Data Processing Agreement

Effective Date: February 2026

Document Version: 2.0

Preamble

This Data Processing Agreement ("DPA") is entered into by and between the entity that has executed the Terms of Service or a separate subscription agreement with Rymeda, Inc. (the "Controller" or "Business") and Rymeda, Inc., a Delaware corporation with its principal place of business in California (the "Processor" or "Service Provider"), collectively referred to as the "Parties."

This DPA forms part of and supplements the Terms of Service. It governs the processing of personal data by the Processor on behalf of the Controller and applies in addition to the Privacy Policy. Where personal data includes Protected Health Information ("PHI"), the Business Associate Agreement applies concurrently. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

This DPA is designed to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018/UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.) ("CCPA/CPRA"), and other applicable data protection laws.

1. Definitions

In addition to terms defined elsewhere in this DPA, the following definitions apply:

1.1 "Personal Data"

Any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Article 4(1). Under CCPA/CPRA, this corresponds to "personal information" as defined in Cal. Civ. Code §1798.140(v).

1.2 "Controller" / "Business"

The entity that determines the purposes and means of the processing of Personal Data (GDPR Article 4(7)). Under CCPA/CPRA, the "Business" as defined in Cal. Civ. Code §1798.140(d). This is the customer that has entered into a service agreement with Rymeda, Inc.

1.3 "Processor" / "Service Provider"

Rymeda, Inc., which processes Personal Data on behalf of the Controller (GDPR Article 4(8)). Under CCPA/CPRA, a "Service Provider" as defined in Cal. Civ. Code §1798.140(ag).

1.4 "Sub-processor"

Any third party engaged by the Processor to process Personal Data on behalf of the Controller, as contemplated by GDPR Article 28(2) and (4). A current list is maintained at the Subprocessor List.

1.5 "Data Subject" / "Consumer"

An identified or identifiable natural person whose Personal Data is processed (GDPR Article 4(1)). Under CCPA/CPRA, a "Consumer" as defined in Cal. Civ. Code §1798.140(i).

1.6 "Processing"

Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction (GDPR Article 4(2)).

1.7 "Standard Contractual Clauses" or "SCCs"

The standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR Article 46(2)(c), as set out in the European Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor).

1.8 "Sensitive Personal Data" / "Special Categories"

Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation (GDPR Article 9). Under CCPA/CPRA, "sensitive personal information" as defined in Cal. Civ. Code §1798.140(ae). On the Rymeda platform, this includes health data (PHI), biometric data (voice recordings), and precise geolocation.

2. Subject Matter and Duration

2.1 Subject Matter

The subject matter of this DPA is the Processor's provision of healthcare SaaS services, including clinical documentation, practice management, billing and claims, AI-assisted charting and transcription, marketplace, secure messaging, and related services as described in the Terms of Service.

2.2 Duration

Processing shall continue for the duration of the Terms of Service or subscription agreement, plus any retention period required by applicable law (including the six (6)-year HIPAA minimum retention period under 45 CFR §164.530(j) where applicable).

2.3 Nature and Purpose of Processing

The Processor processes Personal Data for the following purposes:

  • Platform operation: user authentication, authorization, session management, and role-based access control
  • Clinical documentation: patient records, clinical charts, SOAP notes, treatment plans, and care coordination
  • AI-assisted workflows: voice recording transcription (OpenAI Whisper), AI-generated clinical notes (OpenAI, Google Gemini), clinical decision support (ORIS AI), and task prioritization
  • Billing and payment: invoice creation with CPT codes, insurance claims processing with ICD-10/CPT codes, payment processing via Stripe
  • Provider verification: NPI/NPPES validation, license verification, DEA verification, and credential management
  • Marketplace operations: product listings, cart management, order fulfillment, vendor management, and reviews
  • Communication: secure messaging between providers and patients, transactional email notifications via SendGrid
  • Security and compliance: audit logging, access monitoring, incident detection, and compliance automation
  • Analytics: privacy-focused website analytics via Plausible (cookie-free, no PII)

3. Data Types and Data Subject Categories

3.1 Categories of Data Subjects

Category | Description
Patients | Individuals whose health information is created, maintained, and managed by Covered Entity's authorized workforce through the platform
Healthcare Providers | Licensed clinicians (physicians, NPs, PAs, RNs, therapists) who use the platform to deliver care and document clinical encounters
Staff Members | Non-clinical personnel (billers, front desk, org admins, owners) who manage practice operations through the platform
Social Providers | Wellness and community creators using social provider features (go live, monetization, communities, marketplace selling)
Marketplace Users | Vendors and customers who participate in the Rymeda marketplace for healthcare products

3.2 Types of Personal Data Processed

Category | Specific Data Elements | Special Category
Identity Data | First name, last name, date of birth, gender, user ID (UUID) | No
Contact Data | Email address, phone number, postal address (street, city, state, ZIP), emergency contact (name, relationship, phone) | No
Health / Patient Data | Problems (with ICD-10 codes), medications, allergies, vital signs (temperature, BP, HR, RR, O2 sat, weight, height), lab results, treatment plans, clinical notes (SOAP, progress, intake, discharge), appointment records | Yes — Health data (Art. 9 GDPR)
Biometric Data | Voice recordings of clinical encounters (audio files in WebM, MP4, MPEG, WAV, OGG formats), voiceprints derived from transcription processing | Yes — Biometric data (Art. 9 GDPR)
AI-Generated Data | AI transcriptions, AI SOAP notes, suggested ICD-10 codes with confidence scores, visit summaries, suggested diagnoses, follow-up recommendations, model version identifiers | Yes — Derived health data
Professional / Credential Data | NPI number, NPPES registry data, clinical role, license information, DEA number, specialty, verification status, organization affiliation | No
Financial / Billing Data | Insurance information (provider name, plan, member ID, group number), invoices with CPT codes, claims with diagnosis/procedure codes, payment method (via Stripe — Rymeda does not store card numbers), subscription tier | No
Communication Data | Secure messages (content, attachments, priority, read receipts), email addresses for notifications | Potentially — if containing health data
Technical / Device Data | IP address, browser type, device identifiers, session tokens, API access logs | No
Marketplace Data | Order history, product reviews (1-5 stars with text), vendor profiles (business name, business type, rating), shipping addresses | No

4. Controller Obligations

The Controller warrants and agrees that:

  • It has a valid legal basis for the processing of Personal Data under applicable data protection law (GDPR Article 6, and where applicable, Article 9 for special categories).
  • It has provided appropriate notice to Data Subjects regarding the processing of their Personal Data by the Processor, including the use of AI-assisted clinical documentation features.
  • It has obtained any required consents from Data Subjects, including explicit consent for the processing of special categories of Personal Data (health data, biometric data) where required by GDPR Article 9(2)(a) or applicable law.
  • It has obtained separate voice recording consent in compliance with California Penal Code §632 (two-party consent) and telehealth consent in compliance with California Business & Professions Code §2290.5, where applicable.
  • Its processing instructions to the Processor comply with applicable data protection law. The Controller shall immediately inform the Processor if it becomes aware that an instruction infringes applicable law.
  • It is responsible for configuring appropriate role-based access controls within the platform, including assigning correct clinical roles to staff members and maintaining accurate care team relationships.

5. Processor Obligations

In accordance with GDPR Article 28(3), the Processor agrees to:

5.1 Documented Instructions

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notice on grounds of public interest. The Terms of Service and this DPA constitute the Controller's documented instructions.

5.2 Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)). All Rymeda workforce members are bound by confidentiality agreements and undergo HIPAA security training.

5.3 Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. Specific measures are detailed in Section 8 of this DPA.

5.4 Sub-processor Engagement

Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller, as detailed in Section 6 of this DPA (Article 28(2)).

5.5 Data Subject Rights Assistance

Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights (Article 28(3)(e)). Specific rights are detailed in Section 9 of this DPA.

5.6 Compliance Assistance

Assist the Controller in ensuring compliance with the obligations under GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

  • Security of processing (Article 32)
  • Notification of personal data breaches to supervisory authorities (Article 33)
  • Communication of personal data breaches to Data Subjects (Article 34)
  • Data Protection Impact Assessments (Article 35) — see Section 10
  • Prior consultation with supervisory authorities (Article 36)

5.7 Data Return or Deletion

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage (Article 28(3)(g)). Details in Section 12.

5.8 Audit and Inspection

Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h)). Details in Section 11.

5.9 Notification of Infringement

Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions (Article 28(3), last sentence).

6. Sub-processor Management

6.1 General Authorization

The Controller provides general written authorization for the Processor to engage Sub-processors listed in Section 6.3 below and on the Subprocessor List as of the effective date of this DPA, in accordance with GDPR Article 28(2).

6.2 Notification and Objection Rights

The Processor shall provide the Controller with thirty (30) days' advance written notice before adding or replacing a Sub-processor, specifying: (a) the identity of the Sub-processor; (b) the nature of services; (c) the categories of Personal Data processed; and (d) the location of processing.

