Data Processing Agreement

Last updated: February 2026

1. Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Data Controller" or "Business") and Rymeda, Inc. ("Data Processor" or "Service Provider"). This DPA governs the processing of personal data by Rymeda on behalf of the customer and supplements our Privacy Policy.

Where personal data includes Protected Health Information ("PHI"), the Business Associate Agreement applies in addition to this DPA.

2. Definitions

  • Personal Data — information that identifies, relates to, describes, or could reasonably be linked to a particular individual or household, as defined under the California Consumer Privacy Act ("CCPA"), Cal. Civ. Code §1798.140(v).
  • Data Controller / Business — the customer that determines the purposes and means of processing personal data.
  • Data Processor / Service Provider — Rymeda, Inc., which processes personal data on behalf of the Data Controller, as defined in Cal. Civ. Code §1798.140(ag).
  • Data Subject / Consumer — the identified or identifiable individual to whom personal data relates.
  • Processing — any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • Subprocessor — a third party engaged by Rymeda to process personal data on behalf of the Data Controller. See Subprocessor List.

3. Scope and Purpose of Processing

Rymeda processes personal data solely to provide the services described in the Terms of Service, including:

  • Platform operation, including user authentication, authorization, and session management.
  • Healthcare compliance automation, provider verification, and community features.
  • AI-powered features, including clinical workflow automation and analytics (subject to the AI disclosures in our Privacy Policy).
  • Customer support, billing, and account management.
  • Security monitoring, audit logging, and incident response.

Categories of data subjects include: healthcare providers, practice administrators, patients (as directed by Covered Entity), and platform end users. Categories of personal data include: contact information, professional credentials, account data, usage data, and, where applicable, Protected Health Information.

4. Obligations of the Processor

Rymeda shall:

  • Process personal data only on documented instructions from the Data Controller, unless required by law.
  • Ensure that persons authorized to process personal data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational security measures, as described in Section 8 and on our Security page.
  • Not engage a subprocessor without prior written authorization from the Data Controller (see Section 5).
  • Assist the Data Controller in responding to data subject requests (see Section 6).
  • Assist the Data Controller in ensuring compliance with breach notification obligations (see Section 9).
  • At the Data Controller's election, delete or return all personal data upon termination (see Section 10).
  • Make available all information necessary to demonstrate compliance and allow for audits (see Section 11).

5. Sub-processing

Rymeda maintains a list of approved subprocessors at the Subprocessor List page. The Data Controller provides general written authorization for the subprocessors listed as of the effective date of this DPA.

Rymeda shall provide the Data Controller with thirty (30) days' advance written notice before adding or replacing a subprocessor. The Data Controller may object to a new subprocessor within fifteen (15) days of notification. If the objection is not resolved, either party may terminate the affected services.

Rymeda shall impose contractual obligations on each subprocessor that are no less protective than those set forth in this DPA, and Rymeda remains fully liable for the acts and omissions of its subprocessors.

6. Data Subject Rights

Rymeda shall assist the Data Controller in fulfilling data subject rights requests, including:

  • Right to know / access (Cal. Civ. Code §1798.100)
  • Right to delete (Cal. Civ. Code §1798.105)
  • Right to correct (Cal. Civ. Code §1798.106)
  • Right to data portability (Cal. Civ. Code §1798.100(d))
  • Right to opt out of sale or sharing (Cal. Civ. Code §1798.120)
  • Right to limit use of sensitive personal information (Cal. Civ. Code §1798.121)
  • Right to non-discrimination (Cal. Civ. Code §1798.125)

For data that also constitutes PHI, data subject rights are governed by HIPAA and the Business Associate Agreement, which may differ from CCPA rights.

7. CCPA/CPRA Compliance

For personal data subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.), Rymeda certifies that it:

  • Does not sell or share personal data as defined under Cal. Civ. Code §1798.140(ad) and §1798.140(ah).
  • Does not retain, use, or disclose personal data for any purpose other than the business purposes specified in the Terms of Service.
  • Does not retain, use, or disclose personal data outside of the direct business relationship between Rymeda and the Data Controller.
  • Complies with the obligations of a "Service Provider" under Cal. Civ. Code §1798.140(ag).
  • Grants the Data Controller the right to take reasonable steps to ensure compliance, including ongoing manual reviews and automated scans, and to stop and remediate unauthorized use of personal data.

8. Data Security

Rymeda implements technical and organizational measures to ensure a level of security appropriate to the risk of processing, including:

  • AES-256 encryption at rest and TLS 1.3 encryption in transit.
  • Role-based and attribute-based access controls, applied according to the principle of least privilege.
  • Tenant data isolation with separate compute, storage, and network boundaries.
  • Automated PHI detection and redaction pipeline.
  • Immutable, append-only audit trails for all data access.
  • Regular risk assessments, vulnerability scanning, and penetration testing.
  • Documented incident response procedures.

For complete details, see our Security page.

9. Data Breach Notification

Rymeda shall notify the Data Controller without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a personal data breach. Notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.

California-Specific: For breaches affecting California residents, Rymeda additionally complies with Cal. Civ. Code §1798.82 (SB 446), including notification to the California Attorney General when more than 500 residents are affected. For breaches involving medical information, Rymeda complies with CMIA requirements under Cal. Civ. Code §56.36.

Where personal data also constitutes PHI, the breach notification provisions of the Business Associate Agreement apply concurrently.

10. Data Retention and Deletion

Rymeda retains personal data for the duration of the service agreement. Upon termination:

  • At the Data Controller's request, Rymeda shall delete or return all personal data within thirty (30) days, unless retention is required by law.
  • PHI and healthcare data are retained for a minimum of six (6) years from creation or last effective date, per 45 CFR §164.530(j) and the BAA.
  • General personal data is retained for up to three (3) years after last account activity, unless earlier deletion is requested.
  • Anonymized and aggregated data that cannot identify individuals may be retained indefinitely.

These retention periods are consistent with the Privacy Policy.

11. Audits

Rymeda shall make available to the Data Controller all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable notice, and no more than once per calendar year, the Data Controller (or an independent third-party auditor) may conduct an audit of Rymeda's processing activities, provided such audit does not unreasonably disrupt Rymeda's operations and is subject to confidentiality obligations.

12. Governing Law

This DPA shall be governed by the laws of the State of California, without regard to conflict of laws principles. For matters involving PHI, federal HIPAA regulations govern to the extent applicable. The CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.) applies to all processing of personal data of California residents.

13. Contact

For questions regarding this DPA or to exercise data processing rights: