Data Processing Agreement (DPA)
Last update: May 23, 2026
This Data Processing Agreement (DPA) constitutes Attachment No. 1 to the Therapeutic Platform Cooperation Agreement and governs the rules of processing patients' personal data by PsychoSpace sp. z o.o. as data processor.
1. Subject of Processing
1. The Platform (as data processor for E2EE health data) processes patients' personal data solely for the purpose and to the extent necessary for providing technical services specified in the main agreement.
2. Types of processed data:
a) encrypted health data (emotion journals, clinical notes);
b) identification data (name, surname, email, phone);
c) booking data (dates, times, appointment status);
d) therapeutic preference data (from matchmaking questionnaire);
e) financial data (payment history, amounts — card data is NOT stored).
3. Categories of data subjects: patients using the Therapist's services through the Platform.
4. Nature of processing: storage, transmission, sharing of encrypted data, payment processing, algorithmic matching.
2. Platform's Obligations as Data Processor
1. The Platform processes data only on documented instructions from the Therapist (as controller for E2EE health data), unless Union or Member State law requires otherwise.
2. The Platform ensures that persons authorized to process data have committed to confidentiality or are subject to an appropriate statutory duty of confidentiality.
3. The Platform applies appropriate technical and organizational security measures, including:
a) end-to-end encryption (E2EE) using libsodium and AES-256-GCM;
b) encryption of data at rest on Supabase servers;
c) transport encryption (TLS 1.3);
d) multi-factor authentication (MFA) for therapists;
e) role-based access control (RBAC) with Row Level Security (RLS) policies;
f) regular security audits and penetration testing.
4. The Platform does not entrust data processing to another entity (subprocessor) without prior explicit or general authorization from the Therapist. In the case of general authorization, the Platform informs the Therapist of any change in subprocessors with 14 days' notice, giving the Therapist the opportunity to object.
5. The Platform provides support in exercising the rights of data subjects and in data protection impact assessments (DPIA), if required.
6. The Platform does not make decisions about the purposes and means of processing patients' health data — these decisions are made by the Therapist.
3. Therapist's Obligations as Controller
1. The Therapist as controller of patients' health data undertakes to:
a) process data in accordance with applicable regulations, including GDPR;
b) fulfill information obligations towards patients (Art. 13-14 GDPR);
c) ensure a legal basis for processing health data (Art. 9(2) GDPR);
d) respond to data subject requests (Art. 15-22 GDPR);
e) report data breaches to the supervisory authority within 72 hours (Art. 33 GDPR).
2. The Therapist declares that they have an appropriate legal basis for entrusting data processing to the Platform.
4. Data Subject Rights
1. The Platform supports the Therapist in exercising patient rights, in particular:
a) right of access to data (Art. 15 GDPR);
b) right to rectification (Art. 16 GDPR);
c) right to erasure — "right to be forgotten" (Art. 17 GDPR);
d) right to restriction of processing (Art. 18 GDPR);
e) right to data portability (Art. 20 GDPR);
f) right to object (Art. 21 GDPR).
2. The Platform provides technical mechanisms enabling the exercise of these rights:
a) patient data export in JSON format (export-patient-data function);
b) account deletion with 30-day grace period (delete-account function);
c) automatic data deletion after grace period expiry (delete-account-cron).
3. In the event of receiving a request directly from a patient, the Platform promptly forwards it to the appropriate controller (Therapist).
5. Security Measures
1. The Platform has implemented the following technical and organizational measures:
a) Encryption:
- End-to-end encryption (E2EE) for emotion journals and clinical notes
- Algorithm: libsodium (Ed25519 + X25519) + AES-256-GCM
- Encryption keys stored exclusively on end devices
- Key backup secured with PIN (6 digits, encrypted)
b) Access Control:
- Row Level Security (RLS) at the PostgreSQL database level
- Multi-factor authentication (MFA/AAL2) for therapists
- Role-Based Access Control (RBAC): patient, therapist, admin
c) AI Protection:
- Data sanitization before sending to AI models (PII removal)
- Prompt injection guard (protection against AI model attacks)
- E2EE health data is NOT sent to AI in decrypted form
d) Infrastructure:
- Database hosting: Supabase (EU, Frankfurt)
- TLS 1.3 for all connections
- Content Security Policy (CSP) headers
- HSTS (HTTP Strict Transport Security)
e) Procedures:
- Automatic data deletion after account removal (30-day grace period)
- Data retention policy compliant with GDPR
- Regular security reviews
6. Breach Notification
1. In the event of a personal data breach, the Platform shall promptly, no later than 24 hours after discovering the breach, inform the Therapist of:
a) the nature of the breach, including the categories and approximate number of affected data subjects;
b) the Data Protection Officer's (DPO) contact details;
c) the likely consequences of the breach;
d) the measures taken or proposed to remedy the breach.
