EU/UK Data Processing Addendum.
The standard agreement Conceptual Healthcare Corporation executes with controllers subject to the EU General Data Protection Regulation or the UK General Data Protection Regulation. Incorporates the EU Standard Contractual Clauses (Module Two — controller-to-processor) and the UK International Data Transfer Addendum by reference. Template version 2026.05.
1 · Scope and roles
Processor: us. Controller: you.
For purposes of this DPA and the GDPR / UK GDPR: Conceptual Healthcare Corporation acts as Processor; the party executing this agreement acts as Controller. This DPA applies to Personal Data that is subject to the EU GDPR (Regulation (EU) 2016/679) or the UK GDPR.
2 · Subject matter, duration, nature, purpose
Article 28(3) — covered.
Subject matter. Processing of Personal Data as required to deliver the services in the underlying agreement.
Duration. Coterminous with the underlying agreement.
Nature and purpose. Healthcare and adjacent operational services.
Data subjects. Patients, providers, employees of Controller, research participants, end-users authorized by Controller.
Categories of Personal Data. Identifiers, contact, health (special category under Article 9), biometric where enabled, account and usage. Full inventory at /trust/whitepaper/#data-inventory.
3 · Processor obligations
Article 28 compliance. Documented and audited.
We process Personal Data only on documented instructions from the Controller; ensure that persons authorized to process Personal Data are committed to confidentiality; implement Article 32 security measures (see §6); engage sub-processors only under Article 28; assist Controller with data-subject rights and its obligations under Articles 32–36; delete or return Personal Data at the end of services; and make available the information necessary to demonstrate compliance.
4 · Sub-processors
30 days' notice. 15 days to object. Public list.
Controller authorizes the sub-processors listed at /compliance/threaded/#subprocessors. We will provide 30 days' advance notice of any intended addition or replacement, posted at the same URL. Controller may object within 15 days on reasonable grounds; if the objection cannot be resolved, Controller may terminate the underlying agreement with respect to the affected services without penalty.
5 · International transfers
SCCs Module Two. UK IDTA. Incorporated by reference.
For transfers of Personal Data subject to the EU GDPR from the EEA to a third country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor). For transfers subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum under Section 119A of the UK Data Protection Act 2018. Where SCCs require selections, the order of precedence is: SCCs > UK Addendum > this DPA > underlying agreement.
6 · Security measures (Annex II summary)
ISO 27001/27701. SOC 2. HITRUST. AES-256 + TLS 1.3.
Certifications: ISO/IEC 27001:2022, ISO/IEC 27701:2019, SOC 2 Type II, HITRUST CSF v11 (status at /trust/attestations/).
Encryption: AES-256-GCM at rest under FIPS 140-3 KMS; TLS 1.3 mutual authentication for service-to-service.
Access control: Role-based, quarterly recertification, hardware-token MFA, just-in-time elevation.
Audit: Immutable, append-only logs anchored to CH Chain — see /proof/chains.html.
Personnel: Background-checked; annual privacy and security training. Full Annex II equivalent at /legal/security-whitepaper/.
7 · Data subject rights
5 business days. Self-service in the app.
Data subjects exercise their rights of access, deletion, portability, rectification, and objection through the patient app and the enterprise console. Where assistance from us is required, we respond within 5 business days. Automated decision-making — including the Master Equation — is advisory only; it is never the sole basis of a decision producing legal or similarly significant effects on a data subject, and every human override is logged.
8 · Personal Data Breach
Within 24 hours of awareness.
We notify Controller of any Personal Data Breach within 24 hours of awareness — faster than the GDPR Article 33 standard. Notice will include the information required by Article 33(3) to the extent known at the time. We do not notify supervisory authorities or data subjects on Controller's behalf unless specifically instructed to do so.
9 · DPIAs
We assist Controllers running them.
On reasonable request, we provide the information Controller needs to complete a Data Protection Impact Assessment under Article 35: nature of processing, data categories, data flows, security measures, sub-processor list, and retention practice.
10 · Audit
Documentation-based. Once a year max. 30 days' notice.
Controller may audit our compliance with this DPA. We will provide our SOC 2 Type II report, ISO 27001 certificate, and HITRUST CSF certificate on request; these reports are deemed to satisfy Controller's audit right where they cover the relevant scope. On-site or documentation-based audit beyond reports is available once per calendar year, on 30 days' written notice, conducted under reasonable confidentiality and security constraints.
11 · Term, return, deletion
30 days post-termination. Cryptographic shredding.
On termination of the underlying agreement, we return or delete Personal Data within 30 days. Deletion is performed by cryptographic shredding and confirmed in writing. Where Union or Member State law requires storage of Personal Data, we will inform Controller and store the data only for the duration and for the purpose so required.
12 · Liability and miscellaneous
Florence rules. Lead authority: Irish DPC (proposed).
Liability follows the underlying services agreement. Order of precedence on conflict: SCCs > UK IDTA > this DPA > underlying agreement. Governing law: the law of the Member State of the EU lead supervisory authority, proposed to be Ireland. Lead supervisory authority under Article 56(1): proposed to be the Irish Data Protection Commission.
Signature block — Processor: Conceptual Healthcare Corporation, by Maria R. Lahti, MD (Privacy Officer). EU Representative (Article 27): TBD upon EU-region launch.
Contact
Privacy Officer responds to DPA questions.
Email: dpo@conceptualhealth.com (EU/UK DPO)
General: privacy@conceptualhealth.com
Prior versions of this DPA are archived at /trust/transparency-report/.