This Data Processing Agreement ("DPA") forms part of the Terms of Service between Attreo ("Processor") and you ("Controller") and governs the processing of personal data, including Protected Health Information, in connection with the Attreo service.
GDPR & HIPAA Compliance
This agreement addresses requirements under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and other applicable data protection laws.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Protected Health Information" (PHI) means individually identifiable health information as defined under HIPAA.
- "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
- "Data Subject" means the individual whose personal data is being processed.
- "Sub-processor" means any third party engaged by Attreo to process personal data.
- "Controller" means the entity that determines the purposes and means of processing personal data (you, the healthcare provider).
- "Processor" means the entity that processes personal data on behalf of the Controller (Attreo).
2. Scope of Processing
2.1 Nature and Purpose
Attreo processes personal data for the following purposes:
- Transcribing audio recordings of medical consultations
- Generating clinical notes using AI technology
- Storing and managing clinical documentation
- Providing customer support and service improvements
- Ensuring security and preventing fraud
2.2 Types of Personal Data
The following categories of personal data may be processed:
- Patient identifying information (name, date of birth, contact details)
- Medical history and clinical information
- Audio recordings of consultations
- Healthcare provider information
- Account and billing information
2.3 Data Subjects
Personal data may relate to:
- Patients of healthcare providers using Attreo
- Healthcare professionals and their staff
- Other individuals mentioned in consultations
3. Obligations of the Processor
Attreo agrees to:
3.1 Processing Instructions
- Process personal data only on documented instructions from the Controller
- Inform the Controller if an instruction appears to violate applicable law
- Not process personal data for any purpose other than providing the Service
3.2 Confidentiality
- Ensure all personnel processing personal data are bound by confidentiality obligations
- Limit access to personal data to personnel who need it to perform their duties
- Maintain appropriate confidentiality training for all personnel
3.3 Security Measures
Attreo implements the following technical and organizational measures:
- Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Access Controls: Role-based access control, multi-factor authentication
- Monitoring: 24/7 security monitoring and intrusion detection
- Infrastructure: SOC 2 Type II certified data centers
- Backup: Regular encrypted backups with tested recovery procedures
- Testing: Regular penetration testing and vulnerability assessments
- Incident Response: Documented incident response procedures
3.4 Sub-processors
- Obtain Controller's prior authorization before engaging sub-processors
- Ensure sub-processors are bound by equivalent data protection obligations
- Remain liable for sub-processor compliance
- Maintain an up-to-date list of sub-processors available upon request
3.5 Data Subject Rights
Attreo will assist the Controller in responding to requests from data subjects to exercise their rights under applicable law, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
3.6 Data Breach Notification
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach
- Provide sufficient information to enable the Controller to meet its notification obligations
- Cooperate with the Controller in investigating and mitigating the breach
- Document all breaches and remediation measures
4. Obligations of the Controller
The Controller agrees to:
- Ensure lawful basis for processing personal data through Attreo
- Obtain necessary consents from patients for recording and AI processing
- Provide clear instructions for data processing
- Fulfill transparency obligations to data subjects
- Comply with applicable healthcare regulations
- Report any known or suspected breaches to Attreo
5. HIPAA Compliance (US Healthcare Providers)
For US healthcare providers, this DPA incorporates the following HIPAA Business Associate requirements:
- Use and disclose PHI only as permitted by this agreement or as required by law
- Implement appropriate safeguards to prevent unauthorized use or disclosure
- Report any use or disclosure not provided for in this agreement
- Ensure sub-contractors agree to the same restrictions
- Make PHI available for access by individuals
- Make PHI available for amendment
- Provide accounting of disclosures
- Make internal practices available to HHS for compliance review
- Return or destroy PHI upon termination
Enterprise customers may request a separate Business Associate Agreement (BAA) by contacting legal@attreo.com.
6. International Data Transfers
Where personal data is transferred outside the European Economic Area:
- Transfers will only occur to countries with adequate protection or under appropriate safeguards
- Standard Contractual Clauses (SCCs) will be used where required
- Supplementary measures will be implemented as necessary
- Transfer impact assessments will be conducted
7. Data Retention and Deletion
7.1 Retention Periods
- Audio recordings: Deleted immediately after transcription unless extended retention is selected
- Clinical notes: Retained according to plan settings (7 days to custom retention)
- Account data: Retained for duration of account plus 30 days
- Backup data: Retained for 90 days after primary deletion
7.2 Deletion Upon Termination
Upon termination of the agreement:
- Personal data will be deleted within 30 days unless legally required to retain
- Controller may request data export before deletion
- Certification of deletion available upon request
8. Audit Rights
The Controller has the right to:
- Request copies of relevant certifications and audit reports (SOC 2, ISO 27001)
- Submit written questions regarding Attreo's security practices
- Conduct or commission audits (at Controller's expense, with reasonable notice)
9. Liability
Liability for data protection breaches is governed by the Terms of Service. Each party is liable for damages caused by processing that violates applicable data protection law.
10. Term and Termination
This DPA remains in effect for the duration of the Service agreement. Upon termination, data processing obligations continue until all personal data is deleted or returned.
11. Governing Law
This DPA is governed by the same law as the Terms of Service. For GDPR-related matters, applicable EU data protection law shall apply.
12. Contact Information
For data protection inquiries:
Annex A: Technical and Organizational Measures
| Measure | Implementation |
|---|
| Encryption at Rest | AES-256 encryption for all stored data |
| Encryption in Transit | TLS 1.3 for all data transmission |
| Access Control | Role-based access, principle of least privilege |
| Authentication | Multi-factor authentication available |
| Audit Logging | Comprehensive logging of all data access |
| Backup | Daily encrypted backups, 90-day retention |
| Physical Security | SOC 2 Type II certified data centers |
| Vulnerability Management | Regular scanning and patching |
| Penetration Testing | Annual third-party testing |
| Incident Response | 24/7 monitoring, documented procedures |
Enterprise Customers
For customized data processing terms, Business Associate Agreements, or questions about compliance requirements for your organization, please contact our legal team at legal@attreo.com.