Data Processing Agreement

2.1 VitaFlow Care as Data Controller

VitaFlow Care acts as Data Controller for:

• Platform user accounts (Practitioners and Clients)
• Platform usage data and analytics
• Communications sent through our systems
• Billing and subscription management
• Marketing communications (with consent)

Our Responsibilities as Controller:

• Determine purposes and means of processing
• Ensure lawful basis for all processing
• Implement appropriate technical and organizational measures
• Respond to Data Subject requests
• Notify breaches to Belgian DPA within 72 hours
• Maintain records of processing activities

2.2 Practitioners as Data Controllers

Practitioners act as Data Controllers for:

• Client health data collected during appointments
• Questionnaire responses from their clients
• Clinical notes and treatment records
• Any data collected outside the platform

Practitioner Responsibilities as Controller:

• Comply with GDPR and Belgian healthcare data protection laws
• Obtain explicit consent for processing health data
• Maintain professional confidentiality obligations
• Have a lawful basis for all processing
• Honor Data Subject rights (access, erasure, etc.)
• Maintain appropriate insurance and professional compliance

2.3 VitaFlow Care as Data Processor

VitaFlow Care acts as Data Processor on behalf of Practitioners for:

• Storage of client appointment data
• Delivery of messages between practitioners and clients
• Storage of questionnaire responses
• Management of client records on practitioner's behalf

Our Responsibilities as Processor:

• Process data only according to Practitioner's documented instructions
• Ensure confidentiality of personnel with data access
• Implement appropriate security measures
• Assist Practitioners with Data Subject requests
• Assist with data breach notifications
• Delete or return data upon request or termination

2.4 Joint Controllers

For certain processing activities, VitaFlow Care and Practitioners may be Joint Controllers:

• Appointment booking and management
• Automated appointment reminders
• Waiting list management

Joint Responsibilities:

• We jointly determine purposes and means
• We transparently inform Data Subjects of our respective roles
• We have an arrangement determining our respective responsibilities

3.1 Practitioner Instructions to VitaFlow Care

By using the platform, Practitioners instruct VitaFlow Care to process Client data for the following purposes:

Authorized Processing:

• Store client profiles and appointment history
• Facilitate appointment booking and management
• Deliver messages between Practitioner and Client
• Store questionnaire responses
• Send appointment reminders and notifications
• Manage waiting lists
• Provide analytics about practice performance

Prohibited Processing:

VitaFlow Care will NOT:

• Process Client data for purposes outside those authorized above
• Share Client data with third parties except Sub-processors
• Use Client data for marketing without explicit consent
• Process data in countries outside the EU/EEA without appropriate safeguards

3.2 Changes to Instructions

Practitioners may modify processing instructions by:

• Adjusting settings in their account dashboard
• Sending written instructions to [email protected]

We will confirm feasibility within 10 business days. If we cannot comply with modified instructions, we will notify the Practitioner and may:

• Suggest alternative approaches
• Allow the Practitioner to terminate the agreement

4.1 Authorized Sub-Processors

VitaFlow Care engages the following Sub-processors to provide platform services:

All Sub-processors:

• Are located in the EU or have GDPR-compliant data transfer mechanisms
• Have signed Data Processing Agreements with VitaFlow Care
• Implement appropriate technical and organizational security measures
• Are SOC 2 or ISO 27001 certified (or equivalent)

4.2 Sub-processor Requirements

We ensure all Sub-processors:

• Process data only according to our instructions
• Maintain confidentiality obligations
• Implement appropriate security measures
• Assist with Data Subject requests
• Notify us of any data breaches immediately
• Allow audits and inspections

4.3 Changes to Sub-processors

New Sub-processors:

We will notify Practitioners at least 30 days before engaging new Sub-processors via:

• Email notification
• Platform announcement
• Updated list on our website

Right to Object:

Practitioners may object to new Sub-processors within 15 days of notification. If we cannot accommodate the objection, Practitioners may terminate their subscription without penalty.