The Controller may object to a new Sub-processor within fifteen (15) days of notification by providing written objection to legal@rymeda.com. If the Controller raises a reasonable objection, the Processor shall: (a) make commercially reasonable efforts to provide an alternative; or (b) if no alternative is available, permit the Controller to terminate the affected services without penalty, with a pro-rata refund of prepaid fees.

6.3 Current Sub-processors

Sub-processor | Purpose | Data Processed | Location
Amazon Web Services, Inc. | Cloud infrastructure, compute, S3 storage, KMS, networking | All Personal Data including ePHI, voice audio files, database hosting | US-East-1
MongoDB, Inc. | Database-as-a-service (Atlas) | Patient records, clinical charts, notes, staff records, audit logs, all structured data | US (AWS)
Stripe, Inc. | Payment processing (subscriptions, marketplace) | Billing data, payment card information (PCI DSS compliant), no clinical data | United States
OpenAI, Inc. | Voice transcription (Whisper), AI clinical note generation | Voice audio recordings, clinical note content | United States
Google LLC (Gemini) | AI clinical note generation, decision support | Clinical note content, de-identified clinical context | United States
ORIS | Clinical AI assistant, task generation, daily runbooks | Clinical context for decision support | United States
Twilio SendGrid | Transactional email delivery | Email addresses, notification content (minimized via redaction pipeline) | United States
Plausible Analytics | Privacy-focused website analytics | No Personal Data — cookie-free, no PII, no cross-site tracking | European Union

6.4 Sub-processor Agreements

The Processor shall impose on each Sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of applicable data protection law. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations (GDPR Article 28(4)).

7. International Data Transfers

7.1 Transfer Mechanism

The Processor's primary infrastructure is located in AWS US-East-1 (Northern Virginia, United States). For transfers of Personal Data from the European Economic Area ("EEA"), United Kingdom, or Switzerland to the United States, the Parties agree that the Standard Contractual Clauses ("SCCs") adopted by the European Commission Implementing Decision (EU) 2021/914 shall apply as follows:

  • Module Two (Controller to Processor): Where the Controller is established in the EEA/UK and the Processor processes Personal Data in the United States.
  • The SCCs are incorporated by reference and form an integral part of this DPA. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail.
  • For UK transfers, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner) applies.
  • For Swiss transfers, the SCCs apply with the modifications required by the Swiss Federal Act on Data Protection ("FADP").

7.2 Transfer Impact Assessment

The Processor has conducted a Transfer Impact Assessment ("TIA") and determined that the supplementary measures described in Section 8 (Security Measures) provide an essentially equivalent level of protection for Personal Data transferred to the United States. These supplementary measures include AES-256 encryption, per-tenant KMS keys, tenant isolation, and access controls that prevent unauthorized government access.

7.3 Sub-processor Transfers

All Sub-processors listed in Section 6.3 that process Personal Data outside the EEA are bound by Standard Contractual Clauses or an equivalent transfer mechanism. Plausible Analytics is hosted in the EU and does not transfer Personal Data internationally.

8. Security Measures

The Processor implements the following technical and organizational measures pursuant to GDPR Article 32:

Measure | Implementation
Encryption at Rest | AES-256 encryption with per-tenant AWS KMS keys for all stored Personal Data
Encryption in Transit | TLS 1.3 for all data in transit; HTTPS-only API endpoints; encrypted WebSocket connections
Access Control | Role-based access control with 9-role clinical permission matrix; principle of least privilege; UUID-based user identification; JWT authentication
Audit Logging | Immutable, append-only audit trails recording user ID, clinical role, action, entity type/ID, timestamp, and metadata; 6-year retention; admin-only access
Tenant Isolation | Complete data separation between tenants with isolated compute, storage, and network boundaries; zero cross-tenant data visibility
PHI Redaction Pipeline | Automated multi-stage ML-powered entity recognition for PHI detection and redaction before data reaches external processing layers
Network Security | VPC isolation, WAF protection, DDoS mitigation, API Gateway rate limiting
Vulnerability Management | Continuous vulnerability scanning, automated patching, annual penetration testing
Incident Response | Documented Incident Response Plan with defined escalation paths and notification timelines
Personnel Security | Confidentiality agreements, background checks, HIPAA security training, immediate access revocation upon termination

For complete details, see the Security page and Information Security Policy.

9. Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under applicable law:

9.1 GDPR Rights (Articles 15-22)

Right | Article | Processor Assistance
Right of Access | Art. 15 | Provide data export in machine-readable format within 30 days
Right to Rectification | Art. 16 | Update Personal Data via platform or API upon Controller instruction
Right to Erasure | Art. 17 | Delete Personal Data upon Controller instruction (subject to legal retention requirements)
Right to Restriction | Art. 18 | Restrict processing of specific data upon Controller instruction
Right to Data Portability | Art. 20 | Export data in structured, commonly used, machine-readable format (JSON/CSV)
Right to Object | Art. 21 | Cease processing upon Controller instruction where based on legitimate interest
Automated Decision-Making | Art. 22 | All AI-generated clinical content requires human review and provider signature; no solely automated decisions with legal effect

9.2 CCPA/CPRA Rights

Right | Citation
Right to Know / Access | Cal. Civ. Code §1798.100
Right to Delete | Cal. Civ. Code §1798.105
Right to Correct | Cal. Civ. Code §1798.106
Right to Data Portability | Cal. Civ. Code §1798.100(d)
Right to Opt Out of Sale/Sharing | Cal. Civ. Code §1798.120
Right to Limit Use of Sensitive PI | Cal. Civ. Code §1798.121
Right to Non-Discrimination | Cal. Civ. Code §1798.125

For data that also constitutes PHI, HIPAA rights (45 CFR §§164.524-528) apply and may differ from CCPA rights. The Business Associate Agreement governs PHI-specific access rights.

10. Data Protection Impact Assessment Assistance

Where the Controller is required to carry out a Data Protection Impact Assessment ("DPIA") under GDPR Article 35, the Processor shall provide reasonable assistance, taking into account the nature of the processing and the information available to the Processor. This assistance may include:

  • A description of the processing operations and purposes
  • Information about the technical and organizational security measures implemented (Section 8)
  • Information about Sub-processors and international transfers (Sections 6 and 7)
  • Information about the AI systems used and their risk classification under the EU AI Act
  • Records of processing activities maintained by the Processor under GDPR Article 30(2)
  • Assessment of necessity, proportionality, and risks to Data Subjects

The Processor acknowledges that its AI-assisted clinical documentation features (voice transcription, AI-generated SOAP notes, clinical decision support) may constitute "high-risk AI systems" under the EU AI Act (Regulation (EU) 2024/1689), particularly where they involve processing of health data and may influence clinical decisions. The Processor cooperates with Controllers in meeting EU AI Act obligations.

11. Audit Rights

11.1 Information Availability

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in GDPR Article 28 and this DPA.

11.2 Third-Party Audits

The Processor maintains annual SOC 2 Type II audit reports conducted by an independent third-party auditor. The Processor shall make the most recent SOC 2 report available to the Controller upon written request, subject to the Processor's reasonable confidentiality requirements.

11.3 On-Site Audits

The Controller (or an independent third-party auditor bound by confidentiality obligations) may conduct an on-site audit of the Processor's processing activities, subject to the following conditions:

  • No more than one (1) audit per calendar year, unless a data breach or material non-compliance is suspected
  • At least thirty (30) days' advance written notice
  • Conducted during normal business hours
  • Shall not unreasonably disrupt the Processor's operations or compromise the security of other customers' data
  • The auditor shall be bound by confidentiality obligations no less protective than those in this DPA
  • The Controller shall bear the costs of any audit, except where the audit reveals material non-compliance by the Processor

12. Data Return and Deletion

12.1 Post-Termination Obligations

Upon termination of the Terms of Service or this DPA, the Processor shall, at the Controller's election:

  • Return: Provide the Controller with all Personal Data in a structured, commonly used, machine-readable format (JSON or CSV) within thirty (30) days of the Controller's written request
  • Delete: Securely delete all Personal Data within thirty (30) days, using cryptographic erasure for encrypted data and NIST SP 800-88 compliant methods for unencrypted data

12.2 Certification of Deletion

Upon completion of deletion, the Processor shall provide written certification confirming the deletion of all Personal Data, specifying: (a) the date of deletion; (b) the categories of data deleted; (c) the methods of destruction used; and (d) identification of the authorized person who oversaw the deletion.

12.3 Retention Exceptions

The Processor may retain Personal Data beyond the termination period where required by applicable law, including:

  • PHI retention for six (6) years per 45 CFR §164.530(j)
  • Clinical records per California retention requirements (7 years for adults, until age 19 for minors)
  • Financial records per tax and accounting regulations (7 years)
  • Audit logs per HIPAA requirements (6 years)
  • Data subject to a legal hold for pending or anticipated litigation

Where retention is required, the Processor shall: (a) limit processing to the purpose requiring retention; (b) maintain all security measures; and (c) delete the data upon expiration of the retention period.

