This Data Processing Addendum (“Addendum”) forms part of the Terms of Service or any agreement (the “Agreement”) between Litmap Limited (“ResearchRabbit”, “Processor”) and the customer entity agreeing to the Agreement (“Customer”, “Controller”).
This Addendum applies where ResearchRabbit processes Personal Data on behalf of Customer in connection with the ResearchRabbit service.
1. Definitions
• “Personal Data” means any information relating to an identified or identifiable natural person.
• “Data Protection Laws” means all applicable data protection and privacy laws, including (where applicable) the GDPR and UK GDPR.
• “Processing” has the meaning given under applicable Data Protection Laws.
• “ResearchRabbit Service” means the ResearchRabbit literature discovery and research exploration platform.
2. Roles of the Parties
• Customer is the Controller of Personal Data.
• Litmap Limited (ResearchRabbit) is the Processor.
ResearchRabbit will process Personal Data only on documented instructions from Customer, unless required to do so by applicable law.
3. Nature and Purpose of Processing
3.1 Nature of Processing
Processing activities may include:
• collection
• storage
• organisation
• retrieval
• analysis
• synchronisation with third-party integrations (e.g. reference managers)
3.2 Purpose of Processing
To provide and improve the ResearchRabbit Service, including:
• user account management
• literature discovery and recommendation
• visualisation of research networks
• citation tracking
• integration with third-party tools
3.3 Categories of Data Subjects
• Researchers
• Students
• Academic staff
• Customer personnel
3.4 Types of Personal Data
• Name and email address
• Account credentials and authentication data
• Usage and interaction data
• Content submitted by users (e.g. saved papers, collections, annotations)
• Integration data (e.g. metadata synced from third-party tools)
4. Duration of Processing
ResearchRabbit will process Personal Data for the duration of the Agreement and thereafter in accordance with Section 10 (Deletion or Return of Data).
5. Confidentiality
ResearchRabbit ensures that all personnel authorised to process Personal Data are subject to confidentiality obligations.
6. Security Measures
ResearchRabbit implements appropriate technical and organisational measures, including:
• Encryption in transit (TLS)
• Encryption at rest (where applicable)
• Access controls based on least privilege
• Authentication and authorisation mechanisms
• Monitoring and logging of systems
• Backup and recovery procedures
• Regular updates and patching
7. Subprocessors
7.1 General Authorisation
Customer provides general authorisation for ResearchRabbit to engage subprocessors.
7.2 Subprocessor List
A current list of subprocessors is available at:
https://www.researchrabbit.ai/legal/subprocessors
7.3 Subprocessor Obligations
ResearchRabbit will:
(a) enter into written agreements with subprocessors imposing data protection obligations no less protective than those set out in this Addendum; and
(b) remain responsible for their performance.
7.4 Changes to Subprocessors
ResearchRabbit may update subprocessors from time to time and will provide notice by updating the subprocessor list.
7.5 Objections
Customer may reasonably object to a new subprocessor on data protection grounds within 14 days of notice.
8. Data Subject Rights
ResearchRabbit will assist Customer, taking into account the nature of processing, in responding to data subject requests, including:
• access
• correction
• deletion
• restriction of processing
9. Personal Data Breaches
ResearchRabbit will notify Customer without undue delay after becoming aware of a Personal Data Breach and provide reasonable information to assist Customer in meeting its obligations.
10. Deletion or Return of Data
Upon termination of the Agreement, ResearchRabbit will, at Customer’s choice:
• delete Personal Data; or
•return Personal Data
unless retention is required by law.
Backups may retain data for a limited period consistent with standard retention practices.
11. International Data Transfers
Where Personal Data is transferred outside of the EEA or UK, ResearchRabbit will ensure appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs), or
• other lawful transfer mechanisms
12. Audit Rights
ResearchRabbit will make available information reasonably necessary to demonstrate compliance.
Audits are subject to:
• reasonable notice
• no more than once annually (unless required by law)
• confidentiality obligations
13. Limitation of Liability
Liability under this Addendum is subject to the limitations set out in the Agreement.
14. Governing Law
This Addendum is governed by the same law as the Agreement unless otherwise required by applicable Data Protection Laws.
15. Order of Precedence
In case of conflict, this Addendum prevails over the Agreement with respect to Personal Data processing.
Annex 1: Details of Processing
Subject Matter:
Provision of the ResearchRabbit Service
Duration:
For the duration of the Agreement
Nature and Purpose:
As described in Section 3
Categories of Data Subjects:
As described in Section 3
Types of Personal Data:
As described in Section 3
Annex 2: Security Measures
ResearchRabbit maintains administrative, technical, and physical safeguards appropriate to the risk, including:
• Secure cloud infrastructure hosted by reputable providers
• Network security controls (e.g. firewalls)
• Role-based access control
• Employee access restrictions
• Monitoring and incident response processes
• Regular system updates and vulnerability management