Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Loomantix Inc. ("Processor") and the Customer ("Controller").

1. Purpose

This DPA governs the processing of Personal Data and PHI by the Processor on behalf of the Controller in connection with the Service.

2. Roles of the Parties

  • Controller: Customer (Health Information Custodian)
  • Processor: Company (information manager / service provider)

The Processor acts only on documented instructions from the Controller.

3. Scope of Processing

3.1 Subject Matter

AI-assisted transcription and clinical documentation.

3.2 Duration

For the term of the agreement plus any agreed data return period.

3.3 Categories of Data

  • Patient identifiers
  • Clinical information
  • Audio recordings
  • Provider notes

3.4 Categories of Data Subjects

  • Patients
  • Healthcare providers
  • Authorized staff

4. Processor Obligations

Processor shall:

  • Process data only as instructed
  • Maintain confidentiality
  • Implement appropriate safeguards
  • Ensure personnel are trained in privacy obligations
  • Not use Customer Data for AI training or secondary purposes

5. Security Measures

Processor shall implement safeguards including:

  • Encryption
  • Access controls
  • Monitoring and logging
  • Incident response procedures

Detailed security documentation is available upon request.

6. Subprocessing

Processor may engage subprocessors subject to:

  • Written agreements with equivalent obligations
  • Transparency and notice of material changes

7. Breach Notification

Processor shall:

  • Notify Controller without undue delay of any breach
  • Provide reasonable assistance with investigation and remediation

8. Assistance to Controller

Processor will reasonably assist Controller with:

  • Privacy impact assessments
  • Regulatory inquiries
  • Compliance documentation

9. Data Return & Deletion

Upon termination:

  • Processor will make Customer Data available for export for the number of days Customer has set for the retention window within the Service (1-90)
  • Thereafter, data will be securely deleted unless retention is required by law

10. Audits

Processor will:

  • Make available relevant compliance documentation
  • Cooperate with reasonable audit requests, subject to confidentiality and security controls

11. Limitation of Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service.

12. Governing Law

This DPA is governed by the laws of Ontario, Canada.

13. Order of Precedence

In the event of conflict:

  1. DPA
  2. Terms of Service
  3. Privacy Policy