Legal · Data Processing Addendum · v2026.05
EU/UK Data Processing Addendum.
The standard agreement Conceptual Healthcare Corporation executes with controllers subject to the EU GDPR or UK GDPR. Incorporates the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum by reference.
1. Scope and roles
This Addendum applies to Personal Data processed by Conceptual Healthcare Corporation ("Processor") on behalf of "Controller" in connection with the underlying agreement. For Personal Data subject to GDPR, Controller is the controller and Processor is the processor as those terms are defined in Article 4. For Personal Data subject to UK GDPR, the same allocation applies. Where Processor determines purposes and means of processing for its own legitimate interests (security, billing, fraud prevention), the parties act as independent controllers for that limited processing.
2. Subject matter, duration, nature, purpose
- Subject matter. Provision of the services described in the underlying agreement.
- Duration. The term of the underlying agreement plus the period required by Section 11.
- Nature and purpose. Hosting, processing, and providing access to Personal Data necessary to deliver Conceptual Health platform services.
- Categories of data subjects. Patients, providers, employees of Controller, research participants, end-users authorized by Controller.
- Categories of Personal Data. Identifiers, contact data, health data (special category, Article 9), biometric data where Controller enables it, account/usage data. Full inventory at /trust/whitepaper#data-inventory.
3. Processor obligations (Article 28)
- Process Personal Data only on Controller's documented instructions, including with regard to international transfers, unless required to do so by Union or Member State law (in which case Processor will inform Controller before processing, unless prohibited by law).
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Annex II) meeting Article 32.
- Engage Sub-processors only under Section 4.
- Assist Controller in fulfilling its obligations under Articles 12–22 (data subject rights), 32–36 (security, breach, DPIA, prior consultation).
- At Controller's choice, return or delete all Personal Data after the end of services.
- Make available all information necessary to demonstrate compliance and contribute to audits, including inspections (subject to confidentiality and reasonable scheduling).
4. Sub-processors
Controller grants Processor general written authorization to engage Sub-processors, subject to Processor providing notice of additions or replacements at least thirty (30) days in advance. Notice is delivered by email and posted at /compliance#subprocessors. Controller may object on reasonable grounds within fifteen (15) days; if the objection cannot be resolved, Controller may terminate the affected services. Processor remains liable for the acts and omissions of its Sub-processors.
5. International transfers
Where Personal Data is transferred outside the EEA, the United Kingdom, or Switzerland, the parties incorporate by reference the EU Standard Contractual Clauses (Module Two — controller-to-processor) as adopted by Commission Implementing Decision (EU) 2021/914, and for UK transfers the UK International Data Transfer Addendum issued under Section 119A of the UK Data Protection Act 2018. Annex I (parties, transfer details, competent authority) and Annex II (technical and organizational measures) below populate the Clauses.
6. Security measures (Annex II summary)
Processor implements measures meeting or exceeding ISO/IEC 27001:2022, ISO/IEC 27701:2019, SOC 2 Type II (Security, Availability, Confidentiality), and HITRUST CSF v11. Encryption at rest uses AES-256-GCM with a FIPS 140-3 validated KMS; encryption in transit uses TLS 1.3, with mutual authentication for service-to-service connections. Access control is role-based with quarterly recertification, hardware-token MFA, and just-in-time elevation. Audit logs are immutable, append-only, and anchored to CH Chain. Personnel are background-checked and complete annual privacy and security training. Detail at /trust/whitepaper.
7. Data subject rights
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligation to respond to requests for exercising data subject rights. Most rights (access, deletion, portability) are self-service in the patient app and available to Controller administrators in the enterprise console; Processor will respond to assistance requests within five (5) business days.
8. Personal Data Breach
Processor will notify Controller without undue delay and in any event within twenty-four (24) hours of becoming aware of a Personal Data Breach. Notice will include the information specified at Article 33(3). Processor will not notify supervisory authorities or data subjects on Controller's behalf unless Controller specifically directs in writing.
9. Data Protection Impact Assessments
Processor will provide Controller with reasonable assistance with DPIAs (Article 35) and prior consultations with supervisory authorities (Article 36) relating to Controller's use of the services, taking into account the nature of the processing and the information available to Processor.
10. Audit
Processor will make available to Controller, on reasonable request and not more than once per calendar year, its most recent SOC 2 Type II report, ISO 27001 certificate, and HITRUST CSF certification letter. Controller may, with thirty (30) days' written notice and under reasonable confidentiality, conduct a documentation-based audit. On-site audit rights are reserved to supervisory authorities exercising lawful powers.
11. Term, return, deletion
This Addendum has effect from the Effective Date of the underlying agreement until all Personal Data is returned or deleted. After termination, Processor will, at Controller's choice, return or delete Personal Data within thirty (30) days, except where Union or Member State law requires retention. Deletion is performed by cryptographic shredding and confirmed in writing.
12. Liability and miscellaneous
Liability under this Addendum is governed by the underlying agreement. Order of precedence: Standard Contractual Clauses, then UK Addendum, then this DPA, then the underlying agreement. Governing law: the law of the Member State of the EU lead supervisory authority (proposed: Ireland). Lead supervisory authority: Irish Data Protection Commission, proposed under Article 56(1).
CONTROLLER: ____________________________
Name / Title: ____________________________
Date: ____________________________
PROCESSOR: Conceptual Healthcare Corporation
By: Maria R. Lahti, MD — Privacy Officer
EU Representative (Article 27): TBD upon EU-region launch
Document control. Template version 2026.05. Reviewed annually by the Privacy Officer. Past versions archived at /trust/transparency-report.