Data Processing Agreement

Last updated: January 27, 2026

This Data Processing Agreement (DPA) supplements our Privacy Policy and Terms of Service. It addresses our obligations as a Data Processor (for Practitioners) and Data Controller (for platform operations) under GDPR and Belgian data protection laws.

This DPA is legally binding and forms part of your agreement with VitaFlow Care.

1. Definitions

Terms used in this DPA have the meanings defined in GDPR Article 4:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • "Data Controller" means the entity that determines the purposes and means of processing personal data.
  • "Data Processor" means the entity that processes personal data on behalf of a Data Controller.
  • "Data Subject" means the individual whose personal data is being processed (i.e., Clients).
  • "Special Category Data" means health data and other sensitive personal data under GDPR Article 9.
  • "Sub-processor" means a third-party processor engaged by VitaFlow Care to process personal data.

2. Roles and Responsibilities

2.1 VitaFlow Care as Data Controller

VitaFlow Care acts as Data Controller for: Platform user accounts, platform usage data and analytics, communications through our systems, billing and subscription management, marketing communications (with consent).

Our Responsibilities: Determine purposes and means of processing, ensure lawful basis, implement appropriate measures, respond to Data Subject requests, notify Belgian DPA of breaches within 72 hours, maintain processing records.

2.2 Practitioners as Data Controllers

Practitioners act as Data Controllers for: Client health data collected during appointments, questionnaire responses, clinical notes and treatment records, data collected outside the platform.

Practitioner Responsibilities: Comply with GDPR and Belgian healthcare laws, obtain explicit consent for health data, maintain professional confidentiality, have lawful basis for processing, honor Data Subject rights, maintain insurance and compliance.

2.3 VitaFlow Care as Data Processor

VitaFlow Care acts as Data Processor on behalf of Practitioners for: Storage of client appointment data, message delivery, questionnaire response storage, client record management.

Our Responsibilities: Process only according to Practitioner's documented instructions, ensure personnel confidentiality, implement security measures, assist with Data Subject requests, assist with breach notifications, delete or return data upon request.

2.4 Joint Controllers

VitaFlow Care and Practitioners may be Joint Controllers for: Appointment booking and management, automated appointment reminders, waiting list management.

Joint Responsibilities: We jointly determine purposes and means, transparently inform Data Subjects of our roles, have an arrangement determining respective responsibilities.

3. Processing Instructions

3.1 Authorized Processing

By using the platform, Practitioners instruct VitaFlow Care to: Store client profiles and appointment history, facilitate appointment booking, deliver messages, store questionnaire responses, send reminders and notifications, manage waiting lists, provide practice analytics.

3.2 Prohibited Processing

VitaFlow Care will NOT: Process Client data for unauthorized purposes, share Client data except with Sub-processors, use Client data for marketing without consent, process data outside EU/EEA without appropriate safeguards.

3.3 Changes to Instructions

Practitioners may modify instructions via dashboard settings or by emailing [email protected]. We will confirm feasibility within 10 business days.

4. Sub-Processors

4.1 Authorized Sub-Processors

VitaFlow Care engages the following Sub-processors:

  • Supabase: Database, Auth, Storage - EU (Frankfurt, Germany)
  • Hetzner: Backend Hosting - EU Infrastructure
  • Vercel: Frontend Hosting - EU Edge
  • Cloudflare: CDN, Storage & DNS - Global (EU residency)
  • Resend: Email Delivery - EU Compliant
  • Polar: Payment Processing - EU
  • Google/Microsoft: Calendar APIs - Global (GDPR compliant)

4.2 Sub-processor Requirements

We ensure all Sub-processors: Process data only according to our instructions, maintain confidentiality, implement appropriate security, assist with Data Subject requests, notify us of breaches immediately, allow audits.

4.3 Changes to Sub-processors

We will notify Practitioners at least 30 days before engaging new Sub-processors. Practitioners may object within 15 days; if we cannot accommodate, they may terminate without penalty.

5. Data Security Measures

5.1 Technical Measures

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest, database-level encryption, end-to-end encrypted backups.

Access Control: Role-based access control (RBAC), MFA for admin accounts, unique user credentials, automatic session timeout, regular access reviews.

Network Security: Firewall protection, intrusion detection and prevention, DDoS mitigation (Cloudflare), VPC isolation, regular vulnerability scanning.

Application Security: Input validation, SQL injection prevention, XSS protection, CSRF protection, security headers, regular code reviews.

5.2 Organizational Measures

Personnel Security: Background checks, confidentiality agreements, regular security training, documented policies, least privilege principle.

Physical Security: ISO 27001 certified data centers, 24/7 security and surveillance, biometric access, environmental controls.

Operational Security: Change management, incident response plan, business continuity and disaster recovery, regular audits and penetration testing.

5.3 Testing and Audits

Regular Testing: Annual penetration testing, quarterly vulnerability assessments, continuous monitoring, bi-annual disaster recovery testing.

Compliance Audits: Annual SOC 2 Type 2, GDPR assessments, quarterly internal audits.

6. Data Subject Rights

6.1 Assisting with Data Subject Requests

Right to Access (Article 15): Data export functionality, machine-readable format (JSON, CSV) within 30 days.

Right to Rectification (Article 16): Enable updates, correct inaccuracies within 5 business days.

Right to Erasure (Article 17): Delete upon instruction within 30 days, purge from backups within 90 days (except legally required records).

Right to Data Portability (Article 20): Structured, machine-readable format, enable transfer to another controller.

