Data Processing Agreement – Physicare.ai

Last updated: April 13, 2026

This Data Processing Agreement, including its schedules and annexes, forms part of and is incorporated into the applicable Terms of Service, master services agreement, order form, subscription agreement, or other written agreement between the Customer and Physicare.ai governing the provision of the Services.

This Data Processing Agreement applies where Physicare.ai processes Personal Data on behalf of the Customer in connection with the Services.

For the purposes of this Data Processing Agreement:

Customer means the clinic, practice, employer, regulated healthcare professional, or other legal entity that enters into the applicable agreement with Physicare.ai

Physicare.ai means the legal entity providing the Services

Controller means the entity that determines the purposes and means of the Processing of Personal Data, including where applicable a controller, custodian, trustee, responsible person, or equivalent primary decision-maker under applicable privacy or health information law

Processor means the entity that Processes Personal Data on behalf of the Controller, including where applicable a service provider, agent, affiliate, information manager, mandatary, or equivalent service role under applicable law

Personal Data means personal information, personal data, personal health information, or other equivalent protected information processed under this Data Processing Agreement

Processing means any operation performed on Personal Data, including collection, use, storage, disclosure, transmission, deletion, or destruction

Subprocessor means a third party engaged by Physicare.ai to Process Personal Data on behalf of the Customer

Applicable Privacy Law means all laws applicable to the Processing of Personal Data under the Services, including as applicable PIPEDA, Québec Law 25, PHIPA, HIA, HIPA, PHIA, PIPA, GDPR, UK GDPR, and any related regulations

1. Scope and Roles

This Data Processing Agreement governs the Processing of Personal Data by Physicare.ai on behalf of the Customer in connection with the Services.

The parties acknowledge that, in relation to Customer Personal Data processed through the Services for patient care, clinical administration, or related business operations:

  • the Customer generally acts as Controller
  • Physicare.ai acts as Processor

The parties further acknowledge that Physicare.ai may act as an independent controller with respect to limited Business Data it processes for its own legitimate business purposes, including account administration, billing, service security, fraud prevention, legal compliance, support, and service communications. Such Processing is governed by the Privacy Policy and applicable law, and not by this Data Processing Agreement except to the extent expressly stated.

Where applicable law uses different terminology, references in this Data Processing Agreement to Controller and Processor include equivalent legal roles under that law.

2. Customer Instructions

Physicare.ai shall Process Personal Data only on documented instructions from the Customer, unless otherwise required by applicable law.

The Customer instructs Physicare.ai to Process Personal Data as necessary to:

  • provide, host, operate, maintain, secure, and support the Services
  • authenticate users and manage access
  • provide transcription, documentation, workflow, and AI-assisted functionality
  • maintain service reliability, backup, monitoring, and incident response
  • comply with lawful requests and legal obligations
  • carry out other Processing expressly authorized by the Customer through the configuration or use of the Services

If Physicare.ai believes that an instruction violates applicable law, Physicare.ai may suspend the affected Processing and shall inform the Customer unless prohibited by law.

The Customer represents and warrants that it has all rights, authorities, notices, consents, and other lawful grounds necessary to disclose Personal Data to Physicare.ai and authorize the Processing described in the applicable agreement.

3. Nature and Purpose of Processing

The nature of the Processing includes hosting, storing, organizing, transmitting, retrieving, structuring, analyzing, securing, backing up, and deleting Personal Data in connection with the Services.

The purpose of the Processing is to provide the Services to the Customer and its authorized users, including clinical documentation support, transcription, workflow support, patient program delivery, administrative features, service maintenance, and security.

4. Categories of Data and Data Subjects

The categories of Personal Data may include:

  • account and identity information
  • business contact information
  • authentication data
  • billing and subscription information
  • audit and log data
  • technical and usage information
  • patient-related information submitted by the Customer
  • clinical notes
  • transcriptions
  • appointment and scheduling information
  • program, assessment, or questionnaire data
  • other health-related information submitted through the Services

The categories of Data Subjects may include:

  • healthcare professionals
  • clinic staff
  • administrators
  • patients
  • prospective patients where entered by the Customer
  • contractors or other authorized users of the Customer
  • business contacts related to the Customer account

5. Confidentiality

Physicare.ai shall ensure that persons authorized to Process Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or professional.

Physicare.ai shall ensure that access to Personal Data is limited to personnel who require access for the purposes of providing or supporting the Services.

6. Security Measures

Physicare.ai shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the data, the state of the art, the costs of implementation, and the risks presented by the Processing.

Such measures may include, as appropriate:

  • encryption in transit and at rest
  • role-based access controls
  • least-privilege access management
  • authentication controls
  • logging and monitoring
  • secure hosting practices
  • backup and recovery mechanisms
  • incident response procedures
  • internal access restrictions
  • workforce training and confidentiality obligations

Physicare.ai may update or modify its security measures from time to time, provided that such changes do not materially reduce the overall level of protection for Personal Data.

7. AI-Assisted Processing

Where the Services include AI-assisted features, Physicare.ai shall Process Personal Data only as necessary to provide the requested functionality and in accordance with the Customer's documented instructions.

Physicare.ai shall not use identifiable Customer Personal Data to train generalized third-party AI models unless expressly authorized in writing by the Customer and permitted by applicable law.

AI-generated outputs are assistive only. The Customer remains solely responsible for reviewing, validating, and approving all outputs before use and for ensuring that no clinical decision is based solely on AI-generated output.

8. Subprocessors

The Customer authorizes Physicare.ai to engage Subprocessors to support the delivery of the Services.

Physicare.ai shall ensure that each Subprocessor is bound by written obligations that provide a level of protection for Personal Data that is no less protective than the obligations set out in this Data Processing Agreement, to the extent applicable to the services performed by that Subprocessor.

