Data Processing Addendum (DPA)

Effective: August 5, 2025
Parties: Nexalink Health, Inc. ("Processor") and the customer identified in the Order ("Controller"). This DPA is incorporated into the Master Services Agreement ("MSA").

Template provided for convenience; counsel for both parties should finalize.

1. Definitions

"Applicable Data Protection Laws" means U.S. federal and state privacy laws (e.g., HIPAA/HITECH, CCPA/CPRA) and, where applicable to Controller’s use of the Services, GDPR/UK GDPR. "Personal Data," "Processing," and related terms have the meanings given in such laws.

2. Roles; Scope

Controller appoints Processor to Process Personal Data to provide the Services. Processor will Process Personal Data only on documented instructions from Controller, subject to this DPA.

3. Security Measures

Processor will implement technical and organizational measures appropriate to risk, including encryption in transit and at rest, access controls, vulnerability management, logging, and incident response. See Annex 2.

4. Confidentiality

Processor will ensure personnel are bound by confidentiality obligations and receive appropriate training.

5. Sub-processors

Controller authorizes Processor to use sub-processors listed at /legal/subprocessors (or provided in writing). Processor will impose data protection obligations equivalent to this DPA and remain responsible for their performance. Processor will provide notice of material changes and allow reasonable, good-faith objections.

6. U.S. Data Residency

Processor stores and processes data in the United States. The Services are intended for U.S. use only.

7. Assistance & Requests

Taking into account the nature of Processing and the information available, Processor will assist Controller with data subject requests, security incidents, and impact assessments, as required by Applicable Data Protection Laws.

8. Audit

Upon reasonable notice, Processor will make available information reasonably necessary to demonstrate compliance and allow for audits up to once per year by Controller or an agreed auditor, subject to confidentiality and security restrictions.

9. Incident Notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach impacting Controller’s data and provide information reasonably necessary for Controller to meet its obligations.

10. Return or Deletion

Upon termination or at Controller’s written request, Processor will delete or return Personal Data unless retention is required by law. Minimal logs/backups may be retained for limited periods for security, audit, or legal compliance.

11. Liability

The parties’ liability under this DPA is governed by the MSA’s limitation of liability, to the extent permitted by law.

12. Conflict

If this DPA conflicts with the MSA, this DPA controls with respect to Processing of Personal Data.


Annex 1 — Subject Matter & Duration

  • Subject Matter: Processing Personal Data to deliver the Services
  • Duration: Term of the MSA and any legally required retention
  • Nature & Purpose: Hosting, storage, support, analytics (as configured), and related activities
  • Data Subjects: End users, patients/members, workforce users of Controller
  • Personal Data: Identifiers, contact info, usage data, plan/directory data, and any data submitted by Controller
  • Sensitive/PHI: Only if provided by Controller and necessary; enhanced safeguards apply

Annex 2 — Security Measures (Summary)

  • Encryption in transit (TLS 1.2+) and at rest (managed keys)
  • Least-privilege access with MFA for admins; role-based access for staff
  • Logical tenant isolation; network segmentation
  • Secure SDLC, code review, dependency scanning, patch cadence
  • Logging and monitoring; alerting on anomalies
  • Regular backups and tested restore procedures
  • Incident response and breach notification procedures
  • Employee confidentiality and security training