Data Processing Agreement

GDPR Article 28 terms and practical processing details for First Author.

Last updated: June 6, 2026

Important: This is a practical compliance draft for a beta product operated by Dr. Philipp Münch - AI Software & SaaS. It is intended to meet the core GDPR Article 28 processor-contract requirements for the processing First Author actually performs. It is not a substitute for legal advice, and customers remain responsible for their own controller obligations.

1. Scope and Roles

This Data Processing Agreement ("DPA") forms part of the FirstAuthor Terms of Service when FirstAuthor processes personal data on behalf of a customer, lab, workspace owner, or other controller. In that context, the customer is the controller and Dr. Philipp Münch - AI Software & SaaS is the processor.

This DPA applies to library, uploaded/fetched PDF, reference, browser-extension, and AI-feature data processed through FirstAuthor. For account administration, sign-in, support, security, website analytics, optional marketing, and other processing where FirstAuthor determines the purposes and means, FirstAuthor may act as an independent controller as described in the Privacy Policy.

2. Processing Instructions

FirstAuthor will process customer personal data only on documented instructions from the controller. The documented instructions are the Terms of Service, this DPA, the customer's configuration and user actions inside the product, and written instructions sent to hello@firstauthor.ai.

FirstAuthor may process data where required by EU or German law. If legally permitted, we will notify the controller before carrying out such legally required processing. We will also inform the controller if we believe an instruction violates GDPR or other EU or Member State data protection law.

3. Subject Matter and Duration

The subject matter is the operation of FirstAuthor as a reference-management and reading service for scientific papers, with AI assistance. Processing continues for the duration of the customer's use of the service and any legally or operationally required retention period described below.

4. Nature, Purpose, and Categories

Categories of data, with examples and the purpose of processing:

  • Account data
    Examples: Name, email, Google sign-in identifiers (when used), account settings, and support messages
    Purpose: Authentication, account operation, support, abuse prevention, and any paid plan
  • Library content
    Examples: Saved references and citations, attached or fetched PDFs, tags, groups/collections, highlights and "Explain" annotations, reading state, and AI summaries
    Purpose: Storing, organising, syncing, exporting, and reading your library
  • AI feature inputs and outputs
    Examples: Open-paper and extracted PDF text, your questions and prompts, chat history, embeddings for semantic search, model outputs, summaries, and highlights
    Purpose: Per-paper summaries, "Explain", the "Ask" reference chat, the enhanced reading view (OCR), semantic search, and AI-usage accounting
  • Reference lookup and import data
    Examples: DOIs, titles, and search queries sent to public scholarly APIs, fetched metadata and open-access PDF candidates, and browser-extension import metadata
    Purpose: Importing references, searching, and finding open-access PDFs at your request
  • Technical, security, and usage data
    Examples: Session and live-demo cookies, IP and user-agent hashes, request logs, rate-limit events, AI token usage, and product analytics
    Purpose: Security, access control, service reliability, debugging, cost control, rate limiting, and aggregate product analytics
  • Billing and email data
    Examples: Stripe customer/subscription identifiers and invoice metadata (only for a paid plan), email address, recipient names, and message metadata
    Purpose: Any paid plan, transactional emails, invitations, notifications, and support communication

Data subjects can include users, support contacts, billing contacts, and people mentioned in content you save. Saved content may contain special-category or confidential research data if you choose to add it; you are responsible for ensuring a valid legal basis and appropriate notices for that content.

5. Confidentiality and Personnel

FirstAuthor limits access to customer personal data to personnel and contractors who need access to operate, secure, support, or improve the service. Persons authorized to process customer personal data must be bound by confidentiality obligations or an appropriate statutory duty of confidentiality.

6. Security Measures

FirstAuthor implements technical and organizational measures appropriate for a small beta SaaS product and the risks of processing scientific references and papers, including:

  • TLS-protected transport for browser, API, storage, collaboration, payment, email, and AI calls.
  • Session cookies and account permissions for access control.
  • Browser caching for faster loading; your saved library is synced to your account.
  • Separate storage of uploaded files (PDFs) and structured metadata, with authenticated file access through the application.
  • Hashed IP addresses and hashed user-agent fingerprints for live-demo and share-link rate limiting.
  • Operational logging, abuse-prevention checks, AI budget limits, and service-health monitoring.
  • Deletion workflows for your library, references, attached files, and live-demo data.

7. AI Processing

AI features are user-initiated or feature-triggered within the product. FirstAuthor sends only the content needed for the requested feature, such as the open paper's text, an extracted PDF passage, your question or prompt, chat history, or a reference's metadata.

  • OpenRouter routes the "Ask" reference chat, per-paper summaries, and "Explain" to underlying models.
  • Anthropic is called directly for some features.
  • OpenAI computes text embeddings that power semantic search.
  • Mistral performs OCR to build the enhanced reading view from an attached PDF.
  • AI usage metadata, token counts, cost estimates, model IDs, and feature context may be stored for abuse prevention, debugging, budget enforcement, and any billing.
  • Generated summaries, highlights, and annotations may be stored so you can view them again later.

FirstAuthor does not intentionally opt customer content into provider model training and relies on provider API controls and terms where available. Customers should not use AI features for content they are not permitted to send to third-party processors.

8. Subprocessors

The controller gives FirstAuthor general written authorization to use subprocessors needed to provide the service. FirstAuthor remains responsible to the controller for subprocessors used to perform processing on FirstAuthor's behalf and will impose data-protection obligations that are the same in substance as the obligations in this DPA.

