Data Processing Addendum

International Data Processing Agreement for Non-US Customers and GDPR Compliance

Last Updated: January 9, 2026 | Effective Date: January 9, 2026

Electronic Signature & Acceptance

This Data Processing Addendum ("DPA") becomes legally binding when you:

  1. Check the "I agree to the Data Processing Addendum" checkbox during account setup
  2. Type your name in the signature field
  3. Click the "Sign Agreement" button

Your electronic signature has the same legal effect as a handwritten signature. A copy of your signed DPA is available in Settings → Legal Documents. For a countersigned PDF copy, email ben@wiebe-consulting.com.

Applicability: This Data Processing Addendum ("DPA") applies to the processing of personal data by Wiebe Consulting Inc. ("Processor" or "Clinic OS Pro") on behalf of customers ("Controller") located in the European Union, European Economic Area, United Kingdom, Canada, Israel, or other jurisdictions requiring a data processing agreement.


1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Controller" means the entity that determines the purposes and means of Processing
  • "Processor" means the entity that processes Personal Data on behalf of the Controller
  • "Sub-processor" means any third party engaged by Processor to process Personal Data
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "UK GDPR" means the GDPR as incorporated into UK law
  • "PIPEDA" means Canada's Personal Information Protection and Electronic Documents Act
  • "Israeli Privacy Law" means Israel's Protection of Privacy Law, 5741-1981

2. Scope and Roles

2.1 Relationship of Parties

Controller is the data controller for Personal Data of its patients and users. Processor acts as data processor when processing Personal Data on Controller's behalf through the Clinic OS Pro service.

2.2 Subject Matter

This DPA applies to all Personal Data processed by Processor in connection with providing the Clinic OS Pro service to Controller.

2.3 Nature and Purpose of Processing

Processor processes Personal Data for the following purposes:

  • Providing the Clinic OS Pro platform and its features
  • Syncing patient data from EMR systems
  • Generating task lists for patient outreach
  • Sending communications on Controller's behalf
  • Calculating metrics and generating reports
  • Providing customer support

2.4 Duration

Processing shall continue for the duration of the Terms of Service, plus any retention period required by law or specified in this DPA.

3. Categories of Personal Data

Categories of Data Subjects:

  • Controller's employees and users (clinic staff)
  • Controller's patients (physical therapy patients)

Types of Personal Data Processed:

  • User Data: Name, email, role, login credentials
  • Patient Identifiers: Name, email address, phone number
  • Visit Metadata: Appointment dates, visit counts, no-show status
  • Treatment Information: Program type, plan of care completion status
  • Communication Data: Message logs, delivery status

Data NOT Processed:

  • Medical diagnoses or health conditions
  • Clinical notes or treatment documentation
  • Government identification numbers
  • Financial account information (other than billing)
  • Special category data under GDPR Article 9

4. Processor Obligations

4.1 Lawful Processing

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Process Personal Data only to the extent necessary to provide the Service
  • Inform Controller if an instruction infringes applicable data protection law
  • Ensure persons authorized to process Personal Data are bound by confidentiality

4.2 Security Measures

Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Ability to ensure ongoing confidentiality, integrity, and availability
  • Ability to restore availability and access to Personal Data in a timely manner
  • Regular testing and evaluation of security measures

4.3 Sub-processors

Controller authorizes Processor to engage Sub-processors listed at /legal/subprocessors.

Processor shall notify Controller of any intended changes to Sub-processors, giving Controller the opportunity to object within 30 days. Processor shall ensure Sub-processors are bound by data protection obligations no less protective than this DPA.

4.4 Assistance to Controller

Processor shall assist Controller with:

  • Responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
  • Data protection impact assessments when required
  • Prior consultation with supervisory authorities when required
  • Demonstrating compliance with data protection obligations

4.5 Data Subject Rights

Processor shall promptly notify Controller of any request received directly from a Data Subject and shall not respond to such request except on Controller's documented instructions.

4.6 Personal Data Breach

Processor shall notify Controller without undue delay (and within 48 hours) after becoming aware of a Personal Data breach. Such notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Contact point for further information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

4.7 Deletion and Return

Upon termination of the Service, Processor shall, at Controller's choice, delete or return all Personal Data and delete existing copies, unless retention is required by law. Controller may request data export within 30 days of termination.

