Data Processing Agreement

Effective Date: November 8, 2025

Version 1.0 | Last Updated: November 8, 2025

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the PixioDoc Terms of Service and applies to all Personal Data processed by PixioDoc in connection with the Services we provide to healthcare professionals.

PixioDoc (Service Provider)

  • Support: support@pixiodoc.com

Purpose: This DPA supplements and, from the date you agree to it, forms part of your agreement with PixioDoc. It supersedes any conflicting provisions in the Terms of Service regarding the transfer and processing of Personal Data.

Who Should Read This: Healthcare professionals using PixioDoc who need to comply with GDPR, HIPAA, Swiss FADP, or other data protection regulations.

2. Key Definitions

These terms are used throughout this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person. This includes patient names, medical images, healthcare professional credentials, and any other data that can identify someone.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Controller" means you, the healthcare professional or organization that determines what data to collect and how to use it.

"Processor" means PixioDoc, which processes data on your behalf according to your instructions.

"Data Subject" means the individual whose Personal Data is being processed (your patients or authorized users).

"Sub-processor" means third-party service providers we use to help deliver PixioDoc (like Supabase for hosting or RevenueCat for payments).

"Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.

"Covered Data" means all Personal Data you provide to PixioDoc, including patient records, medical images, treatment logs, and your account information.

3. Roles and Responsibilities

3.1 Your Role as Controller

As a healthcare professional using PixioDoc, you are the Controller (also called "business" under US privacy laws). As Controller, you have the following responsibilities:

  • Determine what data to collect - You decide what patient information to store in PixioDoc
  • Obtain patient consent - Get appropriate authorization before uploading health data
  • Provide privacy notices - Tell patients how their data will be used
  • Handle patient rights requests - Respond to access, deletion, and correction requests
  • Ensure lawful basis - Have legal grounds for processing health data (consent, legal obligation, etc.)
  • Manage sharing permissions - Control who has access to patient data

3.2 Our Role as Processor

PixioDoc acts as a Processor (also called "service provider" under US privacy laws). As Processor, we make the following commitments:

  • Follow your instructions - Process data only as you direct through the app
  • Implement security measures - Protect data with encryption and access controls
  • Maintain confidentiality - Restrict access to authorized personnel only
  • Assist with compliance - Help you meet your data protection obligations
  • Report incidents - Notify you of any security breaches within 48 hours
  • Delete data when requested - Remove data after account termination

3.3 Processing Instructions

We process your data only:

  • To provide the Services as described in our Terms of Service
  • According to your instructions via the app interface
  • As necessary to comply with applicable laws
  • To improve the Services using anonymized, aggregated data

We Will NEVER:

  • ❌ Sell your data or patient data
  • ❌ Use patient data for advertising
  • ❌ Share data with unauthorized third parties
  • ❌ Process data outside the scope of the Services
  • ❌ Train AI models on your patient data
  • ❌ Combine your data with data from other sources

4. Data We Process

The complete details of data processing are documented below:

4.1 Categories of Data

Healthcare Professional Data:

  • Contact information (name, email)
  • Professional credentials (type, number)
  • Account information (email, password hash)
  • Usage data (features accessed, session times)
  • Device information (IP address, device type)

Patient Data (as uploaded by you):

  • Patient identifiers (your custom IDs)
  • Demographic information (name, DOB, gender) - optional
  • Medical images and videos
  • Treatment notes and annotations
  • Progress tracking data
  • Timeline information

Authorized Users Data:

  • Names and email addresses
  • Access permissions (View Only, Editor, Admin)
  • Sharing activity logs
  • Consent confirmations

4.2 Special Categories of Data

PixioDoc is designed to process health data, which is a special category of Personal Data under GDPR Article 9 requiring enhanced protection.

⚕️ Important for Healthcare Data:

You must ensure you have a lawful basis for processing health data, such as:

  • Explicit patient consent (most common for medical imaging)
  • Healthcare purposes (treatment, diagnosis, health management)
  • Legal obligations (required medical record keeping)
  • Vital interests (protecting someone's life or health)

✓ You certify that you have obtained all necessary consents and authorizations before uploading health data to PixioDoc.