FirstAuthor will provide notice of intended material additions or replacements of subprocessors by updating this page or another reasonable channel and giving controllers an opportunity to object. Controllers may object on reasonable data-protection grounds by contacting hello@firstauthor.ai. If an objection cannot be resolved, the affected feature may need to be disabled or the service relationship ended for the affected processing.

Current subprocessors, with purpose and processing location:

  • Vercel
    Purpose: Hosting, serverless runtime, logs, Vercel Postgres, Blob storage (PDFs), and Vercel Web Analytics
    Location: EU/US/global infrastructure
  • Google
    Purpose: Identity provider for "Sign in with Google"; and, only after cookie-banner consent, Google Ads conversion measurement
    Location: US / global
  • OpenRouter
    Purpose: Model routing for the "Ask" reference chat, per-paper summaries, and "Explain"
    Location: US / provider-dependent
  • Anthropic
    Purpose: Direct AI model calls for some reader features
    Location: US
  • OpenAI
    Purpose: Text embeddings (text-embedding-3-small) that power semantic search
    Location: US
  • Mistral
    Purpose: OCR that converts an attached PDF into the enhanced reading view
    Location: EU/US
  • Resend
    Purpose: Transactional email: confirmations, invitations, notifications, waitlist, and support-related messages
    Location: US
  • Pushover
    Purpose: Operational heads-up to the operator when a public live-demo session starts (approximate region derived from IP, referring page)
    Location: US / global
  • Stripe
    Purpose: Checkout, subscriptions, and invoices, only if you purchase a paid plan
    Location: US / global
  • Public scholarly APIs
    Purpose: Reference metadata and open-access PDF lookups when you import, search, or fetch a paper, including Crossref, OpenAlex, Unpaywall, Semantic Scholar, DataCite, arXiv, PubMed/NCBI, and Europe PMC
    Location: Provider-dependent

9. International Transfers

FirstAuthor is based in Germany and primarily uses EU/EEA infrastructure for the core database where available. Some subprocessors and provider networks process data in the United States or other third countries, especially AI, sign-in, payments, email, file storage, analytics, and public scholarly APIs.

Where Chapter V GDPR applies, transfers are based on appropriate transfer mechanisms such as adequacy decisions, the EU-U.S. Data Privacy Framework for participating US companies, Standard Contractual Clauses, and supplementary measures where required. Explicit consent is not used as the default transfer mechanism for ordinary service processing.

10. Assistance and Data Subject Requests

Taking into account the nature of the processing, FirstAuthor will reasonably assist the controller with data-subject requests and controller obligations under Articles 32 to 36 GDPR. Most access, export, deletion, and portability actions are available through the product. Requests that cannot be handled in the product should be sent to hello@firstauthor.ai.

11. Personal Data Breach Notice

FirstAuthor will notify the controller without undue delay after becoming aware of a personal data breach affecting customer personal data processed under this DPA. The notice will include information reasonably available to FirstAuthor so the controller can assess and meet its own notification obligations.

12. Deletion, Return, and Retention

  • After the service relationship ends, FirstAuthor will delete customer personal data or make it available for return/export at the controller's choice, unless EU, German, or other applicable law requires continued storage.
  • Active library data is retained while your account remains active.
  • Deleted references, attached files, and other library data are removed from active systems through the relevant product workflows.
  • Backups and logs may retain deleted data for a limited period, generally up to 30 days unless longer retention is required for security, billing, legal, or abuse-prevention reasons.
  • Public live-demo accounts are throwaway and reset automatically; their seeded library and any AI usage are short-lived and not linked to a real account.
  • Billing, tax, security, and legal records may be retained where FirstAuthor is legally required or has a legitimate need to preserve them.

13. Audit and Compliance Information

FirstAuthor will make available information reasonably necessary to demonstrate compliance with Article 28 GDPR and will allow and contribute to audits, including inspections, subject to reasonable scope, timing, confidentiality, security, and protection of other customers' data. Because FirstAuthor is a small beta service, audits should normally be handled through written security and processing information, responses to reasonable questionnaires, and review of this DPA and related documentation.

14. Customer Responsibilities

The controller is responsible for the lawfulness of customer content and instructions, providing required notices to data subjects, obtaining any necessary permissions, and deciding whether FirstAuthor is appropriate for confidential, regulated, export-controlled, patient, human-subject, or special-category research data. FirstAuthor is not designed as a dedicated medical-record, clinical-trial, HIPAA, GxP, or high-assurance enterprise compliance system.

15. Cookies, Local Storage, and Analytics

FirstAuthor uses necessary cookies and browser storage for authentication, the public live-demo session, share-link access where used, browser caching, and preferences. Vercel Web Analytics is used for aggregate website metrics. Google Ads conversion measurement is loaded only after optional cookie-banner consent where the banner is enabled.

16. Legal References

This DPA is drafted around GDPR Article 28 processor-contract requirements and Article 32 security obligations. The European Commission has published standard contractual clauses for controller-processor relationships under Article 28 and separate transfer mechanisms for third-country transfers, including adequacy decisions and Standard Contractual Clauses.

17. Contact

For DPA questions, processor assistance requests, or objections to material subprocessor changes, contact Dr. Philipp Münch - AI Software & SaaS at hello@firstauthor.ai.

First Author is provided as beta software. This DPA may be updated as the service, providers, and legal requirements evolve.