Current Sub-processor List: Available at: vitaflow.care/sub-processors

5.1 Technical Measures

VitaFlow Care implements the following technical safeguards:

Encryption:

• TLS 1.3 for all data in transit
• AES-256 encryption for data at rest
• Database-level encryption
• End-to-end encrypted backups

Access Control:

• Role-based access control (RBAC)
• Multi-factor authentication (MFA) for admin accounts
• Unique user credentials
• Automatic session timeout
• Regular access reviews and revocation

Network Security:

• Firewall protection
• Intrusion detection and prevention systems (IDPS)
• DDoS mitigation (Cloudflare)
• Virtual Private Cloud (VPC) isolation
• Regular vulnerability scanning

Application Security:

• Input validation and sanitization
• SQL injection prevention
• Cross-site scripting (XSS) protection
• CSRF token protection
• Security headers (HSTS, CSP, X-Frame-Options)
• Regular security code reviews

Data Integrity:

• Checksums for data verification
• Transaction logging
• Database replication
• Point-in-time recovery (PITR)

5.2 Organizational Measures

Personnel Security:

• Background checks for employees with data access
• Confidentiality and non-disclosure agreements
• Regular security awareness training
• Documented security policies
• Principle of least privilege

Physical Security:

• Data centers with ISO 27001 certification
• 24/7 physical security and surveillance
• Biometric access controls
• Environmental controls (fire, flood, temperature)

Operational Security:

• Change management procedures
• Incident response plan
• Business continuity and disaster recovery plans
• Regular security audits and penetration testing
• Vendor security assessments

Data Minimization:

• Collect only necessary data
• Pseudonymization where possible
• Regular data retention reviews
• Automated deletion of expired data

5.3 Testing and Audits

Regular Testing:

• Annual penetration testing by independent third parties
• Quarterly vulnerability assessments
• Continuous security monitoring
• Bi-annual disaster recovery testing

Compliance Audits:

• Annual SOC 2 Type 2 audit
• GDPR compliance assessments
• Internal security audits quarterly
• Right to audit: Practitioners may request audit reports (subject to confidentiality)

6.1 Assisting with Data Subject Requests

VitaFlow Care will assist Practitioners in responding to Data Subject requests, including:

Right to Access (Article 15):

• Provide data export functionality in platform
• Supply data in machine-readable format (JSON, CSV) within 30 days
• Include metadata (dates, sources, recipients)

Right to Rectification (Article 16):

• Enable Practitioners to update Client data
• Allow Clients to update their own profile information
• Correct inaccuracies within 5 business days of notification

Right to Erasure (Article 17):

• Delete Client data upon Practitioner instruction within 30 days
• Confirm deletion in writing
• Purge from backups within 90 days
• Exception: Retain data required by law (financial records, etc.)

Right to Data Portability (Article 20):

• Provide data export in structured, machine-readable format
• Enable transfer to another controller
• No charge for standard exports (once per 6 months)

Right to Object (Article 21):

• Stop processing upon objection (where legally permissible)
• Document objections and actions taken

Right to Restrict Processing (Article 18):

• Temporarily suspend processing while verifying accuracy or assessing objection
• Mark data as "restricted" in systems

6.2 Response Timeframes

• Initial Response: Within 5 business days acknowledging the request
• Full Response: Within 30 days (may be extended to 60 days for complex requests)
• Urgent Requests: Prioritized for potential harm situations

6.3 Cost and Verification

• First request per year: Free of charge
• Excessive or repetitive requests: May charge reasonable administrative fee
• Identity Verification: Required before fulfilling requests to prevent unauthorized access

7.1 Notification Obligations

VitaFlow Care's Obligations:

If we become aware of a personal data breach, we will:

To Belgian Data Protection Authority:

• Notify within 72 hours of becoming aware
• Provide description of breach, categories and volume of data affected
• Describe likely consequences and mitigation measures taken
• Provide contact point for further information

To Affected Practitioners:

• Notify without undue delay (typically within 24 hours)
• Provide details of breach, data affected, and mitigation steps
• Assist Practitioners in assessing whether to notify their Clients

To Affected Data Subjects (if required):

• Notify directly if there is high risk to rights and freedoms
• Provide clear, plain language description of breach
• Explain steps Data Subjects can take to protect themselves

7.2 Breach Response Process

1. Detection & Containment (0-2 hours): Identify and isolate affected systems, prevent further unauthorized access, preserve evidence.
2. Assessment (2-24 hours): Determine scope and severity, identify affected data and individuals, assess risk.
3. Notification (24-72 hours): Notify Belgian DPA (if required), Practitioners, and Data Subjects (if high risk).
4. Investigation & Remediation (72 hours - 30 days): Conduct root cause analysis, implement corrective measures, update security.
5. Documentation (Ongoing): Maintain breach register and document all breaches.