4.3 Purpose of Processing

Purpose               | Data Processed
Service Delivery      | All data necessary for app functionality
Authentication        | Email, password, MFA codes, session tokens
Medical Image Storage | Patient images, videos, annotations
Progress Tracking     | Treatment logs, timeline data, comparisons
Secure Sharing        | User emails, access permissions, consent logs
Technical Support     | Account info, usage logs, error reports
Security & Compliance | Activity logs, access logs, audit trails
Service Improvement   | Anonymized usage data (no PHI)

4.4 Data Retention

Data Type             | Retention Period
Patient Records       | Until you delete them (or account termination + 30 days)
Medical Images/Videos | Until you delete them (or account termination + 30 days)
Activity Logs         | 1 year (HIPAA requirement), then auto-deleted
Backup Data           | 30 days (daily backups with 30-day retention)
Deleted Data          | 30-day grace period, then permanent deletion

5. Security Measures

We implement comprehensive technical and organizational measures to protect your data:

5.1 Technical Safeguards

🔒 Encryption

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 with modern cipher suites
  • Key Management: FIPS 140-2 compliant HSMs
  • Certificate Pinning: Prevents man-in-the-middle attacks

🔐 Access Controls

  • Row Level Security: Database-enforced data isolation
  • Multi-Factor Authentication: Email verification codes
  • Biometric Authentication: Optional Face ID/Touch ID
  • Session Management: 15-minute auto-timeout
  • Role-Based Access: View Only, Editor, Admin levels

📊 Monitoring & Logging

  • 24/7 Security Monitoring: Real-time threat detection
  • Comprehensive Audit Logs: All data access tracked
  • Activity Logging: 27 activity types tracked for 1 year
  • Automated Alerts: Suspicious activity notifications

🛡️ Network Security

  • Firewalls: Network perimeter protection
  • Intrusion Detection: Automated threat identification
  • DDoS Protection: Cloudflare protection
  • Network Segmentation: Isolated customer data

5.2 Organizational Safeguards

  • Limited Access: Only authorized personnel with business need
  • Employee Training: Regular data protection and security training
  • Confidentiality Agreements: All employees sign NDAs
  • Background Checks: For employees with data access
  • Incident Response Plan: Documented breach procedures
  • Regular Audits: Quarterly security reviews
  • Penetration Testing: Annual third-party assessments

5.3 Data Center Security

  • Physical Security: Secure facilities with 24/7 monitoring (managed by Supabase)
  • Redundancy: Automatic replication within EU region
  • Backup & Recovery: Daily encrypted backups with 30-day retention
  • Disaster Recovery: Business continuity planning

6. Sub-Processors

We use the following trusted third-party service providers (sub-processors) to help deliver PixioDoc:

6.1 Authorized Sub-Processors

Sub-Processor       | Service                          | Location                | Data Processed
Supabase Inc.       | Database hosting, authentication | EU (primary), Singapore | All customer data
Amazon Web Services | Cloud infrastructure             | EU region               | All customer data
Google LLC          | Push notifications, analytics    | USA                     | Device tokens, usage data
RevenueCat          | Subscription management          | USA                     | User ID, subscription status
Zoho (ZeptoMail)    | Transactional emails             | USA/EU                  | Email addresses, user names
Cloudflare          | CDN, DDoS protection             | Global                  | IP addresses, request logs
Fly.io              | Application hosting              | EU/USA                  | Application data
Vercel              | Application hosting              | USA                     | Application data
GitHub              | Code repository, OAuth           | USA                     | OAuth tokens
Sentry              | Error monitoring                 | USA                     | Error logs, user IDs

Last updated: November 8, 2025

6.2 Sub-Processor Requirements

All sub-processors are contractually required to:

  • Sign Business Associate Agreements (BAA) for HIPAA compliance
  • Maintain SOC 2 or ISO 27001 certification (or equivalent)
  • Implement equivalent security measures to protect data
  • Comply with GDPR and Swiss FADP requirements
  • Use EU servers for data processing where applicable
  • Provide data encryption at rest and in transit
  • Maintain confidentiality of all processed data

6.3 Changes to Sub-Processors

30-Day Notice: We will notify you at least 30 days before adding or changing any sub-processors.

