
Data Processing Agreement

Effective 1 May 2026 · Pursuant to GDPR Article 28

This Data Processing Agreement ("DPA") forms part of the MediGuard Terms of Service between MediGuard ("Processor") and the entity accepting those terms ("Controller"). In the event of conflict, this DPA takes precedence over the Terms of Service with respect to data protection matters.

1. Definitions

Terms defined in the GDPR (Regulation (EU) 2016/679) have the same meaning here. In addition:

  • "Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to the Service.
  • "Service" means the MediGuard EU AI Act compliance platform, including all features, APIs, and exports.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on the Controller's behalf.

2. Nature and Purpose of Processing

  Subject matter:      Provision of the MediGuard compliance platform
  Duration:            For the term of the Controller's subscription, plus any retention period required by law
  Nature:              Storage, retrieval, AI-assisted analysis, PDF generation, and export of compliance documentation
  Purpose:             Enabling the Controller to fulfil EU AI Act technical documentation obligations
  Data subjects:       Employees, contractors, and end-users of the Controller whose data appears in documentation
  Categories of data:  Names, job titles, email addresses, and technical descriptions of AI systems submitted by the Controller

3. Processor Obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by Union or Member State law.
  2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement the technical and organisational security measures described in Section 7 of this DPA.
  4. Respect the conditions for engaging Sub-Processors set out in Section 5.
  5. Assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.
  6. Assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the GDPR.
  7. At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations of Article 28, and allow for and contribute to audits conducted by the Controller or its mandated auditor.

4. Controller Instructions

The Controller's instructions are set out in the Terms of Service and this DPA. The Controller may issue further written instructions during the term. If the Processor considers any instruction to infringe the GDPR or other applicable data protection law, it shall promptly notify the Controller, and may suspend processing of the relevant data until the issue is resolved.

5. Sub-Processors

The Controller grants general written authorisation to engage the Sub-Processors listed below. The Processor shall notify the Controller of any intended changes (additions or replacements) with at least 14 days' notice, giving the Controller the opportunity to object. The Processor shall impose data protection obligations equivalent to those set out in this DPA on each Sub-Processor.

  Sub-Processor    | Purpose                                                          | Location
  -----------------|------------------------------------------------------------------|---------------------------
  Supabase, Inc.   | Authentication, database storage, and file storage               | USA (EU region available)
  Stripe, Inc.     | Payment processing and subscription management                   | USA (EU data residency)
  Anthropic, PBC   | AI-assisted document summarisation (Summarizer feature only)     | USA
  Vercel, Inc.     | Application hosting and content delivery                         | USA (EU Edge Network)

6. International Transfers

Where Personal Data is transferred to a country outside the European Economic Area that does not benefit from an adequacy decision, the transfer shall be governed by the Standard Contractual Clauses for processors adopted by the European Commission (Decision 2021/914), which are incorporated into this DPA by reference. The Processor shall maintain an up-to-date record of applicable transfer mechanisms and make it available to the Controller on request.

7. Security Measures

Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, the Processor has implemented the following technical and organisational measures:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
  • Row-Level Security policies ensuring each customer's data is logically isolated.
  • Role-based access controls limiting internal access to Personal Data on a need-to-know basis.
  • Automated backups with point-in-time recovery.
  • Regular dependency and vulnerability scanning as part of the CI/CD pipeline.
  • Incident response and breach notification procedures as described in Section 8.

8. Personal Data Breach Notification

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of it. Notification shall include, to the extent then known: the nature of the breach; categories and approximate number of data subjects and records concerned; likely consequences; and measures taken or proposed to address the breach.

9. Data Subject Rights

The Processor shall promptly forward to the Controller any requests received directly from data subjects. The Processor shall not respond to such requests except on the documented instructions of the Controller, or as required by Union or Member State law. The Processor shall assist the Controller in fulfilling access, rectification, erasure, restriction, portability, and objection requests within the timescales required by applicable law.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller. The Controller shall give at least 30 days' advance written notice of any audit, bear the costs of the audit, and ensure the auditor is bound by appropriate confidentiality obligations. Audits shall not unreasonably disrupt the Processor's operations.

11. Return and Deletion of Data

Upon termination of the Terms of Service, the Processor shall, at the Controller's election: (a) return a complete copy of all Personal Data to the Controller in a machine-readable format within 30 days; or (b) securely delete all Personal Data and certify deletion in writing. The Processor may retain Personal Data to the extent required by applicable Union or Member State law, and shall inform the Controller of any such retention.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for death, personal injury, fraud, or any other liability that cannot be excluded or limited by applicable law.

13. Governing Law

This DPA is governed by the laws of Ireland and the courts of Dublin shall have exclusive jurisdiction, consistent with the Terms of Service. Where EU Member State law requires a different governing law, that law shall apply to the extent required.

14. Execution

This DPA is incorporated by reference into the Terms of Service accepted by the Controller upon account creation. No separate signature is required. Enterprise customers requiring a countersigned DPA should contact hello@mediguard.solutions.