Data Processing Agreement (DPA)

1. Background and Purpose

Elevyo Health AB provides the digital health platform “Healthfinder”, which is used by the Data Controller to collect, store, and visualize health-related information. In this context, Elevyo processes personal data on behalf of the Data Controller and acts as Data Processor in accordance with the General Data Protection Regulation (GDPR).

This Agreement is automatically accepted by the Data Controller upon registration of a new organisation in the Healthfinder application and remains accessible under Settings → Legal Documents as well as on elevyohealth.com/DPA.


2. Roles and Responsibilities

• The Data Controller determines the purposes and lawful basis of processing personal data of end-users and remains responsible for compliance with GDPR.

• The Data Processor processes personal data only on documented instructions from the Data Controller and in accordance with this Agreement.

• If an end-user, HCP, or organisation requests deletion of personal data, the Data Processor shall support the Data Controller in fulfilling such requests, including deletion or anonymisation of related records and logs where feasible.

Where an end-user requests deletion of their data directly through the application, Elevyo Health AB will notify the Data Controller and initiate deletion or anonymisation in accordance with the Controller’s lawful instructions.


3. Purpose and Instructions

The Data Processor shall only process personal data for the following purposes:

• To provide secure storage, processing of data, and technical support within Healthfinder.

• To enable health and risk scoring, insights, and reporting as agreed in the Terms of Service.

• To ensure all data processing is conducted in accordance with GDPR and this Agreement.


4. Security Measures

The Data Processor shall implement appropriate technical and organisational measures under Article 32 GDPR, including:

• Access controls, encryption, and pseudonymisation where appropriate.

• Secure authentication, audit logging, and least-privilege access.

• Continuous vulnerability monitoring and regular security patching.

• Periodic security reviews performed at least annually within the Elevyo Health QMS.

The Data Processor shall ensure that all personal data processed on behalf of the Data Controller is treated as strictly confidential.
The Data Processor shall ensure that only authorised personnel have access to personal data and that such personnel are subject to an appropriate statutory or contractual duty of confidentiality.
The Data Processor shall further ensure that access rights are reviewed regularly and withdrawn immediately when no longer required for the performance of this Agreement.


5. Sub-processors

The Data Processor may engage sub-processors for hosting, storage, or support purposes, provided that:

• Each sub-processor is bound by a written agreement ensuring GDPR compliance.

• Sub-processors meet equivalent security and confidentiality obligations.

• The Data Controller is informed of any new sub-processors before engagement.

Current sub-processors:

• Hetzner Online GmbH – Hosting and infrastructure (EU/EEA)

• Coolify – Self-hosted deployment platform managed by Elevyo Health AB

• PostgreSQL – Database engine


6. Incident Management

In the event of a personal data breach (such as unauthorised access, loss, alteration, or disclosure of personal data), the Data Processor shall:

• Notify the Data Controller without undue delay and no later than 24 hours after becoming aware of the incident.

• Provide all information necessary for the Data Controller to comply with Articles 33–34 of the GDPR, including:

  ◦ The nature of the breach and the categories of affected data subjects and data records;

  ◦ The likely consequences of the breach;

  ◦ The measures taken or proposed to address the breach and mitigate possible adverse effects.

• Maintain an internal incident log documenting the facts, effects, and remedial actions related to each breach in accordance with Article 33 (5) GDPR.

• Ensure that such documentation is available to the Data Controller and, upon request, to the competent supervisory authority.


7. Data Subject Rights

The Data Processor shall assist the Data Controller in fulfilling data-subject rights under the GDPR, including access, rectification, deletion, restriction, portability, and objection.

When an end-user requests deletion directly through the application, the Data Processor shall notify the Data Controller and carry out deletion or anonymisation according to the Controller’s lawful instructions.

The Data Processor shall also, upon request, assist the Data Controller in:

• conducting data protection impact assessments (DPIAs) in accordance with Article 35 GDPR, and

• any prior consultation with the supervisory authority under Article 36 GDPR,

where the processing activities of the Data Processor are relevant to such assessments or reviews.


8. Retention and Termination

Upon termination of this Agreement or at the written request of the Data Controller, the Data Processor shall:

• Delete or return all personal data processed on behalf of the Data Controller, as instructed.

• Where full deletion is technically infeasible, irreversibly anonymise the data and remove it from all active processing systems.

• Provide a written confirmation to the Data Controller certifying that deletion or anonymisation has been completed.

• Upon the Data Controller’s reasonable request, allow for independent verification of the deletion process, either through the Data Controller or a third party agreed by both parties.

• Retain only those personal data that must be stored under applicable national law (e.g., healthcare or patient-record obligations), in which case such data shall be securely isolated and the legal basis for retention documented in a separate instruction from the Data Controller.


9. Record-Keeping and Audit Rights

• The Data Processor shall maintain a record of all categories of processing activities carried out on behalf of the Data Controller in accordance with Article 30 (2) GDPR. This record shall include at least:

  ◦ the purposes of the processing,

  ◦ the categories of data subjects and personal data,

  ◦ any recipients or categories of recipients,

  ◦ envisaged retention periods, and

  ◦ a general description of the technical and organisational security measures.

• The record shall be available to the Data Controller upon request and shall also be made available to the competent supervisory authority on demand.

• The Data Controller has the right, with reasonable prior notice, to carry out or commission an audit or inspection to verify the Data Processor’s compliance with this Agreement and applicable data-protection law.
Such audits may, where appropriate, be satisfied by the Data Processor providing up-to-date third-party audit reports or certifications (such as ISO 27001, SOC 2 or equivalent) instead of an on-site inspection.

• If an on-site audit is requested, both parties shall cooperate in good faith to define scope and schedule, and the audit shall be carried out during normal business hours without unreasonable interference to operations.
Unless otherwise agreed, the costs of audits shall be borne by the Data Controller.
The Data Processor shall provide all reasonable assistance and documentation required to facilitate the audit.