Right to Object: If you object on reasonable data protection grounds:

  • Notify us within 5 days of receiving notice
  • We'll work together to find an acceptable solution (30 days)
  • If no solution found, you may terminate affected Services

Notification Methods: Email to your registered address, in-app notification

7. International Data Transfers

🌍 Primary Data Location:

All data is stored in the European Union (Frankfurt, Germany) and NEVER leaves the EU/EEA region.

This eliminates most international transfer concerns for EU/EEA customers.

7.1 Transfer Mechanisms

For limited data transfers to sub-processors outside the EU/EEA (e.g., RevenueCat for payments), we use:

✓ Standard Contractual Clauses (SCCs)

EU Commission-approved contracts for international transfers (Module 2: Controller to Processor)

✓ EU-US Data Privacy Framework

For US-based sub-processors certified under the DPF (Amazon, Google, RevenueCat, etc.)

✓ UK Extension to EU-US DPF

For UK data transfers

✓ Swiss-US Data Privacy Framework

For Swiss data transfers

7.2 Transfer Impact Assessment

We have conducted comprehensive Transfer Impact Assessments (TIAs) for all international transfers to ensure your data remains protected. Key findings:

  • Low Risk: We process ordinary commercial information, not data typically targeted by foreign intelligence
  • Strong Safeguards: End-to-end encryption, access controls, audit logging
  • Legal Protections: SCCs with all sub-processors, DPF certification where applicable
  • Technical Measures: TLS 1.3, AES-256, certificate pinning, network segmentation
  • Contractual Safeguards: All sub-processors bound by equivalent data protection obligations

7.3 Standard Contractual Clauses

The Standard Contractual Clauses (SCCs) as approved by the European Commission are incorporated into this DPA for all transfers of Personal Data from the EU/EEA to PixioDoc.

SCC Details:

  • Module: Module 2 (Controller to Processor)
  • Docking Clause: Does not apply
  • Sub-processors: General authorization with 30-day notice
  • Governing Law: Irish law
  • Jurisdiction: Courts of Ireland
  • Supervisory Authority (EU): Irish Data Protection Commission

View Full SCCs: Available in Annex C of this DPA or by request at support@pixiodoc.com

8. Data Subject Rights

As the Controller, you are responsible for responding to patient requests to exercise their rights under GDPR, HIPAA, and other applicable laws. We will assist you as outlined below:

8.1 Your Responsibilities

Right         | Description                     | How to Fulfill
Access        | View their data                 | Export patient data via Settings → Export Data
Rectification | Correct inaccurate data         | Edit patient records in the app
Erasure       | Delete their data               | Delete patient profile (recoverable for 30 days)
Portability   | Receive data in portable format | Export to JSON/ZIP format
Restriction   | Limit processing                | Pause/archive patient (contact support)
Objection     | Object to processing            | Stop using patient data, delete if requested

8.2 Our Assistance

We will assist you in fulfilling data subject rights requests by:

  • Providing self-service tools for data export, editing, and deletion
  • Responding to your requests for data access within 5 business days
  • Maintaining audit logs to verify compliance with rights requests
  • Documenting procedures in this DPA and Privacy Policy
  • Supporting your DPIA (Data Protection Impact Assessment) if required

8.3 Response Timeline

  • GDPR Requirement: Respond within 1 month (extendable to 3 months for complex requests)
  • HIPAA Requirement: Respond within 30 days (extendable by 30 days with explanation)
  • Our Support: We provide data within 5 business days when you request it

9. Security Incidents & Breach Notification

9.1 Incident Detection

We maintain 24/7 security monitoring systems to detect potential security incidents:

  • Real-time threat detection and automated alerts
  • Intrusion detection systems
  • Anomaly detection for unusual access patterns
  • Failed login attempt monitoring
  • Database query monitoring
  • File access logging

9.2 Notification Requirements

⚠️ If a Security Incident Occurs:

We will notify you within 48 hours of becoming aware of any Security Incident affecting your data.

