Data Processing Addendum (DPA)

Last Updated: November 7, 2025

This Data Processing Addendum (“DPA”) supplements the Terms of Service (“Agreement”) between BOSS Startup Science, Inc. (“Startup Science” or “Processor”) and any customer organization, accelerator, university, or similar entity using the Startup Science platform (“Customer” or “Controller”).

This DPA applies where Startup Science processes Personal Data on behalf of the Customer under the Agreement, in accordance with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”) and UK GDPR.

1. Roles

The Customer is the Data Controller: it determines the purposes and means of processing Personal Data.
Startup Science is the Data Processor: it processes Personal Data only on the Customer’s documented instructions.

2. Scope and Purpose

Startup Science processes Personal Data solely to provide the Services described in the Agreement, including:

Hosting and managing platform accounts and content;
Enabling communication and collaboration among users authorized by the Customer;
Providing analytics, reporting, and functionality within the platform;
Delivering support and maintaining the security and performance of the Services.

Startup Science does not process Personal Data for its own independent marketing or sale to third parties.

3. Types of Data and Data Subjects

Categories of Personal Data may include:

Names, contact details, and professional information;
Organization or company affiliation;
Account credentials and activity logs;
Profile, application, and program-related information submitted by users;
Other data uploaded or submitted by the Customer or its users in connection with the Services.

Data Subjects may include:

Entrepreneurs, founders, and their team members;
Employees, contractors, and representatives of the Customer;
Advisors, mentors, and investors authorized by the Customer.

4. Processor Obligations

Startup Science shall:

Process Personal Data only on documented instructions from the Customer, including as set forth in the Agreement and this DPA;
Ensure persons authorized to process Personal Data are bound by confidentiality obligations;
Implement appropriate technical and organizational measures to protect Personal Data;
Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data;
Assist the Customer, to the extent reasonably possible, in fulfilling its obligations to respond to data subject requests and comply with security, breach notification, and data protection impact assessment requirements;
Maintain records of processing activities as required by law;
Not retain Personal Data longer than necessary to provide the Services or as required by law.

5. Sub-processors

Startup Science may engage third-party sub-processors to support the Services (e.g., hosting providers, infrastructure providers, analytics, CRM, and support tools).

Startup Science shall ensure sub-processors are bound by written agreements that provide data protection obligations no less protective than those in this DPA.
Customer authorizes Startup Science’s use of such sub-processors. A current list is available from Startup Science upon request.

6. International Transfers

Personal Data may be transferred to and processed in countries outside the EEA/UK, including the United States, where Startup Science or its sub-processors operate.

Where required, Startup Science shall ensure such transfers are subject to appropriate safeguards, such as the European Commission’s Standard Contractual Clauses or other lawful mechanisms.

7. Data Subject Rights

Taking into account the nature of the processing, Startup Science shall assist the Customer, insofar as possible, in fulfilling its obligation to respond to requests from data subjects to exercise their rights under applicable data protection laws (such as rights of access, rectification, erasure, restriction, portability, or objection).

8. Audit and Information Rights

Upon reasonable written request, Startup Science shall make available information necessary to demonstrate compliance with this DPA. Where required by applicable law, Customer may conduct audits (or appoint an independent auditor) subject to reasonable advance notice, confidentiality obligations, and without undue disruption to Startup Science’s operations or other customers.

9. Return or Deletion of Data

Upon termination or expiry of the Services relating to processing, Startup Science shall, at Customer’s choice and subject to legal requirements:

Delete Personal Data; or
Return Personal Data to the Customer.

Startup Science may retain limited copies as required by law or for legitimate business purposes (e.g., records, backups), subject to ongoing confidentiality and security obligations.

10. Liability

The parties’ liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party’s liability where such limitation is prohibited by applicable law.

11. Term

This DPA remains in effect for as long as Startup Science processes Personal Data on behalf of the Customer under the Agreement.

12. Contact

For questions regarding this DPA, please contact:

BOSS Startup Science, Inc.
Email: privacy@startupscience.io