Data Processing Agreement
Effective Date: 2026-04-02
This Data Processing Agreement ("DPA") forms part of the contract between the Client and Compath App for the
provision of data analytics and communication services ("Services") and applies to the processing of Personal
Data on behalf of the Client.
This DPA has been designed to comply with Article 28 of the General Data Protection Regulation (GDPR) and other
applicable data protection laws.
1. Definitions
For the purposes of this DPA:
- "Controller" means the Client, the entity that determines the purposes and means of the
processing of Personal Data.
- "Processor" means Compath App, operated by Marton Lasetzky, acting on behalf of the
Controller to process Personal Data.
- "Personal Data" means any information relating to an identified or identifiable natural
person as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data as defined in GDPR Article
4(2).
- "Data Subject" means the individual to whom Personal Data relates (e.g., patients,
clients).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on
behalf of the Controller.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Supervisory Authority" means an independent public authority established by an EU Member
State pursuant to GDPR Article 51.
2. Scope and Subject Matter of Processing
2.1 Subject Matter
This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in connection with
the provision of the Services.
2.2 Duration of Processing
Processing will continue for the duration of the service contract and may extend up to 24 months following
termination, unless the Controller instructs earlier deletion.
2.3 Nature and Purpose of Processing
The Processor processes Personal Data for the following purposes:
- Analytics, reporting, and business intelligence
- Marketing performance and attribution analysis
- Operational and financial insights
- Patient and client engagement insights
- Automated communication workflows ("Best Actions")
- Email, SMS, and phone communication services
- Data integration and ETL (Extract, Transform, Load) processes
2.4 Types of Personal Data
The Processor may process the following categories of Personal Data:
- Identification data: Name, email address, phone number, patient identifiers
- Treatment data: Service types, treatment dates, pricing, schedules (may include special
category health data under GDPR Article 9)
- Appointment data: Booking dates, times, status, identifiers
- Financial data: Payment amounts, dates, revenue data, bank transaction data
- Marketing data: UTM parameters, click IDs (gclid, fbclid), web analytics events, session
data
- Advertising data: Campaign performance, spend, conversions
- Calendar data: Appointment events, staff schedules, availability
- Call tracking data: Phone call events, duration, caller numbers
2.5 Categories of Data Subjects
Personal Data may relate to:
- Patients of the Controller's clinic(s)
- Prospective patients (leads, website visitors)
- Staff members (doctors, specialists, administrative personnel)
- Clinic administrators and authorized users
2.6 Special Categories of Personal Data
The Processor may process special category data (health data) under GDPR Article 9, depending on
the nature of treatment data provided by the Controller. The Controller is solely responsible for establishing a
valid legal basis for such processing.
3. Processor's Obligations (Article 28 GDPR)
3.1 Processing Instructions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, which include:
- This Data Processing Agreement
- The Terms of Service
- The Service contract or commercial agreement (where applicable)
- The Controller's configuration and use of the Service (including data uploads, integration
connections, communication workflows, and feature selections)
- Inform the Controller immediately if any instruction appears to violate GDPR or other applicable data
protection laws
- Not process Personal Data for any purposes other than those specified by the Controller
3.2 Confidentiality
The Processor shall ensure that all personnel authorised to process Personal Data:
- Are subject to binding obligations of confidentiality
- Have received appropriate training on data protection and security
- Only access Personal Data to the extent necessary for their duties
3.3 Security Measures (Article 32 GDPR)
The Processor implements appropriate technical and organisational measures to ensure a level of
security appropriate to the risk, including:
Technical Measures:
- AES-256 encryption of data at rest (database, file storage)
- TLS 1.2+ encryption of data in transit (HTTPS)
- Secure authentication (JWT-based with refresh tokens)
- Two-factor authentication (2FA) support using TOTP
- Role-based access control (RBAC)
- IP allowlisting for inbound webhook endpoints
- AWS VPC network isolation with private subnets (staging/production)
- Secrets management (AWS Secrets Manager)
- Principle of least privilege for cloud access (AWS IAM)
- Audit logging (AWS CloudWatch)
- Regular security patching and updates
- Vulnerability scanning and monitoring
Organisational Measures:
- Continuous monitoring and alerting
- Incident response procedures
- Regular security reviews
3.4 Sub-processors
3.4.1 General Authorisation
The Controller grants general authorisation for the Processor to engage Sub-processors, subject to the conditions
set out in this section.
