DATA PROCESSING AGREEMENT
This Data Processing Agreement ("Agreement") forms part of the Terms of Service between the healthcare provider or organization ("Customer") and Transcribe Health Corporation ("Transcribe Health"), a corporation incorporated under the federal laws of Canada. This Agreement sets out the terms under which Transcribe Health processes Personal Information on behalf of the Customer in connection with the Services.
This Agreement is made pursuant to PIPEDA Principle 4.1.3, which requires that an organization transferring personal information to a third party for processing ensure a comparable level of protection while the information is being processed. Where the Customer is subject to HIPAA, this Agreement operates in conjunction with the Business Associate Agreement.
Effective Date: June 19, 2026
1. DEFINITIONS AND INTERPRETATION
In this Data Processing Agreement, the following terms have the meanings set out below. Where a term is defined in PIPEDA or the HIPAA Rules, the statutory definition shall prevail to the extent of any inconsistency.
- "Agreement" means this Data Processing Agreement, including all Schedules annexed hereto.
- "Customer" means the healthcare provider, clinic, or other organization that has entered into the Terms of Service with Transcribe Health and on whose behalf Personal Information is processed.
- "Data Subject" means the individual to whom Personal Information relates, including patients whose consultations are transcribed through the Services.
- "Personal Data" has the same meaning as "Personal Information" and is used interchangeably with it throughout this Agreement; where the Customer or a Data Subject is subject to the GDPR or UK GDPR, "Personal Data" bears the meaning given in Article 4(1) of the GDPR.
- "Personal Information" means information about an identifiable individual, as defined in section 2(1) of PIPEDA, including health information and Protected Health Information as defined under HIPAA.
- "Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Services" means the AI-powered medical transcription platform and related services provided by Transcribe Health to Customer under the Terms of Service.
- "Sub-processor" means any third party engaged by Transcribe Health to process Personal Information on behalf of the Customer.
- "Transcribe Health" means Transcribe Health Corporation, a corporation incorporated under the federal laws of Canada, acting as the processor of Personal Information on behalf of the Customer.
- "GDPR" means Regulation (EU) 2016/679, and "UK GDPR" means that Regulation as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018.
- "Supervisory Authority" means any data protection or privacy regulator with jurisdiction over the processing, including the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Information and Privacy Commissioners of British Columbia and Alberta, the competent EU supervisory authority, the UK Information Commissioner's Office, and the California Privacy Protection Agency or California Attorney General.
2. SCOPE AND PURPOSE OF PROCESSING
2.1. Purpose Limitation
Transcribe Health processes Personal Information solely for the purpose of providing the Services described in the Terms of Service. This processing is limited to: (a) receiving and temporarily storing audio recordings of healthcare consultations; (b) transcribing audio recordings into text using artificial intelligence; (c) generating clinical documentation from transcriptions; (d) storing transcriptions and generated documents for the retention period configured by the Customer; and (e) operating the standalone Assistant chat feature, which receives clinical questions submitted by Authorized Users (which may include patient context), retrieves relevant excerpts from public medical literature sources, generates AI-authored answers with literature citations, persists the resulting conversations server-side, and supplies prior messages within a conversation to the AI provider as context for subsequent turns.
Transcribe Health shall not process Personal Information for any purpose other than those specified in this Agreement and the Terms of Service, unless required to do so by applicable law. In such a case, Transcribe Health shall inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
2.2. Nature of the Processing
The processing consists of automated transcription of audio recordings containing doctor-patient consultations using artificial intelligence models, storage of audio files, persistent storage of transcription text, and generation of structured clinical notes. By default, and regardless of any optional retention policy, audio recordings are automatically and permanently deleted ninety (90) days after transcription is completed, and transcript and session records are retained for seven (7) years (subject to a six-year HIPAA minimum) and then automatically deleted. These default windows apply to every Customer organization and are enforced automatically by the platform. Separately, the Customer may optionally enable an earlier automatic-deletion policy, configurable in 1-day to 30-day windows and disabled by default; when enabled, it deletes Content earlier than the default windows.
