Data Processing Agreement (DPA)

1. Background and Purpose

Elevyo Health AB provides the digital health platform “Healthfinder”, which is used by the Data Controller to collect, store, and visualize health-related information. In this context, Elevyo processes personal data on behalf of the Data Controller and acts as Data Processor in accordance with the General Data Protection Regulation (GDPR).

 

2. Roles and Responsibilities

·       The Data Controller determines the purposes and lawful basis of processing personal data of end-users and remains responsible for compliance with GDPR.

·       The Data Processor processes personal data only on documented instructions from the Data Controller and in accordance with this Agreement.

·       If an end-user, healthcare professional (HCP), or organisation requests deletion of personal data, the Data Processor shall support the Data Controller in fulfilling such requests, including deletion or anonymisation of related records and logs where feasible.

 

3. Purpose and Instructions

The Data Processor shall only process personal data for the following purposes:

·       To provide secure storage, processing of data, and technical support within Healthfinder.

·       To enable health and risk scoring, insights, and reporting as agreed in the Terms of Service.

·       To ensure all data processing is conducted in accordance with GDPR and this Agreement.

 

4. Security Measures

The Data Processor agrees to implement appropriate technical and organisational measures under Article 32 of the GDPR, including:

·       Access controls and role-based permissions.

·       Encryption and pseudonymisation where appropriate.

·       Secure authentication and activity logging.

·       Regular security audits, testing, and documentation.

 

5. Sub-processors

The Data Processor may engage sub-processors for hosting, storage, or support purposes, provided that:

·       A written agreement is in place ensuring GDPR compliance.

·       Sub-processors meet the same security and confidentiality obligations.

·       The Data Controller is informed of any new sub-processors in advance.

Current sub-processors include:

·       Hetzner Online GmbH (hosting, servers, infrastructure within EU/EEA).

·       Coolify (self-hosted deployment platform, managed by Elevyo Health AB).

·       PostgreSQL (database engine).

 

6. Incident Management

In the event of a personal data breach, the Data Processor shall:

·       Notify the Data Controller without undue delay.

·       Provide all necessary details to comply with Articles 33–34 GDPR.

·       Document the incident and actions taken.

 

7. Data Subject Rights

The Data Processor shall support the Data Controller in fulfilling data subject rights under GDPR, including:

·       Right of access, rectification, deletion, and data portability.

·       Right to restrict processing or object to processing.

·       Handling of complaints and inquiries.

 

8. Retention and Termination

Upon termination of the agreement, the Data Processor shall:

·       Delete or return all personal data according to the Data Controller’s instructions.

·       Ensure erasure from backups and logs within a reasonable time, or anonymise if full erasure is technically infeasible.

·       Document and confirm the completion of this process in writing.

If a healthcare professional or organisation account is terminated, end-user data will be anonymised unless the Data Controller instructs otherwise.

 

9. Miscellaneous

·       Swedish law applies.

·       Disputes shall be settled in Gothenburg District Court.

·       The Data Processor shall maintain a record of processing activities under Article 30.2 GDPR.

·       Audits may be requested by the Data Controller with reasonable notice.