Data Use Agreement
1. Purpose and Scope
This Data Use Agreement ("DUA") supplements and forms part of the Terms of Service between Databasin LLC ("Databasin," "we," "us") and each customer organization that uses the Databasin Platform ("Customer," "you," "your"). It describes how Databasin handles data that Customer and its users upload, connect, process, or generate through the Platform.
This DUA applies to the Databasin SaaS Platform at app.databasin.ai. It does not apply to Self-Install deployments, where the Databasin software runs inside Customer's own Azure tenant under Customer's governance; Databasin has no access to Customer Data in a Self-Install deployment.
2. Definitions
- "Customer Data" means any data, including Personal Information, that Customer uploads, connects to, queries, or generates using the Platform.
- "Personal Information" means any information that identifies or reasonably could be linked to an identifiable individual.
- "PHI" means Protected Health Information as defined in 45 C.F.R. § 160.103.
- "Sub-processor" means a third party engaged by Databasin to process Customer Data on Databasin's behalf.
- "Security Incident" means any confirmed unauthorized access to, acquisition of, or disclosure of Customer Data in Databasin's possession.
3. Ownership of Customer Data
Customer retains all rights, title, and interest in Customer Data. Databasin claims no ownership of Customer Data. Customer grants Databasin a limited, non-exclusive license to process Customer Data solely for the purposes described in Section 4.
4. Permitted Uses of Customer Data
Databasin will process Customer Data only to:
- Provide, operate, maintain, and improve the Platform
- Meter usage and generate billing records
- Respond to Customer's support requests
- Detect, prevent, and mitigate fraud, abuse, or security threats
- Comply with applicable law or valid legal process
- Enforce the Terms of Service
Databasin will not:
- Sell, rent, or lease Customer Data
- Share Customer Data with third parties except as required to deliver the Platform or as required by law
- Use Customer Data to train Databasin's or any third party's machine learning or artificial intelligence models
- Access Customer Data for any reason not listed above without Customer's prior written consent, except as needed for urgent troubleshooting — in which case notice is given to Customer after the fact
5. Sub-processors
Databasin uses the following Sub-processors to deliver the Platform. All are located in the United States.
- Microsoft Azure — hosting, storage, compute, networking, and private AI (Azure OpenAI Service)
- Stripe — SaaS billing and payment processing
- Microsoft Azure Marketplace — Self-Install billing
- HubSpot — customer relationship management
By default, Customer Data submitted to Platform AI features is processed through Azure OpenAI Service in a private deployment configuration, which does not use Customer Data to train third-party models. Customer may configure the Platform to use a different large language model provider of Customer's choosing. When Customer does so, that provider's terms govern the processing of Customer Data by that provider, and Databasin is not responsible for the third-party provider's processing or security practices.
Databasin will give Customer at least thirty (30) days' prior written notice (via email or in-Platform notice) before adding or replacing a Sub-processor that processes Customer Data. Customer may object in writing within thirty (30) days on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected Platform subscription and receive a prorated refund of prepaid fees for the unused portion of the subscription.
6. Security
Databasin maintains administrative, technical, and physical safeguards reasonably designed to protect Customer Data, including:
- Encryption — TLS 1.2 or higher in transit; AES-256 at rest
- Tenant isolation — logical segregation of Customer Data between customers
- Access controls — role-based access, multi-factor authentication for Databasin personnel, least-privilege principles
- Monitoring & logging — security event monitoring and audit logging of access to production systems
- Patch management — regular vulnerability scanning and timely patching
- Personnel — background checks for employees with access to Customer Data; security and privacy training on hire and annually thereafter
- Business continuity — backups and documented recovery procedures
- Secure development — code review, dependency scanning, and security testing for Platform changes
These safeguards are consistent with industry standards for SaaS data platforms, including practices drawn from the HIPAA Security Rule, the NIST Cybersecurity Framework, and SOC 2 Trust Services Criteria.
7. Protected Health Information (PHI) and HIPAA
Customer may process PHI on the Databasin Platform provided the parties first execute a Business Associate Agreement ("BAA"). Contact info@databasin.co to request a BAA prior to uploading PHI.
For Customers handling highly sensitive health data, clinical research data, genomic data, or data subject to institutional review board restrictions, Databasin strongly recommends Self-Install. In a Self-Install deployment, the Databasin software operates inside Customer's own Azure tenant and Customer retains sole control and custody of Customer Data. Databasin has no logical access to a Self-Install deployment or the data within it. Customer's own information-security program governs the deployment. Contact info@databasin.co to discuss Self-Install.
8. Customer Responsibilities
Customer is solely responsible for:
- The legality of Customer Data and the basis on which Customer's end users provide it
- Obtaining any consents, permissions, or authorizations required under applicable law, including HIPAA authorizations, GLBA notices, FERPA consents, and other sector-specific requirements
- The accuracy, quality, and content of Customer Data
- The security of Customer's account credentials, API keys, and end-user accounts
- Appropriate configuration of access controls, data retention, and data-sharing settings within the Platform
- Compliance with the Acceptable Use section of the Terms of Service
9. Security Incident Notification
If Databasin determines that a Security Incident affecting Customer Data has occurred, Databasin will:
- Notify Customer without undue delay, and in any event within seventy-two (72) hours of confirmation
- Describe the nature of the incident, the categories of Customer Data affected, and the measures taken or proposed to address it
- Cooperate with Customer's reasonable investigation and remediation efforts
Notification does not constitute an admission of fault or liability by Databasin.
10. Audits
Upon Customer's reasonable written request, no more than once per calendar year, Databasin will provide:
- A summary of its most recent third-party security assessment, if available
- A written description of its security practices
- Reasonable responses to written security questionnaires
Customers with material regulatory obligations (for example, HIPAA covered entities requiring vendor oversight) may request an additional on-site or remote audit on reasonable notice, subject to a mutually agreed scope, schedule, and confidentiality terms.
11. Data Retention and Return
- Active accounts — Customer Data is retained as long as the Customer subscription is active.
- Account disabled by Databasin (for example, non-payment) — Customer Data is retained for thirty (30) days to permit reinstatement and then permanently deleted.
- Customer-initiated deletion — if Customer deletes a Platform account or specific Customer Data, that data is permanently deleted within twenty-four (24) hours.
- On termination — Customer may export Customer Data through Platform export features at any time prior to or during a thirty (30) day post-termination window. After thirty days from termination, Databasin will permanently delete all Customer Data unless retention is required by applicable law.
Deletion is permanent. Databasin cannot recover deleted Customer Data. Customer is responsible for maintaining its own backups of Customer Data it cannot afford to lose.
12. No International Transfers
Databasin processes and stores Customer Data in the United States. Databasin does not transfer Customer Data outside the United States in the ordinary course of business. Customers accessing the Platform from outside the United States acknowledge that Customer Data they upload is transferred to and processed in the United States.
13. Conflicts
In the event of a conflict between this DUA and the Terms of Service, this DUA controls with respect to the handling of Customer Data. In the event of a conflict between this DUA and a separately signed Business Associate Agreement or Data Processing Addendum between the parties, that separately signed agreement controls.
14. Changes to this DUA
Databasin may update this DUA. If a change materially reduces Customer's rights, Databasin will give Customer at least thirty (30) days' notice by email or in-Platform notice before the change takes effect, and Customer may terminate the affected subscription for a prorated refund if Customer reasonably objects. Other changes take effect upon posting the updated DUA with a new "Effective" date.
15. Contact
Databasin LLC · Attn: Legal
707 Spirit 40 Park Drive, Ste. 120
Chesterfield, Missouri 63005
info@databasin.co