Data Processing Agreement
Our commitment to transparency, privacy, and compliance. Last updated: January 15, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between GetFitHealth, Inc. ("Processor" or "we") and you ("Controller" or "you") for the provision of our healthcare technology services. This DPA reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Definitions
In this DPA, the following terms have the meanings set out below:
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, CCPA, HIPAA, and other relevant privacy laws.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" means any third party appointed by the Processor to process Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
3. Scope and Nature of Processing
3.1 Subject Matter
The Processor will process Personal Data on behalf of the Controller for the purpose of providing healthcare technology services, including platform hosting, data storage, analytics, and related services.
3.2 Duration
Processing will continue for the duration of the service agreement and for a reasonable period thereafter as necessary to fulfill legal obligations or as instructed by the Controller.
3.3 Nature and Purpose
The nature and purpose of processing includes:
- Hosting and maintaining healthcare applications and platforms
- Storing and managing patient health records and medical data
- Processing appointment scheduling and patient communications
- Providing analytics and reporting services
- Facilitating secure data transmission and access
- Supporting compliance with healthcare regulations
3.4 Types of Personal Data
The types of Personal Data processed may include:
- Contact information (name, email, phone, address)
- Identification data (date of birth, government ID numbers)
- Health information (medical history, diagnoses, treatments)
- Insurance information
- Billing and payment information
- Technical data (IP addresses, device information, usage data)
3.5 Categories of Data Subjects
Data Subjects may include:
- Patients and healthcare consumers
- Healthcare providers and practitioners
- Administrative staff and employees
- Website visitors and platform users
4. Processor Obligations
4.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Processor shall immediately inform the Controller if it believes an instruction infringes Data Protection Laws.
4.2 Confidentiality
The Processor shall ensure that all personnel authorized to process Personal Data are subject to confidentiality obligations and receive appropriate training on data protection.
4.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit and at rest (TLS 1.3, AES-256)
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms (MFA, RBAC)
- Intrusion detection and prevention systems
- Regular backups and disaster recovery procedures
- Security incident response procedures
- Employee security awareness training
4.4 Sub-processing
The Processor may engage Sub-processors to assist in providing the services. The Processor shall:
- Maintain a list of authorized Sub-processors
- Notify the Controller of any intended changes to Sub-processors
- Ensure Sub-processors are bound by data protection obligations equivalent to this DPA
- Remain fully liable for the acts and omissions of Sub-processors
4.5 Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection to processing.
4.6 Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 24 hours) upon becoming aware of a Personal Data breach. The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
4.7 Deletion and Return
Upon termination of services, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless retention is required by law.
4.8 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an authorized auditor.
5. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data
- Provide clear and documented processing instructions
- Ensure compliance with Data Protection Laws in its jurisdiction
- Obtain necessary consents from Data Subjects where required
- Respond to Data Subject requests in accordance with applicable laws
- Notify the Processor of any restrictions or special requirements
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Binding Corporate Rules where applicable
- Additional security measures to protect data in transit
7. Liability and Indemnification
Each party shall be liable for damages caused by its processing of Personal Data in violation of this DPA or Data Protection Laws. The Processor shall indemnify the Controller against claims arising from the Processor's breach of this DPA.
8. List of Sub-processors
The Processor currently uses the following Sub-processors:
- Amazon Web Services (AWS) - Cloud infrastructure and hosting (USA)
- Vercel Inc. - Application hosting and deployment (USA)
- Supabase Inc. - Database services (USA)
- SendGrid (Twilio) - Email delivery services (USA)
The Controller will be notified of any changes to this list with at least 30 days' notice and may object to the use of a new Sub-processor.
9. Contact Information
For questions about data processing, please contact our Data Protection Officer:
- Email: hello@getfithealth.co
- Phone: (678) 786-7368
- Mail: Data Protection Officer, GetFitHealth, Inc., Atlanta, GA, United States