2. The Platform documents all personal data breaches, including the circumstances of the breach, its effects, and remedial actions taken.
3. The Platform cooperates with the Therapist to fulfill notification obligations to the supervisory authority (Art. 33 GDPR) and to notify affected data subjects (Art. 34 GDPR).
7. Subprocessors
1. The Therapist grants the Platform general authorization to use subprocessors listed in Attachment No. 3 to the main agreement.
2. The Platform informs the Therapist of any planned change regarding the addition or replacement of a subprocessor with 14 days' notice.
3. The Therapist has the right to object to a subprocessor change within 14 days of receiving the notification. In the event of a justified objection, the Parties shall negotiate to find a solution.
4. The Platform ensures that agreements with subprocessors impose on them at least the same data protection obligations as those arising from this agreement.
8. International Data Transfers
1. When using subprocessors based outside the European Economic Area (USA: OpenAI, xAI, Stripe, Mailtrap, Expo), the Platform ensures appropriate transfer safeguards based on:
a) Standard Contractual Clauses (SCC) adopted by the European Commission;
b) adequacy decisions (if applicable);
c) Binding Corporate Rules (BCR) of the subprocessor (if applicable).
2. Before transferring data to AI models (OpenAI, xAI), the Platform applies a sanitization procedure removing personal identifiers (PII). E2EE-encrypted health data is not transferred to AI models in decrypted form.
3. The Platform maintains a register of data transfers outside the EEA and makes it available to the Therapist upon request.
9. Duration and Data Deletion
1. This processing agreement remains in effect for the entire duration of the main agreement (Therapeutic Platform Cooperation Agreement).
2. Upon termination of services, the Platform shall, at the Therapist's choice:
a) delete patients' personal data; or
b) return patients' personal data to the Therapist,
unless Union or Member State law requires continued storage.
3. Technical data deletion mechanism:
a) 30-day grace period after agreement termination or account deletion;
b) automatic full data deletion after grace period expiry (delete-account-cron);
c) E2EE-encrypted data on the Therapist's end devices remains outside the Platform's control.
4. The Platform confirms data deletion in writing within 14 days of completing the deletion process.
10. Audit and Inspection
1. The Platform makes available to the Therapist all information necessary to demonstrate compliance with obligations under Art. 28 GDPR.
2. The Platform allows audits, including inspections, by the Therapist or an authorized auditor, after prior agreement on the date with 14 days' notice.
3. The Platform promptly informs the Therapist if, in its opinion, an issued instruction violates GDPR or other data protection regulations.
4. Audit costs are borne by the Therapist, unless the audit reveals significant violations of the Platform's obligations — in which case the costs are borne by the Platform.
Current List of Subprocessors
| Subprocessor | Service | Country | Transfer outside EEA | SCC |
|---|---|---|---|---|
| Supabase | PostgreSQL Hosting + Auth | Germany (Frankfurt) | No | N/A |
| Vercel | Frontend Hosting | Germany (Frankfurt) | No | N/A |
| Stripe | Payment Processing | USA | Yes | Yes |
| OpenAI | AI — Note Summaries | USA | Yes | Yes |
| xAI | AI — Matchmaking Chat | USA | Yes | Yes |
| Mailtrap | Email Delivery | USA | Yes | Yes |
| Expo | Push Notifications | USA | Yes | Yes |
DPO Contact Details
PsychoSpace Data Protection Officer: iod@psychospace.io
Address: ul. Cyfrowa 6, 71-441 Szczecin