OnlyHIPAA

Data Processing Agreement

Last updated: March 1, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller" or "Customer") and OnlyHIPAA, Inc. ("Processor") and governs the processing of personal data submitted to or generated by the OnlyHIPAA platform.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below, as further defined by applicable law including the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection legislation:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed in connection with the services.
  • "Processing" means any operation or set of operations performed on personal data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • "Controller" means the natural or legal person who determines the purposes and means of the processing of personal data - i.e., the Customer.
  • "Processor" means the natural or legal person who processes personal data on behalf of the Controller - i.e., OnlyHIPAA, Inc.
  • "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.

2. Scope of Processing

OnlyHIPAA processes personal data solely to provide the services described in the Terms of Service, acting on documented instructions from Customer. The scope of processing includes:

  • Storing and processing account information and compliance data submitted by Customer
  • Generating compliance assessments, reports, and analytics based on Customer inputs
  • Maintaining audit logs of platform activity
  • Providing customer support and responding to Customer requests

OnlyHIPAA will not process personal data for any purpose other than those specified in this DPA or the Terms of Service, or as required by applicable law. If applicable law requires processing beyond Customer's instructions, OnlyHIPAA will inform Customer unless prohibited from doing so.

3. Sub-processors

Customer authorizes OnlyHIPAA to engage sub-processors to assist in delivering the services. Current sub-processors are used for the following functions:

  • Cloud hosting and infrastructure: Primary data hosting, storage, and compute services (AWS)
  • Transactional email delivery: Delivery of account notifications and security alerts
  • Payment processing: Stripe, for billing and subscription management

A current list of sub-processors is maintained at onlyhipaa.com/sub-processors. All sub-processors are bound by data processing agreements that impose obligations no less protective than those in this DPA.

OnlyHIPAA will notify Customer at least 30 days before adding a new sub-processor that will process Customer personal data. Customer may object to the addition of a new sub-processor within 14 days of notification; if the parties cannot resolve the objection, Customer may terminate the services with a pro-rated refund of prepaid fees.

4. Security Measures

OnlyHIPAA implements and maintains appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, or disclosure, including:

  • Encryption at rest: AES-256 encryption for all stored personal data
  • Encryption in transit: TLS 1.3 for all data transmitted to and from the platform
  • Access controls: Role-based access with least-privilege principles and regular access reviews
  • Multi-factor authentication: MFA enforcement for all personnel with access to production systems and customer data
  • Audit logging: Tamper-evident logging of all access to and operations on personal data
  • Vulnerability management: Annual third-party penetration testing and ongoing security scanning
  • Incident response: Documented security incident response procedures tested at least annually

5. Data Subject Rights

OnlyHIPAA will, taking into account the nature of the processing, assist Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

If OnlyHIPAA receives a data subject request that relates to Customer personal data, OnlyHIPAA will promptly notify Customer and will not respond to the data subject directly except to acknowledge receipt and refer the data subject to Customer. OnlyHIPAA will acknowledge and forward such requests to Customer within 72 hours of receipt.

6. Breach Notification

In the event of a personal data breach affecting Customer personal data, OnlyHIPAA will notify Customer without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include, to the extent then known:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected
  • The name and contact details of the data protection point of contact
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

OnlyHIPAA will cooperate with Customer and take reasonable steps to assist in the investigation, containment, and notification obligations arising from any breach. Customer is responsible for determining whether the breach requires notification to supervisory authorities or data subjects.

7. Deletion and Return

Upon termination or expiration of the services, OnlyHIPAA will, at Customer's election, either delete or return all personal data within 30 days of the termination date. OnlyHIPAA will provide written confirmation of deletion upon request.

OnlyHIPAA may retain personal data beyond the 30-day period only to the extent required by applicable law (such as audit log retention under HIPAA), in which case the retained data will remain subject to the protections of this DPA for as long as it is retained.

8. Audits

Customer may conduct, or commission a third-party auditor to conduct, an audit of OnlyHIPAA's processing activities and security measures to verify compliance with this DPA, subject to the following conditions:

  • Customer must provide at least 30 days prior written notice of the intended audit
  • Audits may be conducted no more than once per calendar year, absent a security incident
  • Audits are conducted at Customer's expense
  • Any third-party auditor must execute a confidentiality agreement acceptable to OnlyHIPAA before beginning the audit

In lieu of a direct audit, Customer may request OnlyHIPAA's most recent third-party audit reports (SOC 2 Type II, penetration test executive summary) as evidence of compliance.

9. International Transfers

Personal data submitted to OnlyHIPAA is processed and stored in the United States. If you are located in the European Union, European Economic Area, or United Kingdom, personal data transferred to the United States is covered by the Standard Contractual Clauses (SCCs) issued by the European Commission, which are incorporated by reference into this DPA. For UK customers, the UK International Data Transfer Addendum applies.

Customer agrees that by entering into this DPA, it enters into the applicable SCCs with OnlyHIPAA. Copies of the applicable transfer mechanisms are available upon request at [email protected].

10. HIPAA Business Associate Agreement

For customers who are HIPAA covered entities or business associates, the separately executed Business Associate Agreement (BAA) between Customer and OnlyHIPAA, Inc. governs the handling of protected health information (PHI) as defined under HIPAA and its implementing regulations.

Where any provision of this DPA conflicts with a provision of the BAA with respect to the handling of PHI, the BAA shall control. For personal data that is not PHI, this DPA controls. Both agreements are complementary and are read together as part of the overall data governance framework between the parties.

11. Contact

For questions regarding this DPA, data processing activities, or to exercise your rights under this agreement, contact:

OnlyHIPAA, Inc.
Data Protection Contact
[email protected]

To request a signed copy of this DPA or our HIPAA Business Associate Agreement, contact [email protected].

© 2026 OnlyHIPAA, Inc. All rights reserved.