Right to Object (Article 21): Stop processing upon objection where legally permissible.

Right to Restrict Processing (Article 18): Temporarily suspend processing, mark data as restricted.

6.2 Response Timeframes

Initial Response: Within 5 business days acknowledging the request.

Full Response: Within 30 days (may extend to 60 days for complex requests).

Urgent Requests: Prioritized for potential harm situations.

7. Data Breaches

7.1 Notification Obligations

To Belgian DPA: Notify within 72 hours with breach description, categories and volume affected, likely consequences, mitigation measures, contact point.

To Affected Practitioners: Notify without undue delay (typically within 24 hours), provide breach details and mitigation steps.

To Affected Data Subjects (if required): Notify directly if high risk, clear description, steps to protect themselves.

7.2 Breach Response Process

Detection & Containment (0-2 hours): Identify and isolate affected systems, prevent further access, preserve evidence.

Assessment (2-24 hours): Determine scope and severity, identify affected data and individuals, assess risk.

Notification (24-72 hours): Notify Belgian DPA (if required), Practitioners, and Data Subjects (if high risk).

Investigation & Remediation (72 hours - 30 days): Root cause analysis, implement corrective measures, update security.

7.3 Practitioner Obligations

If Practitioners become aware of a breach, they must: Notify us immediately at [email protected], provide incident details, cooperate with investigation, follow breach notification requirements to their Clients if applicable.

8. Data Transfers

8.1 Data Location

All personal data is stored on EU servers (Germany: Supabase). Backups are stored in the EU. There are no regular transfers outside the EU/EEA.

8.2 Transfers to Third Countries

If transfer outside EU/EEA is necessary, we only transfer to countries with adequate protection through: European Commission Adequacy Decision (Article 45), Standard Contractual Clauses (Article 46), Binding Corporate Rules, EU-U.S. Data Privacy Framework.

9. Data Retention and Deletion

9.1 Retention Periods

Account Data: Retained while active; deleted within 90 days of closure.

Appointment Data: Past appointments retained for 7 years (Belgian medical records requirement).

Health Data (Questionnaires): Retained for 7 years after last appointment or as required by professional obligations.

Messages: Retained for 5 years for legal compliance.

Financial Records: Retained for 7 years (Belgian tax law).

Analytics Data: Individual data anonymized after 2 years; aggregated data retained indefinitely.

Backups: Retained for 90 days.

9.2 Deletion Procedures

Upon account deletion: Deactivate access immediately, delete personal data within 30 days, purge from backups within 90 days, retain only legally required records. Secure deletion methods, including cryptographic erasure, are used.

9.3 Return or Deletion at Termination

Upon termination, Practitioners may request: Return of all Client data (provided within 30 days), or deletion of all Client data (completed within 90 days). Written confirmation of deletion provided.

10. Liability and Indemnification

10.1 VitaFlow Care Liability

We are liable for breaches caused by our negligence or willful misconduct. Total liability shall not exceed the greater of €100,000 per incident or the amount paid in the preceding 12 months. This limitation does not apply to gross negligence, intentional misconduct, or liability that cannot be limited under Belgian law.

10.2 Practitioner Liability

Practitioners are liable for providing unlawful processing instructions, failing to obtain necessary consents, and non-compliance with GDPR controller obligations.

10.3 Mutual Indemnification

Each party shall indemnify the other for regulatory fines, third-party claims, and breach remediation costs arising from the other party's data protection violations.

11. Term and Termination

This DPA remains in effect for the duration of the Terms of Service and automatically renews with subscription renewals.

This DPA terminates when: the Practitioner terminates their subscription, we terminate for cause, or by mutual agreement. Upon termination: Processing ceases, data is returned or deleted as instructed, and confidentiality and security obligations survive.

12. Audit Rights

12.1 Practitioner Audit Rights

Practitioners may request information, audit reports (SOC 2), and conduct audits to verify GDPR compliance. Requirements: 30 days' written notice, limited to one per year unless breach suspected, Practitioner bears cost. We provide annual SOC 2 Type 2 reports at no charge.

12.2 Regulatory Audits

We cooperate fully with Belgian DPA and other competent supervisory authority audits.

13. Dispute Resolution

13.1 Escalation Process

For disputes: First attempt informal resolution, then management escalation and mediation. If not resolved within 60 days, legal action in Belgian courts.

13.2 Supervisory Authority

Either party may lodge a complaint with the Belgian Data Protection Authority.

14. Amendments

We may amend this DPA to comply with changes in law or updates to our practices. We will give 60 days' advance notice of material changes. Continued use constitutes acceptance. Practitioners may object within 30 days; if the objection cannot be resolved, they may terminate without penalty.

15. General Provisions

This DPA is governed by Belgian law and the GDPR. This DPA, the Terms of Service, and the Privacy Policy constitute the entire agreement. Invalid provisions do not affect the remaining provisions. No third-party rights are created, except Data Subjects' GDPR rights.

16. Contact Information

For DPA questions, contact us at [email protected].

VitaFlow Care BV, [Address pending - registration in progress], Belgium

17. Acceptance

BY USING THE VITAFLOW CARE PLATFORM, PRACTITIONERS ACKNOWLEDGE THAT THEY HAVE READ, UNDERSTOOD, AND AGREE TO THE TERMS OF THIS DATA PROCESSING AGREEMENT.

For Clients: This DPA describes how VitaFlow Care and your Practitioner handle your personal data. By using the platform, you acknowledge this processing arrangement.