Ask My DNA

Personalized genomic wellness guidance

Data Processing Addendum (DPA)

Version 1.0
Effective Date: January 1, 2025
Last Updated: January 1, 2025

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Ask My DNA Terms of Service and Privacy Policy between you ("Data Subject," "User," "you") and Wundekind S.R.O. ("Data Controller," "Processor," "we," "us") regarding the processing of Personal Data in connection with the Ask My DNA services.

Company Information:

  • Name: Wundekind S.R.O.
  • Registration: Czech Republic
  • Address: Roháčova 145/14, Žižkov, 130 00 Praha 3, Czech Republic
  • Email: dpo@askmydna.com
  • Website: https://askmydna.com

This DPA is entered into to ensure compliance with:

  • EU General Data Protection Regulation (GDPR)
  • Czech Act No. 110/2019 Coll. on Personal Data Processing
  • California Consumer Privacy Act (CCPA)
  • Other applicable data protection laws

2. Definitions

For purposes of this DPA, the following terms have the meanings set forth below:

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).

"Special Category Data" means genetic data, biometric data, health data, and other sensitive personal data as defined in GDPR Article 9.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion, as defined in GDPR Article 4(2).

"Data Controller" means Wundekind S.R.O., which determines the purposes and means of Processing Personal Data.

"Data Subject" means the individual to whom Personal Data relates.

"Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Data Controller.

"Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR.

"Standard Contractual Clauses (SCCs)" means the standard data protection clauses approved by the European Commission for the transfer of Personal Data to third countries.

3. Roles and Responsibilities

3.1 Data Controller

Wundekind S.R.O. acts as the Data Controller for all Personal Data processed through the Ask My DNA service. As Data Controller, we:

  • Determine the purposes and means of Processing
  • Ensure lawful basis exists for all Processing activities
  • Implement appropriate technical and organizational measures
  • Respond to Data Subject requests
  • Maintain records of Processing activities
  • Conduct Data Protection Impact Assessments when required

3.2 Data Subject Rights

As Data Subject, you have the rights described in our Privacy Policy and this DPA, including:

  • Right of access to your Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of Processing
  • Right to data portability
  • Right to object to Processing
  • Rights related to automated decision-making

4. Scope of Processing

4.1 Subject Matter and Purpose

The subject matter of Processing is the provision of AI-powered genetic analysis and interpretation services through the Ask My DNA platform.

Purposes of Processing:

  • Providing genetic data analysis services
  • Generating personalized health and wellness insights
  • Maintaining user accounts and subscriptions
  • Improving our AI models and services
  • Providing customer support
  • Ensuring platform security
  • Complying with legal obligations

4.2 Nature of Processing

Processing includes:

  • Collection: Receiving user account information and genetic data
  • Storage: Securely storing data on encrypted servers
  • Analysis: Processing genetic data through AI models
  • Generation: Creating personalized reports and insights
  • Transmission: Delivering results to users
  • Deletion: Permanently removing data upon request

4.3 Duration of Processing

Personal Data is Processed:

  • During Active Account: As long as your account remains active
  • Upon Deletion Request: Deleted within 30 days from active systems
  • Backup Retention: Removed from backups within 90 days
  • Legal Retention: Certain data retained as required by law (e.g., payment records for 7 years)

4.4 Types of Personal Data

Standard Personal Data:

  • Email address
  • Name (optional)
  • Language preference
  • Password (hashed)
  • IP address (anonymized after 30 days)
  • Payment information (processed by third-party)
  • Usage data and analytics

Special Category Data (GDPR Article 9):

  • Genetic Data: Raw genetic files, processed variants, genetic analysis results
  • Health Data: Health-related questions, wellness insights, predisposition information

4.5 Categories of Data Subjects

  • Individual users of the Ask My DNA platform
  • Prospective users who submit early access requests
  • Individuals who contact customer support

5. Data Controller Obligations

Wundekind S.R.O. as Data Controller commits to:

5.1 Lawful Processing

  • Process Personal Data only on a lawful basis under GDPR Article 6
  • Obtain explicit consent for Special Category Data (GDPR Article 9(2)(a))
  • Process data only for specified, legitimate purposes
  • Ensure Processing is necessary and proportionate

5.2 Data Minimization

  • Collect only data necessary for stated purposes
  • Avoid collecting excessive or irrelevant data
  • Regularly review and purge unnecessary data
  • Implement privacy by design and default

5.3 Data Accuracy

  • Take reasonable steps to ensure data accuracy
  • Provide users tools to update their information
  • Correct inaccurate data upon request
  • Delete or anonymize outdated data

5.4 Storage Limitation

  • Retain data only as long as necessary
  • Implement clear retention schedules
  • Automatically delete or anonymize data when no longer needed
  • Securely erase data from backups

5.5 Security Measures

Implement appropriate technical and organizational measures:

Technical Measures:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication
  • Role-based access control
  • Intrusion detection systems
  • Regular security audits
  • Secure backup procedures

Organizational Measures:

  • Employee training on data protection
  • Background checks for personnel with data access
  • Confidentiality agreements
  • Incident response procedures
  • Data breach notification protocols
  • Regular privacy compliance reviews

5.6 Accountability

  • Maintain records of Processing activities (GDPR Article 30)
  • Conduct Data Protection Impact Assessments (GDPR Article 35)
  • Appoint Data Protection Officer
  • Implement compliance monitoring programs
  • Document compliance measures

6. Sub-processors

6.1 Authorized Sub-processors

We engage the following Sub-processors to assist in providing the Service:

Cloud Infrastructure:

  • Name: Amazon Web Services, Inc. (AWS)
  • Location: United States
  • Purpose: Data hosting, storage, and computing
  • Safeguards: EU-U.S. Data Privacy Framework, Standard Contractual Clauses

AI Services:

  • Name: Anthropic, PBC
  • Location: United States
  • Purpose: AI-powered genetic data interpretation
  • Safeguards: Data Processing Agreement, encryption, de-identification

Payment Processing:

  • Name: Stripe, Inc.
  • Location: United States
  • Purpose: Payment processing and subscription management
  • Safeguards: PCI-DSS compliance, Standard Contractual Clauses

Email Services:

  • Name: [Email Service Provider]
  • Location: [Location]
  • Purpose: Transactional and marketing emails
  • Safeguards: Data Processing Agreement, encryption

6.2 Sub-processor Requirements

All Sub-processors must:

  • Enter into written agreements with equivalent data protection obligations
  • Implement appropriate technical and organizational security measures
  • Process data only for specified purposes
  • Allow audits and inspections
  • Notify us of any data breaches
  • Comply with GDPR and applicable data protection laws

6.3 Sub-processor Changes

Notice of New Sub-processors:

  • We will provide advance notice of new Sub-processors via email or platform notification
  • You have the right to object to new Sub-processors within 30 days
  • If you object, we will work to find an alternative solution or allow you to terminate without penalty

Updated List: Current Sub-processors are listed on our website at https://askmydna.com/legal/sub-processors

7. International Data Transfers

7.1 Transfer Mechanism

Personal Data is transferred from the European Economic Area (EEA) to the United States. We ensure adequate protection through:

EU-U.S. Data Privacy Framework:

  • Our U.S. service providers are certified under the EU-U.S. Data Privacy Framework
  • This framework provides adequacy as recognized by the European Commission

Standard Contractual Clauses (SCCs):

  • We have executed SCCs approved by the European Commission (Decision 2021/914)
  • SCCs are incorporated into agreements with all Sub-processors in third countries
  • You may request a copy of SCCs at dpo@askmydna.com

7.2 Supplementary Measures

In addition to SCCs, we implement supplementary measures:

Technical Safeguards:

  • End-to-end encryption (AES-256)
  • Data pseudonymization where feasible
  • Encryption of data in transit (TLS 1.3)
  • Secure key management

Organizational Safeguards:

  • Access limited to personnel with legitimate need
  • Regular audits of data access logs
  • Background checks on personnel with data access
  • Contractual confidentiality obligations

Legal Safeguards:

  • Assessment of third country laws and surveillance programs
  • Notification procedures if data requests received
  • Challenge unlawful data requests where possible

7.3 Transparency on Government Requests

If we receive a government or law enforcement request for your data:

  • We will notify you unless legally prohibited
  • We will challenge overbroad or unlawful requests
  • We will disclose only the minimum data legally required
  • We publish transparency reports annually

8. Data Subject Rights

8.1 Right of Access (GDPR Article 15)

You have the right to obtain:

  • Confirmation whether we Process your Personal Data
  • Copy of your Personal Data
  • Information about Processing purposes, categories, recipients, and retention

How to Exercise:

  • Email: dpo@askmydna.com
  • Subject: "GDPR Access Request"
  • Response Time: Within 1 month

8.2 Right to Rectification (GDPR Article 16)

You may request correction of inaccurate or incomplete Personal Data.

