Data Processing Agreement
Hepta Data — heptadata.com | Pursuant to GDPR Article 28
Version 1.0 | Effective Date: 1 March 2026
This Data Processing Agreement (‘DPA’) forms part of the Terms of Service (‘Main Agreement’) between the Customer (Data Controller) and Polygon Digital Ltd. (‘Polygon Digital’, ‘Processor’) for the provision of the Hepta Data platform and services.
This DPA reflects the parties' agreement with respect to the processing of personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, ‘GDPR’).
1. Definitions
In this DPA, the following terms shall have the meanings set out below. All capitalised terms not defined herein shall have the meaning ascribed to them in the Main Agreement or the GDPR.
‘Controller’ means the Customer, who determines the purposes and means of processing personal data.
‘Processor’ means Polygon Digital Ltd., who processes personal data on behalf of the Controller.
‘Data Subject’ means the identified or identifiable natural person to whom the personal data relates.
‘Personal Data’ has the meaning set out in GDPR Article 4(1).
‘Processing’ has the meaning set out in GDPR Article 4(2).
‘Sub-processor’ means any third-party processor engaged by Polygon Digital Ltd. to carry out processing activities on behalf of the Controller.
‘Supervisory Authority’ means the Data Protection Commission (Ireland), or any other competent data protection authority in the EU/EEA.
2. Details of Processing
2.1 Nature and Purpose
The Processor shall process personal data for the purpose of providing the Hepta Data practice management and workflow automation platform, including: scheduling and calendar management, form and document processing, automated communications, reporting and analytics, and related administrative services. The Processor acts strictly on the documented instructions of the Controller.
2.2 Categories of Data Subjects
- Employees, practitioners, and administrative staff of the Controller
- Clients, patients, and service users of the Controller's practice
- Third parties whose data the Controller submits to the platform
2.3 Categories of Personal Data
- Contact details (name, email, phone number, address)
- Scheduling and appointment data
- Form responses and questionnaire data
- Document content uploaded by the Controller
- Communication records (emails sent via Gmail integration)
- Calendar event data (via Google Calendar integration)
Note: Hepta Data is a non-clinical, non-medical-grade administrative platform. The Controller is responsible for ensuring that any sensitive personal data (including special categories under GDPR Art. 9) is uploaded to the platform only in compliance with applicable law. The Processor does not act as a clinical data repository.
2.4 Duration of Processing
Processing shall continue for the duration of the Main Agreement plus any legally required retention periods, or until the Controller provides written instructions for earlier deletion.
3. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law
- Ensure that all persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures pursuant to GDPR Article 32
- Respect the conditions for engaging Sub-processors set out in Clause 6
- Assist the Controller with its obligations under GDPR Articles 32–36 (security, breach notification, DPIAs)
- Delete or return all personal data to the Controller upon termination of the Main Agreement, at the Controller's choice
- Make available all information necessary to demonstrate compliance with GDPR Article 28 and permit audits
- Notify the Controller without undue delay upon becoming aware of a personal data breach
4. Controller Instructions
The Controller instructs the Processor to process personal data as necessary to provide the Hepta Data services described in the Main Agreement. The Controller warrants that it has a lawful basis for providing personal data to the Processor and that all instructions given are lawful. Any additional or varying instructions shall be provided in writing.
5. Security Measures
The Processor implements and maintains the following technical and organisational measures:
Technical Measures
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access control (RBAC) limiting access to authorised personnel
- Automated vulnerability scanning and dependency updates
- Multi-factor authentication for administrative access to production systems
- Regular automated backups with tested recovery procedures
Organisational Measures
- Staff data protection training and confidentiality agreements
- Written information security policy
- Incident response and breach notification procedures
- Vendor due diligence process for sub-processors
- Regular internal security reviews
6. Sub-processors
6.1 Authorisation
The Controller provides general written authorisation for the Processor to engage sub-processors for the provision of the Hepta Data services, subject to the conditions in this Clause 6.
6.2 Current Sub-processors
| Sub-processor | Service | Location | Safeguard |
|---|---|---|---|
| Google LLC | Gmail API & Calendar API | USA | SCCs + DPA |
| Supabase (or equiv.) | Database hosting | EU region | Art. 28 sub-processor terms; EU-region hosting (no third-country transfer) |
| Azure / AWS | Cloud infrastructure | EU region | SCCs |
| Sentry (or equiv.) | Error monitoring | USA | SCCs |
6.3 Changes to Sub-processors
The Processor shall notify the Controller of any intended changes to sub-processors (addition or replacement) by email to the Controller's registered contact address with at least 30 days' notice. The Controller may object to such changes in writing within 14 days of notification on grounds directly related to GDPR compliance. If the parties cannot resolve the objection, the Controller may terminate the affected services without penalty.
7. International Transfers
Where processing involves the transfer of personal data outside the EEA, the Processor shall ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (Module 2, controller to processor, or Module 3, processor to processor, as applicable) pursuant to Commission Implementing Decision (EU) 2021/914. A copy of the applicable SCCs will be made available to the Controller upon request.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests by Data Subjects exercising their rights under GDPR (Articles 15–22). The Processor shall notify the Controller promptly upon receiving any such request directly and shall not respond to the Data Subject except on documented instructions from the Controller.
9. Data Breaches
The Processor shall notify the Controller without undue delay, and in any case within 48 hours of becoming aware of a personal data breach involving the Controller's personal data, so that the Controller can meet its own 72-hour notification deadline under GDPR Article 33(1). The notification shall include the information required under GDPR Article 33(3) to the extent then available. The Processor shall cooperate with the Controller and take reasonable steps to mitigate the effects of the breach.
10. Data Protection Impact Assessments
Where requested, the Processor shall provide reasonable assistance to the Controller in carrying out a Data Protection Impact Assessment (DPIA) under GDPR Article 35, and in consulting with the competent Supervisory Authority pursuant to Article 36.
11. Return and Deletion of Data
Upon termination or expiry of the Main Agreement, the Processor shall, at the Controller's election made in writing within 30 days of termination: (a) return all personal data to the Controller in a structured, commonly used format; or (b) securely delete all personal data, and certify in writing that such deletion has been completed. The Processor may retain personal data where required by applicable law, informing the Controller of such retention.
12. Audit Rights
The Controller (or a third-party auditor bound by confidentiality) may, on reasonable prior written notice of at least 30 days and no more than once per calendar year, request an audit of the Processor's data processing activities to verify compliance with this DPA. The Processor may satisfy this obligation by providing relevant third-party audit reports (e.g., SOC 2, ISO 27001) where available.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Main Agreement, except where such limitations are prohibited by GDPR or applicable law. Each party shall indemnify the other for fines, penalties, or damages resulting from its own breach of this DPA or GDPR obligations.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of Ireland. The parties submit to the exclusive jurisdiction of the Irish courts, without prejudice to Data Subjects' rights to bring claims before any competent Supervisory Authority in the EU/EEA.
15. Entire Agreement
This DPA forms part of and is incorporated into the Main Agreement. In the event of conflict between this DPA and the Main Agreement on matters of data protection, this DPA shall prevail.
Signatures
By signing below, the parties agree to be bound by this Data Processing Agreement.
Customer (Data Controller)
Signature: ___________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________
Polygon Digital Ltd. (Data Processor)
Signature: ___________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________
Polygon Digital Ltd., 3 The Grove, Donabate, Co. Dublin, K36 KD27, Ireland | info@heptadata.com | heptadata.com