Data Processing Agreement

Last Updated: March 30, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Scale Prognostics LLC ("Scale Prognostics," "we," "us") and the customer ("Customer," "you") governing the processing of data through the Scale Prognostics battery degradation prediction API.

1. Definitions

"Customer Data" means all data submitted by the Customer through the API, including Simulation Inputs and Calibration Data.

"Simulation Inputs" means battery cycling parameters, operating conditions, and configuration data submitted to generate degradation predictions.

"Calibration Data" means experimental or field data provided by the Customer for the purpose of calibrating the model to their specific battery chemistry or use case.

"Processing" means any operation performed on Customer Data, including receiving, computing, transforming, and returning results.

2. Data Processing Scope

Scale Prognostics processes Simulation Inputs solely to execute degradation predictions and return results to the Customer. Processing occurs on demand in response to API requests. We do not process Customer Data for any purpose beyond delivering the contracted prediction service.

3. Data Isolation

Customer Data is never pooled, aggregated, or combined with data from other customers. Each calibration is isolated to the Customer's account. No Customer Data is used to train, improve, or enhance models served to other customers.

4. Data Retention

Simulation Inputs are processed in memory and are not persisted after the API response is returned. Calibration parameters are computed and returned to the Customer in the response payload; they are not stored server-side beyond the active session. Usage metadata (request counts, timestamps) is retained for billing and rate-limiting purposes.

5. No Secondary Use

Customer Data will not be sold, licensed, shared with third parties, or used for any purpose other than providing the contracted service. We do not use Customer Data for marketing, analytics, model training, or any secondary purpose.

6. Encryption and Security

All data transmitted between the Customer and the API is encrypted in transit using TLS 1.2 or higher. API keys are generated using cryptographically secure random functions and are unique to each Customer account. Customers are responsible for safeguarding their API keys and should treat them as sensitive credentials.

7. Data Deletion

Upon contract termination or account closure, all customer-associated data -- including API keys, usage logs, and account records -- will be deleted within 90 days. Customers may request immediate deletion at any time.

8. Subprocessors

Scale Prognostics uses the following subprocessors to deliver the service:

Railway (US region) — Application hosting and compute infrastructure. Simulation Inputs are processed on Railway-hosted servers. Sub-processor agreement: railway.com/legal/dpa.
Stripe, Inc. (US) — Payment processing and subscription billing. No Customer simulation data passes through Stripe. Stripe receives only billing information (name, email, payment method). Sub-processor agreement: stripe.com/legal/dpa.
Anthropic PBC (US, Claude API) — Powers the public chat assistant on scaleprognostics.com. When Customers or site visitors interact with the chat widget, their messages and Scale Prognostics' system prompt transit Anthropic's API for inference. No Customer Simulation Inputs, calibration data, or telemetry are sent to Anthropic. The chat tool can invoke a server-side run_simulation function on inputs the visitor types; results return through Scale Prognostics' API, not via Anthropic. Anthropic's zero-retention API tier is the default for this integration. Sub-processor agreement: anthropic.com/legal/dpa.
Netlify, Inc. (US) — Static frontend hosting (the marketing site, /docs, /methodology, /dashboard). Netlify receives standard HTTP request metadata (IP, user-agent, page path) but no Customer Simulation Inputs.

We will notify Customers before adding new subprocessors that handle Customer Data. Customers may object to a new subprocessor under Article 28(2) GDPR within 30 days of notification, at which point we will either (a) modify the proposed subprocessor relationship to address the objection, or (b) terminate the affected Service with pro-rata refund of pre-paid fees.

9. Security Incident Notification

In the event of a confirmed security incident involving Customer Data, Scale Prognostics will:

Notify affected Customers without undue delay and, in any event, within 72 hours of becoming aware of the incident, consistent with industry standards (GDPR Article 33, DFARS 252.204-7012(c) for Defense Federal Acquisition Regulation Supplement applicability);
Provide reasonably available information about the incident, including the nature of the incident, categories of data affected, likely consequences, and measures taken or proposed to address it;
Preserve relevant logs and forensic artifacts to support the Customer's own incident response and regulatory obligations;
Cooperate in good faith with any Customer-driven investigation or audit reasonably required to assess the scope of the incident.

Initial notification may be made through the Customer's designated security contact (or, absent one, the email associated with the account). Detailed forensic findings may follow as the investigation progresses.

10. Customer Rights

Customers may request a full export or deletion of their account data at any time by contacting support@scaleprognostics.com. We will respond to data requests within 30 days.

11. Governing Law

This DPA is governed by and construed in accordance with the laws of the State of Georgia, USA, without regard to its conflict of law provisions.

12. Contact

For questions about this DPA or data processing practices, contact us at jason@scaleprognostics.com.