Data Processing Agreement (DPA)

Version: 1.0
Effective Date: October 1, 2025

This Data Processing Agreement ("DPA") forms part of the agreement between:

and applies to the use of the InjexPro platform and related services (the "Services").

This DPA is entered into electronically and becomes legally binding upon acceptance by the Controller via click-acceptance during account creation, organization setup, or subscription activation.


1. Scope and Applicability

1.1 This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR").

1.2 This DPA applies to all customers outside the United States. U.S. customers are governed by a separate Business Associate Agreement (BAA) where applicable.


2. Subject Matter and Duration

2.1 The subject matter of the processing is the provision of secure, audit-safe clinical documentation software.

2.2 The duration of processing corresponds to the term of the underlying service agreement, unless otherwise required by applicable law.


3. Nature and Purpose of Processing

3.1 The Processor processes Personal Data solely for the purpose of providing the Services in accordance with the Controller’s documented instructions.

3.2 Processing activities include hosting, storage, access control, audit logging, and transmission of clinical documentation data.


4. Categories of Data Subjects and Personal Data

4.1 Categories of Data Subjects include: patients, healthcare professionals, and authorized clinical staff.

4.2 Categories of Personal Data include: patient identifiers (processed in logically isolated systems), clinical treatment records, user account and access data, and audit and activity logs.

4.3 Special categories of data pursuant to Article 9 GDPR (health data) are processed.


5. Roles of the Parties

5.1 The Controller acts as the data controller within the meaning of the GDPR.

5.2 The Processor acts as a data processor and processes Personal Data only on documented instructions from the Controller.


6. Processor Obligations

The Processor shall:

  1. Process Personal Data only in accordance with documented instructions from the Controller.
  2. Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
  3. Implement appropriate technical and organizational measures ("TOMs") pursuant to Article 32 GDPR.
  4. Assist the Controller in responding to data subject rights requests.
  5. Assist the Controller with compliance obligations relating to security, breach notification, and data protection impact assessments.
  6. Delete or return Personal Data upon termination of the Services, unless retention is required by law.

7. Technical and Organizational Measures (TOMs)

7.1 The Processor implements security measures appropriate to the risk, including but not limited to RBAC, encryption, logical separation, and audit logging.

7.2 A detailed description of the TOMs is provided in the Technical and Organizational Measures (TOMs) document.


8. Subprocessors

8.1 The Controller authorizes the Processor to engage subprocessors as necessary to provide the Services.

8.2 Current list of subprocessors: List of Subprocessors.


9. International Data Transfers

9.1 Personal Data is processed and stored within the European Union unless otherwise agreed.


10. Data Subject Rights

10.1 The Processor assists the Controller in fulfilling obligations relating to data subject rights under Articles 12–22 GDPR.


11. Personal Data Breach Notification

11.1 The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach.


12. Audits and Compliance

12.1 The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.


13. Liability

Each Party shall be liable for damages caused by its own breach of this DPA or applicable data protection law.


14. Governing Law

This DPA shall be governed by the laws of the European Union and, where applicable, the laws of the Processor’s principal place of business within the EU.


15. Acceptance and Updates

15.1 This DPA is accepted electronically and does not require a handwritten or electronic signature.

15.2 Continued use of the Services after publication of an updated version constitutes acceptance of the updated DPA.