13. Personal Data Breach Notification

13.1 Notification Timeline

The Processor shall notify the Controller without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a Personal Data breach, in accordance with GDPR Article 33(2). This timeline is in addition to (and may differ from) the breach notification obligations under the BAA (30 calendar days for HIPAA breaches) and the Breach Notification Policy.

13.2 Notification Content

The notification shall include, to the extent available:

  • The nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned (Article 33(3)(a))
  • The name and contact details of the Processor's data protection officer or equivalent contact point (Article 33(3)(b))
  • The likely consequences of the breach (Article 33(3)(c))
  • The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects (Article 33(3)(d))

13.3 California-Specific Requirements

For breaches affecting California residents, the Processor additionally complies with Cal. Civ. Code §1798.82 (SB 446), including notification within thirty (30) days and notification to the California Attorney General when more than 500 residents are affected. For breaches involving medical information, the Processor complies with CMIA (Cal. Civ. Code §56.36) and Cal. Health & Safety Code §1280.15.

14. CCPA/CPRA Service Provider Addendum

For Personal Data subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.), the Processor certifies and agrees that it:

14.1 Service Provider Status

Qualifies as a "Service Provider" under Cal. Civ. Code §1798.140(ag) and processes personal information on behalf of the Business solely for the business purposes specified in the Terms of Service and this DPA.

14.2 No Sale or Sharing

Does not "sell" personal information as defined in Cal. Civ. Code §1798.140(ad), and does not "share" personal information for cross-context behavioral advertising as defined in Cal. Civ. Code §1798.140(ah).

14.3 Purpose Limitation

Does not retain, use, or disclose personal information for any purpose other than the business purposes specified in this DPA, including any commercial purpose other than providing the services described herein.

14.4 No Combining

Does not combine personal information received from the Business with personal information received from other persons or collected from its own interactions with consumers, except as permitted under Cal. Civ. Code §1798.140(ag)(1)(A)-(E).

14.5 Compliance Verification

Grants the Business the right to take reasonable and appropriate steps to ensure compliance, including ongoing manual reviews and automated scans, and to stop and remediate unauthorized use of personal information.

14.6 Notification of Inability to Comply

Shall notify the Business if it determines that it can no longer meet its obligations under the CCPA/CPRA as a Service Provider.

HIPAA Exemption: Personal information that constitutes PHI governed by HIPAA is exempt from CCPA/CPRA requirements per Cal. Civ. Code §1798.145(c)(1)(A). The BAA governs all PHI processing.

15. Liability

15.1 Allocation of Liability

Each Party shall be liable for damages caused by processing which infringes applicable data protection law, in accordance with GDPR Article 82. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors, or where it has acted outside of or contrary to lawful instructions of the Controller.

15.2 Limitation

The total aggregate liability of the Processor under or in connection with this DPA shall be subject to the limitation of liability provisions in the Terms of Service, except to the extent such limitation is prohibited by applicable data protection law.

15.3 Indemnification

Each Party shall indemnify and hold harmless the other Party from and against any claims, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from the indemnifying Party's breach of this DPA or violation of applicable data protection law.

16. General Provisions

16.1 Governing Law

This DPA shall be governed by the laws of the State of Delaware, without regard to conflict of laws principles. For matters subject to the GDPR, the provisions of the GDPR shall apply. For matters involving PHI, federal HIPAA regulations govern to the extent applicable. The CCPA/CPRA applies to all processing of personal information of California residents, subject to the HIPAA exemption in Cal. Civ. Code §1798.145(c)(1)(A).

16.2 Amendment

This DPA may be amended by the Processor upon thirty (30) days' written notice to the Controller to comply with changes to applicable data protection law. Material amendments to the processing scope require the Controller's prior written consent.

16.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

16.4 Precedence

In the event of conflict: (a) the SCCs shall prevail over this DPA with respect to international transfers; (b) this DPA shall prevail over the Terms of Service with respect to data processing; (c) the BAA shall prevail over this DPA with respect to PHI.

16.5 Survival

Sections 9 (Data Subject Rights), 11 (Audit Rights), 12 (Data Return and Deletion), 13 (Breach Notification), 14 (CCPA/CPRA Addendum), and 15 (Liability) shall survive termination of this DPA.

17. Contact Information

For questions regarding this DPA, data processing inquiries, or to exercise any rights:

Privacy Officer / DPO Contact

legal@rymeda.com

Data subject requests, DPIA assistance, privacy inquiries

Legal Department

legal@rymeda.com

DPA amendments, Sub-processor objections, audit requests

Compliance Office

legal@rymeda.com

Breach notifications, compliance certifications, regulatory inquiries

Sub-processor Updates

legal@rymeda.com

Subscribe to Sub-processor change notifications
