DRAFT — for information only

This is not the executed agreement and is subject to change. The wording below is a working draft pending legal counsel review and does not create binding obligations. To request the binding, executed Data Processing Agreement, contact [email protected] (alternate: [email protected]).

Data Processing Agreement (DPA) — Accurecord

Parties: Accurecord, Inc. (“Processor”) and the Customer (“Controller”) | Effective: on the earlier of acceptance or first processing.

DRAFT — requires legal counsel review before execution. Companion to the BAA (docs/compliance/BAA_TEMPLATE.md): the BAA governs PHI under HIPAA; this DPA governs personal data under GDPR/UK-GDPR/CCPA (under CCPA the corresponding roles are "business" and "service provider"). Where they overlap on PHI, the BAA controls.

1. Roles & scope

Processor processes personal data only on documented instructions from Controller to provide the Service (the Terms of Service and the Controller’s configuration of the Service constitute such instructions). Subject matter: medical-coding processing. Duration: the subscription term. Data subjects: Controller’s workforce users and the patients whose clinical data Controller submits.

2. Categories of data

  • Account/user data: name, work email, role, authentication identifiers.
  • Clinical data / PHI: condition text and chart documents submitted for coding (also governed by the BAA). Special-category data under GDPR Art. 9.

3. Processor obligations

  1. Process only on Controller’s instructions; notify Controller if an instruction appears to violate applicable law.
  2. Ensure persons authorized to process are under confidentiality obligations.
  3. Implement the technical & organizational measures in Annex A.
  4. Assist Controller with data-subject requests, DPIAs, and regulator inquiries, taking into account the nature of processing.
  5. Breach notification: notify Controller without undue delay (and in any case consistent with the BAA’s breach terms) after becoming aware of a personal data breach, with the information reasonably available.
  6. At Controller’s choice, delete or return personal data at the end of the service, subject to legal retention (see Privacy Policy / Annex A).
  7. Make available information needed to demonstrate compliance and allow audits (satisfiable in the ordinary course by the SOC 2 report and the in-product audit-export tooling).

4. Subprocessors

Controller provides general authorization for the subprocessors listed on the Trust page (currently Microsoft Azure, OpenAI, Stripe). Processor will give advance notice of any new or replacement subprocessor with PHI/personal-data access and a reasonable window to object. Processor imposes data-protection terms on each subprocessor no less protective than this DPA.

5. International transfers

Where personal data is transferred out of the EEA/UK/Switzerland, the parties incorporate the applicable Standard Contractual Clauses (and UK Addendum), with Processor as importer; the technical measures in Annex A are the supplementary measures.

6. Liability

Liability under this DPA is subject to the limitations in the Terms of Service, except where applicable data-protection law provides otherwise.

Annex A — Technical & organizational measures

  • Encryption: AES-256-GCM for PHI at rest (app/crypto.py); TLS 1.2+ in transit; secrets in Azure Key Vault.
  • PHI minimization: identifier scrubbing before any LLM call (app/core/phi_scrubber.py); OpenAI configured zero-retention.
  • Access control: per-org tenancy, SHA-256-hashed API keys, tiered access, OIDC/SAML SSO, SCIM provisioning, IP-based anomaly blocking.
  • Auditability: operational audit log + HIPAA Accounting-of-Disclosures ledger; customer-exportable (CSV / FHIR AuditEvent).
  • Resilience: managed Postgres backups, single-revision deploy with health gating, recurring retention purges.
  • Program: targeting SOC 2 Type II; annual penetration test; documented controls in docs/compliance/.

Annex B — Subprocessors

See the Trust page (accurecord.io/trust) for the live list; current: Microsoft Azure (hosting), OpenAI (LLM, PHI-scrubbed, zero-retention), Stripe (billing, no PHI).

© 2026 Accurecord, Inc. All rights reserved.