Chiasm Logo
Use casesHow it worksPlatformPricingTeamFAQDocs
Log inRequest demo
Chiasm Logo
Use casesHow it worksPlatformPricingTeamFAQDocs
Request demoLog in

Legal

Data Processing Agreement

Last updated: 19-06-2026

Chiasm B.V. - Cloud-Based Eye-Tracking Service

1. Parties and Roles

This Data Processing Agreement ("Agreement") forms part of the agreement between:

Controller:

The customer, being a research institution or other organisation, that uses the Chiasm cloud-based eye-tracking service ("Controller"), having its registered office at [address], [City], [Country].

Processor:

Chiasm B.V., a private limited liability company (besloten vennootschap) incorporated under the laws of the Netherlands, having its registered office at Kastelenstraat 255 3, 1082EG Amsterdam, The Netherlands, registered with the Dutch Chamber of Commerce under number 99335719, hereinafter referred to as "Processor".

Together referred to as the "Parties".

2. Subject Matter and Duration

2.1 This Agreement governs the processing of personal data by Processor on behalf of Controller in the context of the provision of the Chiasm cloud-based eye-tracking service.

2.2 Processing shall commence upon activation of the services and continue for the duration of the underlying service agreement, unless otherwise agreed in writing.

3. Nature and Purpose of Processing

3.1 Processor shall process personal data solely for the purpose of:

  • Providing online eye-movement measurement services to Controller
  • Performing calibration and validation necessary for accurate gaze estimation
  • Operating, securing, and maintaining the service

3.2 Processor shall not process personal data for its own purposes unless expressly agreed in writing, where Processor acts as an independent controller, and where such processing is based on a valid legal basis and appropriate transparency and consent obligations have been fulfilled.

4. Categories of Data Subjects and Personal Data

4.1 Data subjects

  • Participants aged 18 and older
  • Users of the Chiasm service (researchers / experimenters)

4.2 Categories of personal data

Depending on configuration and consent:

  • Webcam images (calibration / validation phase only)
  • Pseudonymous calibration models and training data
  • Logging and technical metadata (timestamps, session IDs, browser information)
  • Account data of service users (name, email, login credentials)

Gaze coordinates provided to the Controller are processed in a pseudonymised or anonymised manner and, when no longer reasonably linkable to an identifiable individual, are not considered personal data under the GDPR.

5. Instructions of the Controller

5.1 Processor shall process personal data only on documented instructions of the Controller, including with regard to transfers to third countries.

5.2 Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

5.3 Controller remains solely responsible for:

  • Determining the purposes and means of processing
  • Ensuring the existence of a valid legal basis
  • Providing appropriate information to participants
  • Obtaining valid informed consent or other lawful basis

6. Confidentiality

6.1 Processor shall ensure that all persons authorised to process personal data are bound by confidentiality obligations or statutory duties of confidentiality.

7. Security Measures

7.1 Processor shall implement appropriate technical and organisational measures pursuant to Article 32 GDPR, including, where applicable:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Role-based access control
  • Segregated storage and environments
  • Logging and monitoring
  • Secure APIs

7.2 A description of the applicable technical and organisational measures is set out in Annex II.

8. Sub-processors

8.1 Controller hereby authorises the use of sub-processors as listed in Annex III.

8.2 Processor shall:

  • Enter into a written agreement with each sub-processor
  • Impose data protection obligations equivalent to this Agreement
  • Remain fully liable for the performance of sub-processors

8.3 Processor shall inform Controller of any intended changes concerning sub-processors and allow Controller to object on reasonable grounds. Controller may object within a reasonable period. Where such objection is justified, the Parties shall discuss in good faith a commercially reasonable solution.

