Data Processing Addendum (DPA) — Placeholder Version

Version: v.1.0.0

Last Updated: {{DATE}}

This is a temporary Data Processing Addendum (DPA). It is not legally binding and is not intended as legal advice. A final version, including HIPAA-specific requirements, will be issued after attorney review.

1. Purpose of This Addendum

This Data Processing Addendum (“Addendum”) supplements the Terms & Conditions and other agreements between Home Therapy Labs (“HTL”, “Processor”, “we”, “our”) and the customer (“Controller”, “you”, “your”) regarding HTL’s processing of personal data on your behalf.

 

This placeholder DPA provides general transparency but does not replace a finalized legal DPA or Business Associate Agreement (BAA).

2. Definitions

For purposes of this Addendum:

  • “Personal Data” means any information relating to an identified or identifiable individual processed by HTL on your behalf.

  • “Processing” means any operation performed on Personal Data (e.g., storage, transmission, retrieval, organization).

  • “Controller” means the entity that determines the purpose and means of processing Personal Data.

  • “Processor” means the entity that processes Personal Data on behalf of the Controller.

  • “Sub-Processors” are third parties engaged by HTL to support processing activities.

  • “Applicable Law” includes relevant privacy and data protection laws (HIPAA, state privacy laws, GDPR where applicable).

 

This placeholder does not represent full compliance; the final DPA will.

3. Roles of the Parties

  • The Controller determines how and why Personal Data is used.

  • HTL acts as a Processor by providing platform services and processing data solely as necessary to deliver those services.

  • Certain subscription tiers may also involve HTL acting as a Business Associate under HIPAA; in those cases, a formal BAA will be provided separately.

4. Processing of Personal Data

HTL will process Personal Data only:

  • To provide, maintain, and improve the Services

  • To support communication between families, providers, clinics, and authorized users

  • To perform administrative functions such as customer support, analytics, logs, and security

  • In accordance with your documented instructions

  • As required by law

 

HTL will not:

  • Sell Personal Data

  • Use Personal Data for advertising

  • Use Personal Data for any purpose other than delivering the Services

5. Sub-Processors

HTL may engage trusted third-party providers (“Sub-Processors”) including:

  • Cloud hosting (e.g., Azure)

  • Payment processors (e.g., Stripe)

  • Messaging providers (e.g., email/SMS vendors)

  • Infrastructure and security services

  • Analytics and monitoring tools

 

HTL will ensure Sub-Processors are subject to appropriate confidentiality and security obligations.

A full list will be provided in the final DPA.

6. Security Measures

HTL uses reasonable and appropriate technical and organizational safeguards, including:

  • Encryption of data in transit and at rest

  • Access controls and role-based permissions

  • Secure development and deployment practices

  • Audit logging and monitoring

  • Backup and redundancy measures

  • Regular security reviews

 

The finalized DPA will include more detailed security disclosures.

7. Data Subject Rights

HTL will assist the Controller, when possible, with:

  • Access requests

  • Correction or deletion requests

  • Restriction of processing

  • Data export (portability)

  • Account-level configuration to support privacy controls

 

HTL will not respond directly to such requests unless instructed by the Controller or required by law.

8. Cross-Border Data Transfers

HTL may store and process data in the United States.

If data is transferred internationally, HTL will follow applicable legal requirements.

A final DPA may include additional transfer mechanisms such as SCCs (Standard Contractual Clauses) if needed.

9. Incident Notification

In the event of a confirmed data breach affecting Personal Data, HTL will:

  • Notify the Controller without undue delay

  • Provide known details as information becomes available

  • Assist in required notifications or mitigation efforts

 

This placeholder DPA does not define legal timelines; the final version will.

10. Deletion or Return of Data

Upon termination of services or upon request, HTL will:

  • Delete Personal Data from active systems, or

  • Return Personal Data to the Controller (if requested), where technically feasible

 

Some backup or archived copies may persist temporarily due to standard retention practices.

11. Limitations

This placeholder DPA is not a substitute for:

  • A legally binding DPA

  • A Business Associate Agreement (HIPAA)

  • Any state-specific data privacy contracts

 

A final set of documents will be provided after legal counsel review.

12. Contact Information

For data protection questions, contact:

[email protected]