How to Exercise:

  • Update information in account settings, or
  • Email: dpo@askmydna.com
  • Response Time: Within 1 month

8.3 Right to Erasure (GDPR Article 17)

You may request deletion of your Personal Data when:

  • Data no longer necessary for original purpose
  • You withdraw consent and no other legal basis exists
  • You object to Processing and no overriding legitimate grounds exist
  • Data was unlawfully Processed
  • Deletion required for compliance with legal obligation

Exceptions:

  • Legal or regulatory retention requirements (e.g., tax records)
  • Establishment, exercise, or defense of legal claims
  • Public interest or scientific research (if applicable)

How to Exercise:

  • Use account deletion feature in settings, or
  • Email: dpo@askmydna.com
  • Deletion Timeline: 30 days from active systems, 90 days from backups

8.4 Right to Restriction (GDPR Article 18)

You may request restricted Processing when:

  • You contest data accuracy (during verification period)
  • Processing is unlawful but you don't want deletion
  • We no longer need data but you need it for legal claims
  • You objected to Processing (pending verification)

8.5 Right to Data Portability (GDPR Article 20)

You have the right to:

  • Receive your Personal Data in structured, machine-readable format (JSON or CSV)
  • Transmit data to another controller without hindrance

How to Exercise:

  • Email: dpo@askmydna.com
  • Subject: "Data Portability Request"
  • Format: Specify preferred format (JSON, CSV, etc.)

8.6 Right to Object (GDPR Article 21)

You may object to Processing based on:

  • Legitimate interests (Article 6(1)(f))
  • Direct marketing (absolute right, no override)
  • Scientific/historical research or statistics

How to Exercise:

  • Email: dpo@askmydna.com
  • Specify grounds for objection

8.7 Automated Decision-Making (GDPR Article 22)

You have the right not to be subject to decisions based solely on automated Processing that produce legal or similarly significant effects.

Our Practice:

  • Our AI provides information and insights
  • Final decisions are always made by you
  • No automated decisions with legal/significant effects are made without human intervention

8.8 Response Time and Costs

  • Response Deadline: 1 month from request (extendable by 2 months for complex requests)
  • Cost: Free of charge
  • Excessive Requests: We may charge a reasonable fee or refuse manifestly unfounded or excessive requests
  • Identification: We may request information to verify your identity

9. Data Breach Notification

9.1 Notification to Supervisory Authority

In the event of a Personal Data breach, we will:

  • Notify the Czech Data Protection Authority (ÚOOÚ) within 72 hours of discovery
  • Provide description of the breach, categories and approximate number of affected Data Subjects
  • Describe likely consequences and measures taken or proposed
  • Provide contact point for more information

9.2 Notification to Data Subjects

If the breach is likely to result in high risk to your rights and freedoms, we will notify you without undue delay:

  • Direct Communication: Via email to your registered address
  • Content: Description of breach, likely consequences, measures taken, contact point
  • Exceptions: If data was encrypted, notification already given to authority, or disproportionate effort required (then public communication)

9.3 Breach Response Procedures

Upon detecting a breach:

  1. Containment: Immediate action to contain and limit breach
  2. Assessment: Evaluate scope, affected data, and potential impact
  3. Notification: Notify authorities and affected individuals as required
  4. Investigation: Conduct thorough investigation of root cause
  5. Remediation: Implement measures to prevent recurrence
  6. Documentation: Maintain detailed records of breach and response

10. Data Protection Impact Assessment (DPIA)

10.1 When DPIA is Conducted

We conduct DPIAs (GDPR Article 35) for:

  • New technologies or Processing methods
  • Large-scale Processing of Special Category Data
  • Systematic monitoring of publicly accessible areas
  • Automated decision-making with legal/significant effects
  • When recommended by Data Protection Officer

10.2 DPIA Process

Our DPIA process includes:

