Data Processing Agreement (DPA)
Last updated: March 11, 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between YouDoo Health Technologies ("Processor", "we", "us") and the organisation subscribing to the YouDoo platform ("Controller", "you").
This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
This DPA applies when you, as an organisation, use the YouDoo platform to manage employee wellness programmes, and YouDoo processes personal data of your employees on your behalf.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Special Category Data" means personal data revealing health information, as defined in Article 9(1) GDPR.
- "Processing" means any operation performed on personal data, as defined in Article 4(2) GDPR.
- "Data Subjects" means the employees of the Controller whose personal data is processed through the Service.
- "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
3. Subject Matter and Duration of Processing
3.1 Subject Matter
The Processor processes personal data to provide AI-powered health and wellness services to the Controller's employees, including therapy sessions, exercise tracking, pain monitoring, and aggregated organisation analytics.
3.2 Duration
Processing shall continue for the duration of the service agreement between the parties. Upon termination, the Processor shall delete or return all personal data within 30 days, unless retention is required by applicable law.
3.3 Nature and Purpose
| Processing Activity | Purpose |
|---|---|
| Employee account management | Creating and maintaining user accounts for enrolled employees |
| AI therapy session processing | Providing personalised health guidance and exercise recommendations |
| Health data storage | Maintaining pain logs, session histories, and progress records |
| Voice processing | Speech-to-text transcription for voice-based sessions |
| Analytics aggregation | Generating anonymised programme metrics for the Controller |
| Clinical safety monitoring | Red flag detection and expert review for patient safety |
4. Categories of Data Subjects and Personal Data
4.1 Data Subjects
- Employees of the Controller enrolled in the wellness programme
- Authorised administrators of the Controller
4.2 Categories of Personal Data
| Category | Data Elements | Classification |
|---|---|---|
| Identity data | Name, email address | Personal data |
| Account data | Password hash, role, department, location | Personal data |
| Health data | Medical history, conditions, pain entries, therapy transcripts | Special category data (Art. 9) |
| Exercise data | Completion records, difficulty ratings, adherence metrics | Personal data / Health data |
| Usage data | Session frequency, engagement patterns | Personal data |
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law (Art. 28(3)(a) GDPR).
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality (Art. 28(3)(b) GDPR).
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 28(3)(c), Art. 32 GDPR).
- Not engage another processor without prior specific or general written authorisation of the Controller (Art. 28(2) GDPR).
- Assist the Controller in responding to data subject rights requests (Art. 28(3)(e) GDPR).
- Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, impact assessments).
- At the choice of the Controller, delete or return all personal data after the end of the provision of services (Art. 28(3)(g) GDPR).
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits (Art. 28(3)(h) GDPR).
6. Obligations of the Controller
The Controller shall:
- Ensure a lawful basis exists for the processing of employee personal data, including obtaining explicit consent for special category data where required.
- Provide employees with transparent information about data processing in accordance with Articles 13 and 14 GDPR.
- Ensure that instructions given to the Processor comply with applicable data protection laws.
- Respond to data subject requests and inform the Processor promptly of any relevant requests.
7. Security Measures
The Processor implements the following technical and organisational measures in accordance with Article 32 GDPR:
7.1 Technical Measures
- Encryption of data in transit using TLS 1.2+ / SSL
- Encryption of data at rest on storage volumes
- Password hashing using bcrypt with per-user salt
- Secure JWT-based authentication with HTTP-only cookies
- Role-based access control (RBAC) applying the principle of least privilege
- Network segmentation using Docker containerisation
- Automated security updates and patch management
- Regular backups with encrypted off-site storage
7.2 Organisational Measures
- Confidentiality agreements for all personnel with access to personal data
- Access limited to authorised personnel on a need-to-know basis
- Clinical expert review pipeline for AI-generated health recommendations
- Calibration system for quality assurance of expert reviews
- Incident response procedures for data breaches
8. Sub-processors
The Controller provides general authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
Current sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (servers, databases) | Germany (EU) | GDPR-compliant, ISO 27001 |
| Anthropic PBC | AI language model processing | USA | Standard Contractual Clauses (SCCs) |
| ElevenLabs Inc. | Speech-to-text and text-to-speech | USA | Standard Contractual Clauses (SCCs) |
| Stripe Inc. | Payment processing | USA | Standard Contractual Clauses (SCCs), PCI-DSS |
| Resend Inc. | Transactional email delivery | USA | Standard Contractual Clauses (SCCs) |
The Processor ensures that sub-processors are bound by data processing agreements providing at least the same level of data protection as this DPA.
9. International Data Transfers
Where personal data is transferred to sub-processors located outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Transfer Impact Assessments where required
- Supplementary technical measures (encryption, pseudonymisation) where appropriate
10. Data Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach.
- Provide the Controller with sufficient information to meet any obligation to report or inform data subjects of the breach under Articles 33 and 34 GDPR.
- Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
The notification shall include, where possible:
- Nature of the breach, including categories and approximate number of data subjects affected
- Name and contact details of the Processor's contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach
11. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests, including:
- Access requests (Art. 15 GDPR)
- Rectification requests (Art. 16 GDPR)
- Erasure requests (Art. 17 GDPR)
- Restriction requests (Art. 18 GDPR)
- Data portability requests (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
If the Processor receives a request directly from a data subject, it shall promptly redirect the request to the Controller unless otherwise instructed.
Important: Individual employees maintain independent rights over their personal health data. Employees can directly request access, correction, or deletion of their health data through the YouDoo platform regardless of their organisation's instructions.
12. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) under Article 35 GDPR, and prior consultations with supervisory authorities under Article 36 GDPR, where required.
13. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's operations. The Controller shall bear the costs of any audit.
14. Data Return and Deletion
Upon termination of the service agreement:
- The Processor shall, at the Controller's choice, return all personal data in a commonly used, machine-readable format or securely delete all personal data.
- Deletion shall be completed within 30 days of termination, unless retention is required by applicable law.
- The Processor shall provide written confirmation of deletion upon request.
- Individual employee accounts and data remain under the employee's direct control and are not affected by the termination of the organisation's agreement.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party limits its liability for breaches of its obligations under this DPA resulting from wilful misconduct or gross negligence.
16. Governing Law
This DPA is governed by the laws of the Federal Republic of Germany. Any disputes arising from or in connection with this DPA shall be resolved in the courts of Berlin, Germany.
17. Contact
For questions regarding this DPA or data processing matters, contact:
- Email: dpa@youdoo.ai
- YouDoo Health Technologies