7.3 Practitioner Obligations

If Practitioners become aware of a breach, they must:

• Notify us immediately at [email protected]
• Provide details of the incident
• Cooperate with our investigation
• Follow breach notification requirements to their Clients if applicable

8.1 Data Location

Primary Data Storage:

• All personal data stored on EU servers (Germany: Supabase)
• Backups stored in EU (Supabase, Germany)
• No regular data transfers outside EU/EEA

8.2 Transfers to Third Countries

If a transfer outside the EU/EEA is necessary, we will only transfer data to third countries that ensure an adequate level of protection through one of the following mechanisms:

1. European Commission Adequacy Decision (GDPR Article 45)
2. Standard Contractual Clauses (SCCs) (GDPR Article 46)
3. Binding Corporate Rules (for multinational groups)
4. EU-U.S. Data Privacy Framework certification (for U.S. entities)

Current Situation: Most of our Sub-processors are EU-based or have EU data residency. For others, we use Standard Contractual Clauses and ensure they are certified under the EU-U.S. Data Privacy Framework.

By using the platform, Practitioners consent to transfers necessary for service provision, provided appropriate safeguards are in place.

8.3 Documentation

We maintain documentation of all data transfers, including the legal basis, safeguards implemented, countries involved, and data categories transferred. This is available upon request to [email protected].

9.1 Retention Periods

Account Data: Retained while account is active; deleted within 90 days of closure.

Appointment Data: Past appointments retained for 7 years (Belgian medical records requirement).

Health Data (Questionnaires): Retained for 7 years after the last appointment, or as long as required by the Practitioner's professional obligations, whichever is longer.

Messages: Retained for 5 years for legal compliance.

Financial Records: Retained for 7 years (Belgian tax law).

Analytics Data: Individual data anonymized after 2 years; aggregated data retained indefinitely.

Backups: Retained for 90 days.

9.2 Deletion Procedures

Upon account deletion, we immediately deactivate access, delete personal data within 30 days, and purge it from backups within 90 days, retaining only legally required records. We use secure deletion methods like cryptographic erasure.

9.3 Return or Deletion at Termination

Upon termination, Practitioners may request a return of all Client data (provided within 30 days) or deletion of all Client data (completed within 90 days). We will provide written confirmation of deletion.

10.1 VitaFlow Care Liability

We are liable for breaches of this DPA caused by our negligence or willful misconduct. Our total liability under this DPA shall not exceed the greater of €100,000 per incident or the amount paid by the Practitioner in the 12 months preceding the incident. This limitation does not apply to gross negligence, intentional misconduct, or liability that cannot be limited under Belgian law.

10.2 Practitioner Liability

Practitioners are liable for providing unlawful processing instructions, failing to obtain necessary consents from Clients, and non-compliance with their GDPR controller obligations.

10.3 Mutual Indemnification

Each party shall indemnify the other for regulatory fines, third-party claims, and breach remediation costs arising from the other party's data protection violations.

11.1 Term

This DPA remains in effect for the duration of the Terms of Service and automatically renews with subscription renewals.

11.2 Termination

This DPA terminates when the Practitioner terminates their subscription, we terminate the account for cause, or by mutual written agreement. Upon termination, processing of Client data ceases, and data is returned or deleted as instructed. Obligations regarding confidentiality and security survive termination.

12.1 Practitioner Audit Rights

Practitioners have the right to request information, audit reports (like SOC 2), and conduct audits to verify GDPR compliance. Audits must be requested in writing with 30 days' notice, are limited to one per year (unless a breach is suspected), and the Practitioner bears the cost. We provide SOC 2 Type 2 reports annually to all Practitioners at no charge.

12.2 Regulatory Audits

We cooperate fully with audits by the Belgian Data Protection Authority and other competent supervisory authorities.

13.1 Escalation Process

For disputes, parties will first attempt informal resolution through direct communication, followed by management escalation and mediation. If not resolved within 60 days, legal action may be pursued in Belgian courts.

13.2 Supervisory Authority

Either party may lodge a complaint with the Belgian Data Protection Authority.