  1. Description: Systematic description of Processing operations
  2. Necessity Assessment: Evaluation of necessity and proportionality
  3. Risk Assessment: Identification of risks to Data Subject rights
  4. Mitigation Measures: Description of safeguards and security measures
  5. Consultation: Consultation with DPO and, if required, supervisory authority

10.3 Genetic Data DPIA

We have conducted a comprehensive DPIA for genetic data Processing, concluding:

  • High Risk: Genetic data Processing presents high risks requiring enhanced safeguards
  • Mitigations: Encryption, access controls, pseudonymization, staff training, regular audits
  • Compliance: With robust safeguards, risks are mitigated to acceptable levels

11. Records of Processing Activities

11.1 Documentation

We maintain records of Processing activities (GDPR Article 30) including:

  • Name and contact details of Data Controller and DPO
  • Purposes of Processing
  • Categories of Data Subjects and Personal Data
  • Categories of recipients (including Sub-processors)
  • International data transfers and safeguards
  • Retention periods
  • Description of technical and organizational security measures

11.2 Availability

Records are:

  • Reviewed and updated regularly
  • Made available to supervisory authorities upon request
  • Used to demonstrate compliance with GDPR

12. Audit Rights

12.1 Your Audit Rights

You have the right to request information demonstrating our compliance with this DPA.

Available Documentation:

  • Records of Processing activities
  • Sub-processor list and agreements
  • Data security measures and policies
  • Data breach records and responses
  • DPIA summaries (non-confidential portions)

How to Request:

  • Email: dpo@askmydna.com
  • Subject: "Audit Documentation Request"
  • Response: Within 30 days

12.2 Third-Party Audits

We undergo:

  • Annual Security Audits: By independent third-party auditors
  • GDPR Compliance Reviews: Regular assessment of data protection practices
  • Penetration Testing: Regular testing of security controls

Audit Reports: Summaries available upon request (confidential details may be redacted).

13. Liability and Indemnification

13.1 Liability Allocation

  • Each party is liable for damages caused by Processing that violates GDPR
  • We are liable for damages caused by our Sub-processors as if we caused them directly
  • Liability follows GDPR Article 82 provisions

13.2 Limitation

Our liability under this DPA is subject to limitations in the Terms of Service, except where prohibited by law.

13.3 Indemnification

We will indemnify you for damages and costs arising from:

  • Our breach of this DPA
  • Our non-compliance with GDPR
  • Unauthorized Processing by our employees or Sub-processors

14. Term and Termination

14.1 Term

This DPA is effective as of your acceptance of the Terms of Service and continues while we Process your Personal Data.

14.2 Termination

This DPA terminates when:

  • You delete your account and all Personal Data is erased
  • The Terms of Service terminate
  • By mutual written agreement

14.3 Effect of Termination

Upon termination:

  • We will cease Processing your Personal Data
  • We will delete or return your Personal Data as you direct
  • Deletion will occur within 30 days from active systems
  • Backup data will be purged within 90 days
  • Provisions related to confidentiality, liability, and audit survive

15. Amendments

15.1 Changes to DPA

We may update this DPA to reflect:

  • Changes in data protection laws
  • New Sub-processors or Processing activities
  • Enhanced security measures
  • Supervisory authority guidance

15.2 Notification

We will notify you of material changes:

  • Via email to your registered address
  • At least 30 days before changes take effect
  • You may object or terminate if you disagree with changes

16. Dispute Resolution

16.1 Good Faith Negotiations

Parties agree to first attempt to resolve disputes through good faith negotiations.

16.2 Supervisory Authority

You have the right to lodge a complaint with:

  • Czech Supervisory Authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
  • Your Local Authority: The supervisory authority in your EU country of residence

16.3 Governing Law

This DPA is governed by:

  • GDPR and applicable EU data protection laws
  • Czech data protection laws
  • As specified in the Terms of Service

17. Contact Information

Data Protection Officer: Email: dpo@askmydna.com

Privacy Team: Email: privacy@askmydna.com

Mailing Address:
Wundekind S.R.O.
Attention: Data Protection Officer
Roháčova 145/14, Žižkov
130 00 Praha 3
Czech Republic

Response Time: We aim to respond within 5 business days.


By using the Ask My DNA Service, you acknowledge that you have read, understood, and agree to this Data Processing Addendum.

Last Updated: January 1, 2025 Version 1.0
