Data Processing Agreement
Last updated: 12 June 2026
Parties
This data processing agreement is entered into between the subscribing institution (the controller) and [OWNER INPUT PENDING - H11: legal entity and jurisdiction] (the processor). The processor operates the AIPR service at aipr.pub.
Subject matter
The processor generates AI-assisted peer review drafts from manuscripts the controller submits and makes them available to the controller's reviewers through the AIPR service. Reviewers stay in control of every decision; the processing exists to give them a first read.
Duration
Processing lasts for the term of the service agreement between the parties. When the agreement ends, processing stops and the deletion and return clause applies.
Categories of data
Manuscript content (the text of submitted papers and supporting material), reviewer account data (email address, name, optional ORCID iD), and standard server logs (IP address, user agent, request path) kept for 30 days.
Sub-processors
The controller authorizes the following sub-processors. Each one sees only what it needs to do its job.
OpenAI (United States). Performs the model inference that generates the review, under enterprise API terms with no training on submitted content. Receives the manuscript text and returns the structured review.
DigitalOcean (European Union and United States). Application hosting, managed PostgreSQL, and Spaces (S3-compatible) blob storage. SOC 2 Type II certified. Holds stored papers, reviews, account records, and encrypted database backups.
Stripe (United States). Payment processing. Handles checkout end-to-end. We receive a customer reference and entitlement records, never card data.
Resend (United States). Transactional email delivery. Sees the recipient address and the content of each transactional email.
Google Analytics (Global). Aggregate, anonymized traffic measurement on the public site, never used for advertising. Sees anonymized, aggregate traffic measurements. No manuscript content reaches it. Consent-gated on the public site and not part of manuscript processing.
The processor informs the controller before adding or replacing a sub-processor.
Security measures
All connections use TLS 1.2 or newer. Database backups are encrypted at rest before upload to object storage. Passwords are stored as bcrypt hashes. Sessions use HMAC-signed, HttpOnly/Secure cookies with SameSite=Lax. Encrypted backups follow a tiered retention of 7 daily / 4 weekly / 3 monthly snapshots and are tested on a recurring restore cadence. We never use your submitted content to train a model. Neither do the model providers we route to. AIPR runs under standard commercial API terms, which contractually exclude your prompts and documents from any training or fine-tuning. This holds for every reviewer, every manuscript, on every tier.
Breach notice
The processor notifies the controller without undue delay after becoming aware of a personal data breach affecting the controller's data, and shares the known scope and the remediation steps as the investigation proceeds.
Deletion and return
At the end of the engagement, the processor returns or deletes the controller's manuscripts and personal data, at the controller's choice. Anonymous uploads (no account attached) are deleted after 7 days. Account-attached papers and reviews are kept for as long as the account is active. Deleting the account removes the associated personal data within 30 days. The model provider may retain a request for around 30 days for abuse monitoring. On accounts where zero data retention is enabled, that window is removed and content is dropped immediately after the response. You can request a copy of your data, an export of your reviews, an account deletion, or a takedown of a review you authored, by emailing [email protected]. We respond within five working days. Deletions complete within 30 days.
Audit
The processor makes available the information needed to demonstrate compliance with this agreement and, with reasonable notice, allows audits conducted by the controller or an auditor the controller mandates.
Signatures
This agreement is signable as-is. Signed for the controller: name, title, date. Signed for the processor: name, title, date.