Data Processing Agreement

GDPR-compliant data processing terms for the controller-processor relationship

Effective Date: 2025-01-01
Last Updated: 2025-01-15
Version: 1.0.0

Overview

This Data Processing Agreement (DPA) governs the data processing relationship between Vetigen, Inc. (the 'Processor') and the customer veterinary clinic (the 'Controller').

This agreement ensures full compliance with GDPR requirements and establishes the legal framework for personal data processing.

All personal data processed using the Vetigen platform is subject to this agreement.

Roles and Responsibilities

Controller (Veterinary Clinic)

  • Determines the purposes and means of processing
  • Provides data processing instructions to Vetigen
  • Ensures GDPR compliance

Processor (Vetigen)

  • Processes data only on controller's instructions
  • Implements appropriate technical and organizational security measures
  • Assists controller in meeting GDPR obligations

Scope of Processing

Vetigen processes the following data:

  • Personal data of pet owners
  • Veterinary medical records (SOAP notes, diagnoses, treatments)
  • Billing and payment information
  • Clinic staff account information

Processor Obligations

  • Ensure all authorized personnel are under confidentiality commitments
  • Implement appropriate security measures (encryption, access control)
  • Obtain controller approval for using sub-processors
  • Assist in responding to data subject rights requests
  • Delete or return data at the end of the agreement
  • Allow for audits and inspections

Data Subject Rights

Vetigen assists the controller in fulfilling data subject rights obligations:

  • Right of access - obtaining a copy of data
  • Right to rectification - correcting inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Security Measures

Vetigen implements the following security measures:

  • Encryption in transit with TLS 1.3 and at rest with AES-256
  • Role-based access control (RBAC) and multi-factor authentication (MFA)
  • 24/7 security monitoring and incident response
  • Daily automated backups and disaster recovery procedures
  • Regular security audits and penetration testing

Data Breach Notification

In the event of a data breach, Vetigen will:

  • Notify the controller within 72 hours
  • Provide breach details, affected data categories, and number of records
  • Describe measures taken or planned to be taken
  • Assist the controller in notifying regulatory authorities

International Data Transfers

Vetigen primarily processes data within Turkey and the EU. If data is transferred outside the EU, the following transfer mechanisms apply:

  • Transfers to countries with adequacy decisions
  • Use of Standard Contractual Clauses (SCC)
  • Binding Corporate Rules (where applicable)
  • Explicit consent (when required)

Term and Termination

This DPA is valid for the duration of the Vetigen service agreement.

Upon termination, Vetigen will:

  • Delete all personal data within 90 days
  • Return data securely upon request
  • Provide certification of deletion completion

Contact

For questions about the DPA:

Data Protection Officer: dpo@vetigen.com

For any questions or concerns regarding this policy, please contact us at legal@vetigen.com