Notification Will Include:

  • Nature of the breach (what happened)
  • Categories and approximate number of affected records
  • Potential consequences and risks
  • Measures taken to contain and mitigate
  • Contact point for further information
  • Status of investigation

Notification Methods: Email to your registered address, in-app notification, phone call for critical incidents

9.3 Your Obligations

Upon receiving breach notification, you must:

  • Assess patient notification requirement: GDPR requires notification within 72 hours if breach likely results in risk to rights and freedoms
  • Notify supervisory authority: Your national DPA within 72 hours (GDPR) or HHS within 60 days (HIPAA)
  • Document the incident: Maintain records of breach and response actions
  • Cooperate with investigation: Work with us to understand and mitigate the incident

9.4 Our Remediation

We will take immediate action to:

  • Contain the incident and prevent further unauthorized access
  • Investigate root cause and determine scope of impact
  • Implement additional security measures to prevent recurrence
  • Provide regular updates on investigation status
  • Cooperate with regulatory investigations
  • Document lessons learned and improve security procedures

9.5 No Liability Acknowledgment

Our notification of or response to a Security Incident does not constitute an acknowledgement of fault or liability. Liability is governed by the Terms of Service.

10. Audits and Compliance

10.1 Your Audit Rights

You may audit our compliance with this DPA once per calendar year.

Audit Process:

  1. Written Notice: Provide 30 days' advance written notice to support@pixiodoc.com
  2. Scope Agreement: We'll agree in writing on audit scope, timing, and confidentiality terms
  3. Documentation Review: We'll provide security certifications, audit reports, and compliance documentation
  4. Third-Party Auditor: You may engage an independent auditor (at your expense, subject to confidentiality agreement)
  5. Business Hours Only: Conducted during normal business hours to minimize disruption

10.2 Documentation We Provide

Upon request, we can provide:

  • SOC 2 Type II Report (planned) - Third-party security audit
  • ISO 27001 Certification (planned) - Information security management
  • Penetration Test Results - Annual third-party security testing (summary)
  • Security Questionnaires - Completed vendor security assessments
  • Sub-processor List - Current authorized sub-processors with safeguards
  • Incident Reports - Summary of any security incidents (if applicable)

10.3 Audit Results

Audit results are your Confidential Information and may not be disclosed except:

  • To your legal and compliance advisors
  • To regulatory authorities upon valid request
  • As required by law

10.4 Cost Responsibility

You bear all costs associated with audits, including third-party auditor fees, travel expenses, and staff time.

11. Data Return and Deletion

11.1 Upon Termination

When your subscription ends or you delete your account:

Timeline:

  • Within 30 days: You may request a copy of your data via Settings → Export Data (self-service)
  • 30-day grace period: Data hidden but recoverable - contact support to restore
  • After 30 days: All data permanently deleted using cryptographic erasure

11.2 What Gets Deleted

  • All patient records (IDs, demographics, notes)
  • All medical images and videos
  • All treatment logs and annotations
  • All activity logs and audit trails
  • Your account information and credentials
  • All backup copies (within backup retention period)

11.3 Exceptions

We may retain certain data longer if:

  • Legal obligation: Required by law to retain for specific period (e.g., tax records)
  • Legal claims: Necessary to establish, exercise, or defend legal claims
  • Aggregated data: De-identified, anonymized data used for analytics (no personal information)

11.4 Deletion Method

Data is deleted using industry-standard secure deletion methods:

  • Cryptographic erasure (encryption keys destroyed)
  • Database record deletion with immediate vacuum
  • File system overwriting
  • Backup purge after retention period

12. HIPAA Business Associate Agreement

For U.S. healthcare professionals subject to HIPAA, this DPA incorporates the terms of a Business Associate Agreement (BAA).