Physicare.ai remains responsible for the performance of its Subprocessors to the extent required by applicable law.

Physicare.ai shall maintain a current list of material Subprocessors and make it available to the Customer upon request or through a designated webpage.

Where reasonably appropriate, Physicare.ai shall provide notice of new material Subprocessors before authorizing them to Process Customer Personal Data.

9. International Transfers

Physicare.ai primarily hosts production data in Canada, but may transfer or permit access to Personal Data outside Quebec or outside Canada where necessary to provide the Services or support functions.

Where Personal Data is transferred across borders, Physicare.ai shall implement appropriate safeguards as required by Applicable Privacy Law, which may include:

  • contractual protections
  • transfer impact assessments
  • standard contractual clauses
  • supplementary technical or organizational safeguards
  • equivalent lawful transfer mechanisms

Physicare.ai shall reasonably assist the Customer with information necessary to assess international transfers, subject to confidentiality, security, and legal limitations.

10. Assistance to the Customer

Taking into account the nature of the Processing and the information available to Physicare.ai, Physicare.ai shall provide reasonable assistance to the Customer in fulfilling its obligations under Applicable Privacy Law, including where applicable with respect to:

  • data subject rights requests
  • privacy impact assessments
  • transfer assessments
  • breach response
  • security documentation reasonably required for compliance or procurement review

Where Physicare.ai receives a request from a Data Subject relating to Personal Data processed on behalf of the Customer, Physicare.ai may:

  • refer the request to the Customer
  • notify the Customer of the request
  • refrain from responding directly except as required by law or authorized by the Customer

11. Security Incidents and Breach Notification

Physicare.ai shall maintain processes to identify, investigate, document, and respond to Security Incidents affecting Personal Data.

If Physicare.ai becomes aware of a confirmed Security Incident affecting Personal Data processed on behalf of the Customer, Physicare.ai shall notify the Customer without undue delay and, where reasonably practicable, within forty-eight hours after confirmation.

Such notice shall include, to the extent known at the time:

  • the nature of the Security Incident
  • the categories of affected Personal Data
  • the categories of affected Data Subjects
  • the likely consequences of the Security Incident
  • the measures taken or proposed to address the Security Incident
  • information reasonably necessary for the Customer to meet its legal obligations

Physicare.ai may provide information in phases as it becomes available.

Unless required by applicable law, Physicare.ai shall not notify affected individuals or regulators of a Security Incident relating solely to Customer-controlled Personal Data without first consulting the Customer.

12. Return and Deletion of Data

Upon termination or expiration of the applicable agreement, and upon the Customer's written request, Physicare.ai shall, subject to the terms of the applicable agreement and Applicable Privacy Law:

  • return Customer Personal Data in a reasonable format
  • provide an export where technically available
  • delete or destroy Customer Personal Data in its possession or control

Physicare.ai may retain Personal Data to the extent required by applicable law, for legitimate backup retention cycles, dispute resolution, fraud prevention, security investigation, or enforcement of legal rights, provided that any retained Personal Data remains protected in accordance with this Data Processing Agreement.

If the Customer does not request return or deletion within the period specified in the applicable agreement, Physicare.ai may delete Customer Personal Data in accordance with its standard retention and deletion practices, subject to Applicable Privacy Law.

13. Audit and Compliance Information

Physicare.ai shall make available to the Customer information reasonably necessary to demonstrate compliance with this Data Processing Agreement, subject to confidentiality, security, legal, and proportionality limitations.

Where required by applicable law or reasonably necessary for enterprise procurement or regulatory diligence, the parties may agree on a reasonable mechanism for compliance review, which may include questionnaires, document review, certifications, summaries of independent assessments, or a mutually agreed audit process.

Any audit or review must:

  • be limited to information relevant to the Services and the Processing of Customer Personal Data
  • avoid unreasonable disruption to Physicare.ai's business or security
  • be subject to confidentiality obligations
  • not provide access to the data or confidential information of other customers

14. Records and Cooperation

Physicare.ai shall maintain records of Processing activities where required by applicable law.

Physicare.ai shall cooperate with the Customer, to the extent reasonably necessary and proportionate, in relation to regulatory inquiries, investigations, or proceedings concerning the Processing of Personal Data under the Services.

15. Liability

This Data Processing Agreement is subject to the limitation of liability and exclusion provisions in the applicable agreement, unless otherwise agreed in writing.

Nothing in this Data Processing Agreement shall exclude or limit liability to the extent prohibited by Applicable Privacy Law.

16. Order of Precedence

In the event of a conflict between this Data Processing Agreement and the applicable agreement with respect to the Processing of Personal Data, this Data Processing Agreement prevails to the extent of that conflict.

In the event of a conflict between this Data Processing Agreement and the Privacy Policy, this Data Processing Agreement prevails with respect to Customer Personal Data processed on behalf of the Customer.

17. Governing Law

This Data Processing Agreement shall be governed by the governing law specified in the applicable agreement, unless Applicable Privacy Law requires otherwise.

Schedule 1 – Subject Matter and Duration

Subject matter of Processing

Provision of the Physicare.ai platform and related support services.

Duration of Processing

For the duration of the applicable agreement and any limited period thereafter required to complete return, export, deletion, legal retention, backup cycling, or security obligations.

Nature and purpose of Processing

Hosting, storing, transmitting, organizing, securing, analyzing, supporting, and deleting Personal Data as necessary to provide the Services.

Categories of Personal Data

As described in Section 4 of this Data Processing Agreement.

Categories of Data Subjects

As described in Section 4 of this Data Processing Agreement.

For questions regarding this Data Processing Agreement, contact will@physicare.ai