3.4.2 Current Sub-processors
The Processor currently engages the following Sub-processors:
- Amazon Web Services (AWS) – cloud hosting, database storage, file storage, secrets
management, security, audit logging
- Metabase – business intelligence analytics and reporting platform
- SendGrid (Twilio) – transactional and marketing email delivery
- DIDWW – phone call tracking and telephony services
- Google (Calendar API, Ads API) – calendar data retrieval and advertising services (when
connected by Controller)
- Meta (Facebook/Instagram) – advertising services (when connected by Controller)
3.4.3 Sub-processor Changes
The Processor shall:
- Provide the Controller with at least 30 days' advance notice of any intended changes to
Sub-processors
- Allow the Controller to object to such changes on reasonable grounds
- Maintain an up-to-date list of Sub-processors available upon request
3.4.4 Sub-processor Obligations
The Processor shall:
- Ensure that Sub-processors are subject to data protection obligations equivalent to those in this DPA
- Enter into written contracts with Sub-processors imposing GDPR-compliant obligations
- Remain fully liable to the Controller for the performance of Sub-processors
3.5 Data Subject Rights
The Processor shall, to the extent possible:
- Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure,
restriction, portability, objection)
- Provide the Controller with necessary information and access to facilitate such responses
- Not respond directly to Data Subjects without prior authorization from the Controller
3.6 Assistance with Compliance
The Processor shall assist the Controller in:
- Ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation)
- Conducting Data Protection Impact Assessments (DPIAs) where required
- Consultations with Supervisory Authorities where necessary
3.7 Data Breach Notification (Article 33 GDPR)
The Processor shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware
of a Personal Data breach
- Provide the following information (to the extent available):
- Nature of the breach (categories and approximate number of Data Subjects and records affected)
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Controller in investigating and remediating the breach
- Document all Personal Data breaches and make this documentation available to the Controller and Supervisory
Authorities upon request
3.8 Deletion or Return of Data
Upon termination of the Services or upon request by the Controller, the Processor shall:
- Delete or return all Personal Data to the Controller, as instructed
- Delete existing copies unless retention is required by law
- Provide certification of deletion upon request
- Default retention period: up to 24 months after termination, unless otherwise instructed
3.9 Audit Rights
The Processor shall:
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28
- Allow for and contribute to audits, including inspections, conducted by the Controller or an authorized
auditor
- Provide audit evidence upon reasonable request
- Allow audits to be conducted on reasonable notice (minimum 14 days) during business hours, no more than once
per year unless a breach has occurred
4. Controller's Obligations
4.1 Lawfulness of Processing
The Controller warrants that:
- Processing instructions comply with GDPR and other applicable data protection laws
- A valid legal basis exists for all processing activities (GDPR Articles 6 and 9 where applicable)
- Necessary consents and authorizations have been obtained from Data Subjects
4.2 Data Quality
The Controller is responsible for:
- Ensuring the accuracy and completeness of Personal Data provided to the Processor
- Providing clear and lawful processing instructions
- Responding to Data Subject rights requests
4.3 Cooperation
The Controller shall:
- Cooperate with the Processor in fulfilling data protection obligations
- Respond to audit requests and provide necessary access
- Notify the Processor promptly of any errors or issues with processing
5. International Data Transfers
5.1 Data Location
Primary Personal Data processing and storage occurs within the European Union (AWS eu-central-1,
Frankfurt, Germany).
5.2 Transfers Outside the EU/EEA
Where Sub-processors process Personal Data outside the EU/EEA, such transfers are subject to appropriate
safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission (where applicable)
- Additional technical and organisational measures (encryption, access controls)
5.3 Controller Consent
By entering into this DPA, the Controller authorizes international transfers as described, subject to compliance
with applicable safeguards.
6. Liability and Indemnification
6.1 Liability under Article 82 GDPR
Under GDPR Article 82, both Controller and Processor may be held liable for damage caused by processing that
infringes GDPR. The Processor is liable only where it has not complied with obligations of GDPR specifically
directed to processors or where it has acted outside or contrary to the Controller's lawful instructions. Where
both parties are responsible for the same damage, each may be held liable for the entire damage towards the Data
Subject, with a right to claim back from the other party the part of the compensation corresponding to that
party's share of responsibility (Article 82(4) and (5)).
6.2 Processor Liability
The Processor is exempt from liability if it proves it is not in any way responsible for the event giving rise to
the damage.
6.3 Indemnification
Each party agrees to indemnify the other for claims, fines, and damages arising from its breach of this DPA or
GDPR.
7. Term and Termination
7.1 Term
This DPA takes effect on the date the Controller begins using the Services and continues until termination of the
Services contract.
7.2 Termination Rights
- Either party may terminate this DPA if the other commits a material breach and fails to remedy it within 30
days of written notice
- The Controller may terminate immediately if the Processor breaches data protection obligations in a manner
that poses significant risk to Data Subjects
7.3 Effect of Termination
Upon termination, the Processor shall delete or return all Personal Data as instructed by the Controller, subject
to Section 3.8.
8. Governing Law and Disputes
8.1 Governing Law
This DPA is governed by the laws of Hungary and must be interpreted in accordance with GDPR and
applicable EU data protection law.
8.2 Dispute Resolution
Disputes shall be resolved through good-faith negotiation. If unresolved within 30 days, disputes may be
submitted to the courts of Budapest, Hungary.
8.3 Supervisory Authority Rights
Nothing in this DPA limits the rights of Data Subjects or Supervisory Authorities under GDPR.
9. Amendments
This DPA may be amended:
- To comply with changes in data protection laws
- By mutual written agreement of the parties
- With 30 days' notice for non-material changes
Material changes require the Controller's explicit consent.
10. Entire Agreement
This DPA, together with the Terms of Service and Privacy Policy,
constitutes the entire agreement between the parties regarding data
processing.
In the event of conflict, the order of precedence is:
- This Data Processing Agreement
- Service contract or commercial agreement (if applicable)
- Terms of Service
- Privacy Policy
11. Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in
full force and effect.
12. Contact Information
For questions regarding this DPA, please contact:
Processor:
Name: Marton Lasetzky
Trading as: Compath App
Email: marton.lasetzky@compath.hu
Address: Budapest, Hungary
Related Documents:
This Data Processing Agreement is effective as of the date the Controller first uses the Compath App
Services.