This is a technical-operational template. It requires legal review and customisation before use in any contractual context.
DPA structure
- Parties (Controller and Processor).
- Subject matter and purposes of processing.
- Duration, categories of data, and data subjects.
- Documented instructions from the Controller.
- Obligations of the Processor.
- Sub-processors and extra-EEA/UK transfers.
- Security measures and data breach procedures.
- Data subject rights, audit rights, and termination.
Key technical measures
- Role-based access control and least-privilege principle.
- Encryption in transit (TLS) and at rest where applicable.
- Environment segregation: development / staging / production.
- Operational and AI audit logs.
- Backup, recovery, and continuous monitoring.
- Secret management via dedicated secret manager.
Current sub-processors
PappAI relies on the following sub-processors to deliver the Service. Each entry indicates the primary purpose, the country of processing and the legal basis for any data transfer outside the EU/EEA. The list is kept up to date and any material change will be notified in advance to Controllers.
| Provider | Purpose | Processing country | Data categories | Transfer / safeguards |
|---|---|---|---|---|
| Google Cloud Platform (Google LLC) | Cloud hosting (Cloud Run, Cloud SQL), object storage (GCS), logging and monitoring. | EU regions (europe-west1) — corporate USA | All Service data: clinical, account, billing, operational logs. | EU SCC + DPA |
| Google Vertex AI (Google LLC) | Generative AI inference for diet plan drafting and clinical analysis support. | EU multi-region — corporate USA | Pseudonymised input passed to the model; no PII; no training opt-in. | EU SCC + DPA · no training opt-in |
| Firebase (Google LLC) | Authentication (identity tokens) and push notification delivery (FCM/APNs). | USA — multi-region | User identity (email, phone), device push tokens. | EU SCC + DPA |
| Stripe Payments Europe Ltd | Subscription billing, invoicing, payment processing. | Ireland (EU) | Account and billing data, transaction history. No clinical data. | Intra-EU |
| Brevo (Sendinblue SAS) | Transactional email delivery (account, billing notifications, professional templates). | France (EU) | Recipient email, message content, delivery status. | Intra-EU |
| Twilio Ireland Ltd | SMS / WhatsApp delivery (legacy channel). | Ireland (EU) — corporate USA | Recipient phone number, message content, delivery metadata. | EU SCC + DPA |
| Meta Platforms Ireland Ltd | WhatsApp Business Cloud API for templated patient communications. | Ireland (EU) — corporate USA | Recipient phone number, template variables, delivery metadata. | EU SCC + DPA |
| Google Analytics 4 (Google LLC) | Aggregated usage analytics on the public site and authenticated app. | USA — corporate | Pseudonymous identifiers, page views, interaction events. No clinical data. | EU SCC + DPA · consent-gated |
| Microsoft Clarity (Microsoft Corporation) | Anonymised UX analytics (heatmaps, session replays). | USA — corporate | Pseudonymous identifiers, interaction events. No clinical data; sensitive fields masked. | EU SCC + DPA · consent-gated |
All listed sub-processors process data under written agreements containing GDPR-compliant safeguards (DPAs, EU SCCs where applicable). Patient clinical data is never used to train, fine-tune, or evaluate AI models by any sub-processor.
Planned annexes
- Annex A: processing detail (Art. 28(3) GDPR).
- Annex B: current sub-processor list.
- Annex C: technical and organisational measures (TOMs).