9. Transfers Outside the EEA

9.1 As a rule, personal data shall be processed and stored within the European Economic Area.

9.2 Where transfers outside the EEA are required, such transfers shall take place only:

  • To recipients certified under the EU-US Data Privacy Framework; or
  • On the basis of Standard Contractual Clauses pursuant to Article 46 GDPR, where applicable

10. Assistance to Controller

Processor shall provide reasonable assistance to Controller in:

  • Responding to data subject requests
  • Ensuring compliance with Articles 32-36 GDPR
  • Supporting DPIAs and consultations with supervisory authorities

11. Data Subject Requests

11.1 For processing under this Agreement, the Controller is responsible for handling data subject requests.

11.2 Processor shall promptly notify Controller of any request received and shall not respond directly unless instructed.

12. Personal Data Breaches

12.1 Processor shall notify Controller without undue delay after becoming aware of a personal data breach.

12.2 Such notification shall include:

  • Description of the breach
  • Likely consequences
  • Measures taken or proposed

13. Deletion and Return of Data

13.1 Upon termination of the services, Processor shall, at the choice of Controller:

  • Delete all personal data; or
  • Return all personal data and delete remaining copies

unless retention is required by law.

13.2 Deletion shall be performed in accordance with the deletion procedures and timelines described in Annex I or as otherwise instructed by the Controller.

13.3 Unless the Controller requests earlier deletion or return, Processor shall make Controller personal data available for export for up to 60 days following termination of the services, after which Processor may delete remaining copies in accordance with Annex I unless retention is required by law.

14. Audits

14.1 Controller may audit Processor's compliance with this Agreement, subject to:

  • Reasonable notice
  • Confidentiality
  • Minimal disruption

14.2 Processor may provide third-party audit reports or certifications in lieu of on-site audits where appropriate.

14.3 Audits shall be conducted at the Controller's expense unless otherwise required by law.

15. Liability

15.1 Each Party shall be liable in accordance with the liability provisions of the underlying service agreement and applicable law.

15.2 Processor shall be liable only for breaches of this Agreement attributable to its own processing activities.

16. Governing Law

This Agreement shall be governed by the laws of the Netherlands.

Disputes shall be submitted to the competent courts in the Netherlands, unless otherwise agreed.

Annex I - Description of Processing

Subject matter: Online eye-tracking via webcam

Nature: Collection, processing, calibration, inference, temporary storage, and deletion

Purpose: Provision of gaze estimation services for research and analysis

Duration: Per session and per contractual retention schedule

Retention periods:

  • Gaze positions: 90 days, then anonymised or deleted
  • Webcam frames (if consented): up to 1 year
  • Calibration models: until end of session
  • Logging: up to 6 months

Annex II - Technical and Organisational Measures

  • TLS 1.3 encryption in transit
  • AES-256 encryption at rest
  • VPC isolation within GCP Europe
  • Role-based IAM and logging
  • Access limited to authorised staff
  • Regular security reviews
  • Periodic deletion and anonymisation

Annex III - Authorised Sub-processors (initial)

  • Google Cloud Platform (Europe region) - cloud infrastructure and storage. Google Cloud Platform acts as a sub-processor and does not access personal data except as necessary to provide infrastructure services.
  • Stripe, Inc. (US / Ireland) - payment processing, subscription management, invoicing, billing portal, tax calculation. Certified under EU-US Data Privacy Framework.

No other sub-processors are authorised without prior notification.

17. Entry into effect

17.1 This Agreement is entered into when the Controller accepts the Chiasm Terms of Service, including by creating an account or subscribing, and Chiasm makes the Service available to the Controller.

17.2 The Controller represents that the person accepting on its behalf has authority to bind the Controller to this Agreement.

17.3 Chiasm B.V. is bound as Processor upon publication of this Agreement and provision of the Service following acceptance.

17.4 For enterprise or custom arrangements, the Parties may execute a separate written agreement or order form. If so, that document governs to the extent it expressly modifies this Agreement.

Chiasm Logo

Browser-native eye tracking for modern research teams.

Product

How it worksPlatformPricingFAQ

Company

Chiasm B.V.

Amsterdam, The Netherlands

KvK Number: 99335719

Legal

Privacy policyTerms of serviceData Processing Agreement

Connect

contact@chiasm.eu

Request demo

© 2026 Chiasm. Built for the future of behavioral science. ·