Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Cevi Inc ("Processor") and the customer ("Controller") for the provision of the Cevi Service. This DPA applies where Cevi processes personal data on behalf of the customer in connection with the Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law. "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction. "Subprocessor" means any third party engaged by Cevi to process personal data on behalf of the customer.

2. Scope and Purpose of Processing

Cevi processes personal data solely for the purpose of providing the Service to the customer, as described in the applicable service agreement. Categories of data subjects include patients, practice staff, and other individuals whose data is processed through the Service. Categories of personal data include names, contact information, scheduling data, insurance information, and in the case of a BAA, protected health information.

3. Obligations of the Processor

Cevi will: process personal data only on documented instructions from the customer; ensure that persons authorized to process personal data are bound by confidentiality obligations; implement appropriate technical and organizational security measures; assist the customer in responding to data subject rights requests; delete or return all personal data upon termination of the service agreement, at the customer's choice; make available to the customer all information necessary to demonstrate compliance with this DPA.

4. Subprocessors

Cevi maintains a list of authorized subprocessors at cevi.ai/trust/subprocessors. We will notify the customer of any intended changes to subprocessors at least 30 days in advance. If the customer objects to a new subprocessor, the customer may terminate the affected services. Cevi remains liable for the acts and omissions of its subprocessors.

5. International Transfers

Cevi processes data primarily in the United States. For transfers of personal data from the EU/EEA to the US, Cevi relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. Where applicable, Cevi also relies on the EU-US Data Privacy Framework.

6. Security Measures

Cevi implements and maintains technical and organizational security measures appropriate to the risk, including: encryption of data in transit and at rest, access controls and authentication, regular security testing, incident detection and response capabilities, employee security training, and physical security controls for data center facilities.

7. Data Breach Notification

Cevi will notify the customer of any personal data breach without undue delay after becoming aware of it, and in any event within 72 hours. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences of the breach, and measures taken to address the breach.

8. Contact

For questions about this DPA, contact us at: Cevi Inc, 16192 Coastal Hwy, Lewes, DE 19958, United States. Email: privacy@cevi.ai. To request a signed copy of this DPA, email legal@cevi.ai.