel (application hosting, United States); Stripe (payment and subscription processing); Resend (transactional email delivery); and Upstash (rate limiting and caching). We impose data-protection obligations on each subprocessor substantially similar to those in this DPA and remain responsible for their performance. We will give notice before a new subprocessor begins processing Customer Data, so you may object on reasonable data-protection grounds.
Taking into account the nature of the processing, we provide reasonable assistance to help you respond to data-subject requests and to meet your security, breach-notification, and impact-assessment obligations. Account owners can export and delete workspace data directly within the Service.
We will notify you without undue delay after becoming aware of a personal-data breach affecting your Customer Data, and provide information reasonably available to help you meet your notification obligations.
Upon termination or your request, we will delete or return Customer Data in accordance with our Privacy Policy, except where retention is required by law.
We make available information reasonably necessary to demonstrate compliance with this DPA and will cooperate with reasonable audit requests, subject to appropriate confidentiality and scheduling.
Where Customer Data is transferred across borders, we use appropriate safeguards required by applicable law.
Questions about this DPA, or requests for a signed copy, can be sent to trialwaveadmin@gmail.com.