DPA

Data Processing Agreement

Effective 2026-04-28. Terms governing Carevoices' processing of personal data on behalf of customers.

1. Introduction

This Data Processing Agreement ("DPA") supplements the Master Service Agreement ("MSA") between Carevoices ("Processor") and the Customer ("Controller") and applies whenever Carevoices processes personal data on behalf of Customer. Where Engagement involves Protected Health Information under HIPAA, the Carevoices Business Associate Agreement (BAA) supersedes conflicting provisions in this DPA.

2. Definitions

  • Personal Data — Any information relating to an identified or identifiable natural person, as defined under applicable privacy law (GDPR, CCPA/CPRA, etc.).
  • Processing — Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or destruction.
  • Controller — The party that determines the purposes and means of Processing — typically the Customer.
  • Processor — The party that Processes Personal Data on behalf of the Controller — Carevoices.
  • Sub-processor — Any third party engaged by Carevoices to assist in Processing.
  • Covered Engagement — Any Carevoices research engagement contracted under the MSA.

3. Subject Matter and Scope of Processing

Carevoices Processes Personal Data on Customer's behalf for the purpose of conducting AI-moderated qualitative research engagements. Categories of data may include: clinician panelist contact and license information, study response data (transcripts, recordings), Customer-provided stimuli and study briefs, and (where applicable under BAA) Protected Health Information.

4. Data Residency

All Personal Data Processed by Carevoices is stored and processed within the United States, specifically in AWS and GCP regions located in the continental United States. Carevoices does not route Personal Data through international processing. EU data residency in EU AWS/GCP regions is on the Carevoices roadmap for 2027 but is not currently available.

5. International Transfers

Where Personal Data of EU, UK, or Swiss data subjects is Processed, the parties rely on the Standard Contractual Clauses ("SCCs") issued by the European Commission (Decision 2021/914) as the legal basis for transfer to the United States. Carevoices implements supplementary technical and organizational measures including encryption in transit and at rest, access controls, and audit logging.

6. Sub-processors

Customer authorizes Carevoices to engage sub-processors for the purposes of providing the Service. Current sub-processors include: cloud infrastructure providers (AWS, GCP), payment processors (Stripe), identity verification (Persona), email infrastructure (SendGrid), and third-party AI model providers (Anthropic, OpenAI, Google) under contractual no-training terms. Carevoices maintains an up-to-date sub-processor list available on request and provides 30 days' notice of new sub-processor additions.

7. Security Measures

Carevoices implements appropriate technical and organizational measures including:

  • Encryption of Personal Data at rest and in transit (TLS 1.2+)
  • Role-based access controls with least-privilege principles
  • Audit logging of access to Personal Data
  • Multi-factor authentication for all administrative access
  • Regular security testing and vulnerability assessment
  • Incident response and breach notification procedures

SOC 2 Type II audit is in evidence-collection phase. Letter of audit attestation available on request to qualified parties under NDA.

8. Data Subject Rights

Carevoices supports Controller's obligations to data subjects exercising rights under applicable privacy law, including rights of access, correction, deletion, and portability. Carevoices will assist Controller in responding to data subject requests within reasonable timeframes specified in the MSA.

9. Personal Data Breach Notification

Carevoices will notify Controller without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a Personal Data Breach affecting Controller's data. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

10. Audit Rights

Customer has the right to audit Carevoices' compliance with this DPA, exercisable on reasonable notice and at Customer's expense. Carevoices may satisfy audit obligations by providing third-party audit reports (e.g., SOC 2 Type II once available) under NDA.

11. Return or Deletion of Personal Data

Upon termination of an Engagement, Carevoices will return or delete Personal Data within timeframes specified in the MSA, typically 30-90 days post-termination unless extended retention is contractually agreed.

12. HIPAA Cross-Reference

For Engagements involving Protected Health Information under HIPAA, the Carevoices Business Associate Agreement governs PHI handling and supersedes conflicting provisions in this DPA. Where this DPA imposes stricter requirements than the BAA on non-PHI Personal Data, this DPA controls for non-PHI Personal Data.

13. Sunshine Act Cooperation

For pharmaceutical or medical device Customers with Open Payments reporting obligations, Carevoices captures necessary panelist data (NPI, state license, specialty, address) at intake and provides CMS-format export data on request. Customer is responsible for filing Open Payments reports with CMS.

14. Changes to This DPA

Carevoices may update this DPA periodically to reflect changes in applicable law or Service capabilities. Material changes will be communicated to Customers with reasonable notice.

15. Contact

For data protection inquiries: privacy@carevoices.health. For HIPAA-specific requests including BAA copies: compliance@carevoices.health.