PappAI
Try free

Data Processing Agreement — Template

Overview of PappAI's DPA structure, key technical measures, and sub-processor list.

Version 1.0 · Template (requires legal review before contractual use) · 21 February 2026

This is a technical-operational template. It requires legal review and customisation before use in any contractual context.

DPA structure

  1. Parties (Controller and Processor).
  2. Subject matter and purposes of processing.
  3. Duration, categories of data, and data subjects.
  4. Documented instructions from the Controller.
  5. Obligations of the Processor.
  6. Sub-processors and extra-EEA/UK transfers.
  7. Security measures and data breach procedures.
  8. Data subject rights, audit rights, and termination.

Key technical measures

  1. Role-based access control and least-privilege principle.
  2. Encryption in transit (TLS) and at rest where applicable.
  3. Environment segregation: development / staging / production.
  4. Operational and AI audit logs.
  5. Backup, recovery, and continuous monitoring.
  6. Secret management via dedicated secret manager.

Current sub-processors

PappAI relies on the following sub-processors to deliver the Service. Each entry indicates the primary purpose, the country of processing and the legal basis for any data transfer outside the EU/EEA. The list is kept up to date and any material change will be notified in advance to Controllers.

ProviderPurposeProcessing countryData categoriesTransfer / safeguards
Google Cloud Platform (Google LLC)Cloud hosting (Cloud Run, Cloud SQL), object storage (GCS), logging and monitoring.EU regions (europe-west1) — corporate USAAll Service data: clinical, account, billing, operational logs.EU SCC + DPA
Google Vertex AI (Google LLC)Generative AI inference for diet plan drafting and clinical analysis support.EU multi-region — corporate USAPseudonymised input passed to the model; no PII; no training opt-in.EU SCC + DPA · no training opt-in
Firebase (Google LLC)Authentication (identity tokens) and push notification delivery (FCM/APNs).USA — multi-regionUser identity (email, phone), device push tokens.EU SCC + DPA
Stripe Payments Europe LtdSubscription billing, invoicing, payment processing.Ireland (EU)Account and billing data, transaction history. No clinical data.Intra-EU
Brevo (Sendinblue SAS)Transactional email delivery (account, billing notifications, professional templates).France (EU)Recipient email, message content, delivery status.Intra-EU
Twilio Ireland LtdSMS / WhatsApp delivery (legacy channel).Ireland (EU) — corporate USARecipient phone number, message content, delivery metadata.EU SCC + DPA
Meta Platforms Ireland LtdWhatsApp Business Cloud API for templated patient communications.Ireland (EU) — corporate USARecipient phone number, template variables, delivery metadata.EU SCC + DPA
Google Analytics 4 (Google LLC)Aggregated usage analytics on the public site and authenticated app.USA — corporatePseudonymous identifiers, page views, interaction events. No clinical data.EU SCC + DPA · consent-gated
Microsoft Clarity (Microsoft Corporation)Anonymised UX analytics (heatmaps, session replays).USA — corporatePseudonymous identifiers, interaction events. No clinical data; sensitive fields masked.EU SCC + DPA · consent-gated

All listed sub-processors process data under written agreements containing GDPR-compliant safeguards (DPAs, EU SCCs where applicable). Patient clinical data is never used to train, fine-tune, or evaluate AI models by any sub-processor.

Planned annexes

  1. Annex A: processing detail (Art. 28(3) GDPR).
  2. Annex B: current sub-processor list.
  3. Annex C: technical and organisational measures (TOMs).

We value your privacy

We use cookies to improve your experience, analyse site traffic, and enable personalised features. You can accept all cookies, reject non-essential ones, or manage your preferences. Cookie Policy