12.1 Our HIPAA Commitments

We agree to:

  • Not use or disclose PHI except as permitted by this DPA or required by law
  • Implement appropriate safeguards to prevent unauthorized use or disclosure
  • Report Security Incidents to you within 48 hours
  • Ensure sub-contractors comply with HIPAA requirements (BAAs in place)
  • Make PHI available to individuals upon your request
  • Make PHI available for amendment upon your request
  • Maintain accounting of PHI disclosures
  • Make internal practices available for HHS compliance reviews
  • Return or destroy PHI upon termination (or agreement extension)

12.2 Permitted Uses

We may use PHI for:

  • Providing the Services - As necessary to deliver PixioDoc functionality
  • Data aggregation - De-identified data for healthcare operations
  • Management and administration - Business operations (billing, support)
  • Legal requirements - As required by law

12.3 Minimum Necessary

We access only the minimum PHI necessary to provide the Services and meet our obligations under this DPA.

12.4 BAA Execution

Request a Signed BAA: Email support@pixiodoc.com with subject "BAA Request" and include:

  • Your organization name and address
  • Authorized signatory name and title
  • Contact email and phone number

We'll send an executed BAA within 5 business days.

13. Term and Termination

13.1 Effective Period

This DPA takes effect when you agree to it and remains in effect for as long as we Process Personal Data on your behalf.

13.2 Termination

This DPA terminates when:

  • You delete your PixioDoc account
  • Your subscription ends and grace period expires
  • The Terms of Service are terminated
  • All Covered Data has been returned or deleted

13.3 Survival

The following provisions survive termination:

  • Confidentiality obligations
  • Data deletion obligations
  • Limitation of liability
  • Audit rights (for prior periods)
  • Governing law and jurisdiction

14. Limitation of Liability

Our liability under this DPA is subject to the limitations set forth in the Terms of Service.

Nothing in this DPA excludes or limits liability for:

  • Fraud or willful misconduct
  • Gross negligence
  • Death or personal injury caused by negligence
  • Violations of data protection law that cannot be limited by contract

15. Governing Law and Jurisdiction

15.1 EU/EEA Customers

  • Governing Law: Irish law
  • Jurisdiction: Courts of Ireland
  • Supervisory Authority: Irish Data Protection Commission

15.2 Swiss Customers

  • Governing Law: Swiss law
  • Jurisdiction: Courts of Switzerland
  • Supervisory Authority: Swiss Federal Data Protection and Information Commissioner (FDPIC)

15.3 UK Customers

  • Governing Law: Laws of England and Wales
  • Jurisdiction: Courts of England and Wales
  • Supervisory Authority: UK Information Commissioner's Office (ICO)

15.4 U.S. Customers

  • Governing Law: Laws of the State of Delaware
  • Jurisdiction: Courts of Delaware

16. Amendments

16.1 Changes to DPA

We may update this DPA to:

  • Reflect changes in data protection laws
  • Accommodate new Services or features
  • Improve clarity or address ambiguities
  • Update sub-processor list

16.2 Notification

We will notify you of material changes 30 days in advance via:

  • Email to your registered address
  • In-app notification upon next login
  • Posting on our website with revision date

16.3 Acceptance

Continued use of the Services after changes take effect constitutes acceptance of the updated DPA.

If you do not agree to material changes, you may terminate the Services within 30 days of notification without penalty.

17. Contact Information

For questions about this DPA or to exercise your rights:

PixioDoc Data Protection Team

Email: support@pixiodoc.com

General Support: support@pixiodoc.com

Postal Address:
PixioDoc

Response Time: Within 5 business days for DPA-related inquiries

Version History:

  • v1.0 - November 8, 2025 - Initial publication

📄 Need a Signed DPA?

For enterprise customers or healthcare organizations requiring a fully executed Data Processing Agreement:

Include your organization name, contact details, and signatory information. We'll respond within 5 business days.