Data Processing Agreement

The contractual basis for how Aevio Health processes personal data on your behalf.

Last updated: May 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Aevio Health ("Processor") and you ("Controller") regarding the processing of personal data carried out by Aevio Health on your behalf in connection with the service.

1. Definitions

"Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including the EU General Data Protection Regulation 2016/679 (GDPR), the UK GDPR, and equivalent local laws.

"Personal Data", "Controller", "Processor", "Data Subject", and "Processing" have the meanings given to them in the applicable Data Protection Laws.

2. Processing of personal data

Aevio Health processes Personal Data only on behalf of the Controller and in accordance with the Controller's documented instructions, including with regard to transfers to a third country, unless otherwise required by applicable law. The Controller's instructions are reflected in the Terms of Service, the Privacy Policy, and the Controller's use of the service.

The subject matter, nature, and purpose of the processing, the type of Personal Data, and the categories of Data Subjects are described in our Privacy Policy.

3. Security measures

Aevio Health implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing:

  • Pseudonymization and encryption of Personal Data
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Timely restoration of availability after an incident
  • Regular testing, assessing, and evaluating effectiveness of measures
  • Access controls scoped by role and purpose

A detailed list of controls is published in our Security Policy.

4. Sub-processors

The Controller grants Aevio Health a general authorization to engage sub-processors. Aevio Health will inform the Controller of any intended changes concerning the addition or replacement of sub-processors with at least thirty (30) days' notice, giving the Controller the opportunity to object. Where Aevio Health engages a sub-processor, the same data protection obligations as set out in this DPA are imposed on that sub-processor by contract.

Categories of sub-processors:

  • Managed database, authentication, and storage — EU region
  • Application hosting and edge runtime
  • AI model provider for agent inference (under a contractual commitment that Controller data is not used to train the provider's models)
  • Error monitoring (optional, disabled by default)
  • Transactional and waitlist email delivery

The current list of named sub-processors with their legal entity and processing locations is available on request to dpa@aevio.health.

5. International transfers

Aevio Health ensures that any transfer of Personal Data to a country outside the European Economic Area is subject to appropriate safeguards as described in Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (SCCs) where applicable. Primary processing occurs in the European Union. Edge execution and AI-model inference may occur outside the EEA; those transfers are subject to the contractual safeguards described above.

6. Data subject rights

Taking into account the nature of the processing, Aevio Health assists the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising the rights laid down in Chapter III of the GDPR. The service provides self-service export and deletion functionality.

7. Personal data breaches

Aevio Health notifies the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification describes the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences, and the measures taken or proposed to address it.

8. Termination and return or deletion of data

Upon termination of the service, Aevio Health deletes or returns all Personal Data processed on behalf of the Controller within thirty (30) days, unless retention is required by Union or Member State law. The Controller may export their vault as JSON or CSV at any time before termination.

Contact us

For DPA questions, sub-processor lists, SCC requests, or to receive a countersigned copy, write to dpa@aevio.health.