Data Processing Agreement (DPA)

1. Definitions

"Controller" means the customer (you) who determines the purposes and means of processing Personal Data.

"Processor" means TheraLyze.ai, which processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person contained in adverse event reports.

"Processing" means any operation performed on Personal Data, including collection, storage, analysis, and transmission.

2. Scope and Role

TheraLyze.ai acts as a Data Processor under GDPR Article 28. The Controller determines:

• What data is uploaded to the platform
• How long data is retained
• Who has access to the data
• When data should be deleted

3. Data Processing Details

3.1 Nature and Purpose

Processing of adverse event reports for pharmacovigilance case management, medical coding, narrative generation, and E2B XML file creation for regulatory submission.

3.2 Types of Personal Data

• Patient initials and demographics (age, sex, weight)
• Medical history and adverse event descriptions
• Healthcare provider information
• Reporter contact details

3.3 Categories of Data Subjects

• Patients experiencing adverse events
• Healthcare professionals reporting events
• Study participants (clinical trials)

3.4 Processing Location

Primary Region: EU-West-1 (Ireland)
Backup Region: EU-Central-1 (Frankfurt)
All processing occurs within the European Union.

4. Processor Obligations

4.1 Security Measures

• Encryption: AES-256 at rest, TLS 1.3 in transit
• Access Control: Multi-factor authentication, role-based access
• Isolation: Dedicated tenant partitions, no data sharing between customers
• Monitoring: 24/7 security monitoring and audit logging
• Compliance: ISO 27001, SOC 2 Type II, HIPAA, GxP validated

4.2 Confidentiality

All personnel with access to Personal Data are bound by confidentiality obligations and receive GDPR training.

4.3 Data Retention

Data is retained according to Controller instructions. Sandbox data can be deleted by users at any time. Production data follows regulatory retention requirements (typically 10 years for pharmacovigilance).

4.4 Sub-processors

TheraLyze.ai uses the following sub-processors:

• Amazon Web Services (AWS): Cloud infrastructure (EU regions only)
• AI Service Providers: Large language model inference (no training on customer data, EU endpoints)

Controller will be notified 30 days before adding new sub-processors.

5. Controller Rights

The Controller has the right to:

• Access all Personal Data being processed
• Request rectification or deletion of data
• Export data in machine-readable format
• Audit TheraLyze.ai's compliance (upon reasonable notice)
• Terminate processing and request data deletion

6. Data Subject Rights

TheraLyze.ai will assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 72 hours of notification.

7. Data Breach Notification

In the event of a Personal Data breach, TheraLyze.ai will:

• Notify the Controller within 24 hours of becoming aware
• Provide details of the breach, affected data, and mitigation steps
• Cooperate in breach investigation and notification to authorities

8. Data Transfer

All data remains within the European Union. No transfers to third countries occur unless explicitly requested by Controller and protected by Standard Contractual Clauses (SCCs).

9. Deletion and Return

Upon termination or Controller request, TheraLyze.ai will:

• Delete all Personal Data within 30 days
• Provide export of data in E2B XML format if requested
• Certify deletion in writing

10. Audits and Compliance

Controller may audit TheraLyze.ai's compliance once annually upon 30 days' notice. ISO 27001 and SOC 2 audit reports are available upon request.

11. Liability and Indemnification

Each party is liable for damages caused by breach of GDPR obligations. TheraLyze.ai maintains cyber liability insurance of €5 million.

12. Contact Information

Data Protection Officer: dpo@theralyze.ai
Security Team: security@theralyze.ai
General Inquiries: support@theralyze.ai

13. Governing Law

This DPA is governed by the laws of Ireland and GDPR. Disputes will be resolved in Irish courts.