Data Processing Addendum

This DPA applies where Aduvera processes Customer Personal Data on behalf of a customer in connection with the service. This DPA is incorporated into the applicable Terms or Order Form. If there is a conflict between this DPA and the Terms regarding data protection, this DPA controls.

The customer is the controller, business, or equivalent principal for Customer Personal Data, except where the parties expressly agree otherwise. Aduvera is the processor, service provider, or equivalent downstream provider processing Customer Personal Data only on the customer's documented instructions and as necessary to provide the service, secure the service, prevent abuse, and comply with law.

If the customer is itself a processor, the customer confirms it is authorized to instruct Aduvera as a downstream processor.

• Subject matter: provision of the Aduvera documentation workspace and related support, security, and administrative services.
• Duration: for the term of the applicable customer agreement and until deletion or return of Customer Personal Data under this DPA.
• Nature of processing: collection, recording, storage, organization, retrieval, generation, transcription, analysis, export, deletion, and other processing necessary to deliver the service.
• Categories of data subjects: customer users, clinicians, staff members, patients, and other individuals whose data customers submit to the service.
• Categories of personal data: identity data, account data, consultation content, audio, transcripts, generated notes, patient summaries, technical metadata, and other personal data included in customer inputs or outputs.

Aduvera will process Customer Personal Data only on documented customer instructions, including as reflected in the customer's use of the service features, API calls, administrator settings, and written support or implementation instructions. Aduvera may refuse instructions that would violate law or materially increase security, operational, or legal risk.

Aduvera will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate access limitations. Access to Customer Personal Data is limited to personnel who need that access to operate, secure, or support the service.

Aduvera will implement and maintain reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include, as applicable to the service, access control, authenticated APIs, rate limiting, audit logging, encrypted transport, security headers, user-scoped authorization, and environment controls restricting unsafe payload logging.

Aduvera may update its security measures from time to time, provided the updates do not materially diminish the overall security of the service.

The customer authorizes Aduvera to use subprocessors listed on the Subprocessors page. Aduvera will impose data-protection obligations on subprocessors that are substantially similar to the obligations in this DPA, as relevant to the services they provide.

Aduvera may update its subprocessor list from time to time. Aduvera will update the public list when material subprocessors are added, removed, or replaced.

Taking into account the nature of the processing, Aduvera will provide reasonable assistance to the customer in responding to data subject requests, security assessments, regulator inquiries, and customer obligations relating to privacy impact assessments or similar reviews, to the extent customer cannot reasonably fulfill those obligations without Aduvera's assistance.

Aduvera will notify the customer without undue delay after becoming aware of a confirmed security incident affecting Customer Personal Data processed under this DPA. Aduvera will provide reasonably available information to help the customer assess the incident and meet its own notification obligations.

During the term, customers may access and delete Customer Personal Data through the service or by written request where appropriate. Upon termination or expiration of the applicable agreement, Aduvera will delete or return Customer Personal Data in accordance with the customer agreement, this DPA, and Aduvera's documented retention schedule, unless law requires retention.

• Temporary uploaded audio is deleted after successful transcription by default.
• Persisted consultation data is retained for up to 30 days after the last update, then queued for purge.
• Final hard deletion occurs after an additional 7-day grace period unless a legal hold applies.
• Residual backup copies may remain until overwritten in the normal backup cycle.

To the extent Customer Personal Data protected by GDPR, UK GDPR, Swiss data-protection law, or similar transfer restrictions is transferred cross-border, this DPA is intended to incorporate the required transfer safeguards, including SCC-based controller-to-processor and processor-to-processor terms and UK transfer addendum terms where applicable.

The parties will cooperate in good faith on reasonably necessary transfer-impact, government-access, or supplementary-measures assessments specific to the customer's use case.

Aduvera will make available information reasonably necessary to demonstrate compliance with this DPA. Where the customer reasonably concludes that additional review is necessary, parties will work in good faith to provide a proportionate audit mechanism that does not compromise the security, confidentiality, or privacy of other customers.

This DPA does not, by itself, create HIPAA terms. Where the customer requires HIPAA coverage, the parties must execute a separate business associate addendum. Aduvera's Google Cloud HIPAA BAA is in place, but the separate customer BAA still governs HIPAA obligations between Aduvera and the customer. If there is a conflict between this DPA and a fully executed BAA, the BAA controls for PHI subject matter.

DPA requests, procurement questions, and legal notices may be sent to [email protected].