4.8 Audit

Processor shall make available to Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by Controller or an auditor mandated by Controller, subject to reasonable notice and confidentiality.

5. International Data Transfers

5.1 Transfer Mechanism

Personal Data may be transferred to and processed in the United States. For transfers from the EEA, UK, or other jurisdictions with transfer restrictions, Processor relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • UK International Data Transfer Agreement / Addendum where applicable
  • Any other legally recognized transfer mechanism

5.2 Standard Contractual Clauses

The parties agree that the EU Standard Contractual Clauses (Commission Decision 2021/914) are incorporated into this DPA by reference. For transfers:

  • Module Two (Controller to Processor) applies where Controller transfers Personal Data to Processor
  • The optional clauses are not adopted
  • Option 2 (general authorization) applies for Sub-processor engagement
  • The governing law is that of the Member State where Controller is established

5.3 Supplementary Measures

In addition to SCCs, Processor implements:

  • Encryption of data in transit and at rest
  • Access controls limiting who can access Personal Data
  • Pseudonymization where technically feasible
  • Regular security assessments

6. Jurisdiction-Specific Terms

6.1 European Union (GDPR)

  • Processor shall process Personal Data in accordance with GDPR
  • Controller may appoint a Data Protection Officer as required
  • Data Subject rights under GDPR Articles 15-22 shall be honored
  • 72-hour breach notification timeline applies

6.2 United Kingdom (UK GDPR)

  • UK GDPR and Data Protection Act 2018 requirements apply
  • UK International Data Transfer Agreement incorporated where applicable
  • ICO (Information Commissioner's Office) is the relevant supervisory authority

6.3 Canada (PIPEDA)

  • Processor acknowledges PIPEDA's 10 fair information principles
  • Provincial health information laws (PHIPA, HIA, etc.) may also apply
  • Controller is responsible for ensuring adequate consent
  • Data localization requirements of Quebec Law 25 are acknowledged

6.4 Israel

  • Protection of Privacy Law, 5741-1981 requirements apply
  • Privacy Protection Regulations (Data Security) 2017 standards are met
  • Database registration requirements are acknowledged
  • Israeli Law, Information and Technology Authority (ILITA) is the relevant authority

6.5 Other Jurisdictions

For jurisdictions not specifically listed, Processor shall comply with the most protective requirements of applicable local data protection law or, where no specific law applies, the standards set forth in this DPA.

7. Controller Obligations

Controller represents and warrants that:

  • It has the right to transfer Personal Data to Processor
  • Processing instructions comply with applicable law
  • Appropriate consent or legal basis exists for Processing
  • Data Subjects have been informed of the Processing as required by law
  • Personal Data is accurate and up-to-date

8. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, except that such limitations shall not apply to:

  • Breaches of confidentiality obligations
  • Willful misconduct or gross negligence
  • Fines or penalties imposed by supervisory authorities due to a party's breach

9. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service. Upon termination, Processor shall comply with the deletion and return obligations in Section 4.7.

10. Contact Information

Processor Contact

Wiebe Consulting Inc.
Data Protection Team
Email: ben@wiebe-consulting.com

EU Representative (GDPR Article 27)

[To be appointed if processing EU data at scale]
Contact: ben@wiebe-consulting.com

Appendix 1: Technical and Organizational Measures

A. Physical Security

  • Cloud infrastructure hosted in SOC 2 Type II certified data centers
  • Physical access controls at data center facilities

B. Access Control

  • Role-based access control (RBAC)
  • Unique user identification
  • Password complexity requirements
  • Multi-factor authentication support
  • Automatic session timeout

C. Encryption

  • TLS 1.2+ for data in transit
  • AES-256 encryption for data at rest
  • Encryption key management procedures

D. Logging and Monitoring

  • Audit logs of access to Personal Data
  • Security monitoring and alerting
  • Log retention per applicable requirements

E. Business Continuity

  • Regular automated backups
  • Disaster recovery procedures
  • Tested restore capabilities

F. Personnel

  • Background checks where permitted
  • Confidentiality agreements
  • Security awareness training

Document Version: 1.0
Last Reviewed: January 9, 2026
Next Review Date: December 2026
Incorporated by Reference: EU SCCs (2021/914), UK IDTA