The processing also includes operation of the standalone Assistant chat feature. For each user turn, the Customer's Authorized User submits a free-text clinical question (which may contain Personal Information about a patient if the user chooses to include such context); Transcribe Health retrieves relevant excerpts from public medical literature sources; the question, retrieved excerpts, and prior messages from the same conversation are transmitted to a contracted AI sub-processor under zero-retention terms for inference; and the AI-generated response together with its literature citations is returned to the user and persisted in Transcribe Health's Canadian infrastructure. Assistant conversations are scoped to a single Authorized User within a single Customer organization; content is not concatenated or shared across users, conversations, or organizations. Assistant conversations persist until the Authorized User deletes them, the Customer deletes the user's account, or the Customer terminates the Agreement.
Retrieval of literature citations relies on a local index of de-identified literature metadata hosted inside Transcribe Health's Canadian infrastructure (queried using the raw user question, which does not leave Transcribe Health's infrastructure) and on parallel calls to public, non-PHI-receiving medical-research APIs. External calls carry only PHI-scrubbed query variants derived from the user's question (for example, a generic drug name or symptom phrase); they do not carry user identifiers, organization identifiers, conversation identifiers, patient identifiers, or any other Personal Information. Because no Personal Information is transmitted to these public research APIs, they are public data sources rather than Sub-processors of Personal Information under this Agreement and are therefore not listed in Schedule C.
Where the Customer's Authorized Users install the Transcribe Health Medical Scribe Chrome extension, the processing additionally includes a browser-side capture path. The Extension captures consultation audio in the browser and, before any data leaves the user's device, encrypts that audio using a per-session symmetric key generated and scoped client-side to the active browser session. The Extension transmits ciphertext (not plaintext audio) to Transcribe Health's backend; the backend decrypts the audio only inside Transcribe Health's Canadian processing environment for transcription and clinical-note generation, and the decrypted audio is then subject to the same retention rules described above. The Extension also generates non-content telemetry (a recording session identifier, the detected EHR system, the extension version, capture and insertion timestamps, and integrity hashes) used to maintain a tamper-evident audit log retained locally for a limited rolling window and mirrored to Transcribe Health's server-side audit log. The Extension introduces no new Sub-processor: it communicates only with Transcribe Health's existing Canadian backend, which then engages the Sub-processors listed in Schedule C on the same terms as the rest of the Services.
2.3. Categories of Personal Information
The Personal Information processed under this Agreement includes: patient names and identifiers mentioned during consultations; health information including symptoms, diagnoses, treatment plans, medications, and medical history discussed during consultations; healthcare provider names and professional identifiers; and any other personal information verbally communicated during recorded consultations.
Through the Assistant chat feature, the categories of Personal Information further include: free-text questions and any patient context an Authorized User chooses to include in those questions (which may constitute Protected Health Information, including symptoms, diagnoses, treatments, medications, dates, ages, and other clinical details); the AI-generated answers returned in response, including any health information they reproduce or summarize; the literature citations and excerpts attached to those answers; conversation titles (typically authored by the user or auto-summarized from the first question); the ordered history of messages within a conversation; the identifier of the Authorized User who created the conversation; and timestamps.
2.4. Categories of Data Subjects
Data Subjects whose Personal Information is processed under this Agreement include: patients whose healthcare consultations are recorded and transcribed; healthcare providers (physicians, nurses, specialists) who participate in recorded consultations; and other individuals whose information may be incidentally captured during recorded consultations.
3. OBLIGATIONS OF TRANSCRIBE HEALTH
3.1. Compliance with Instructions
Transcribe Health shall process Personal Information only on documented instructions from the Customer, including with regard to transfers of Personal Information outside of Canada. The Terms of Service, this Agreement, and the Customer's configuration of the Services constitute the Customer's complete instructions for the processing of Personal Information. Any additional or alternative instructions must be agreed upon separately in writing.
3.2. Confidentiality
Transcribe Health shall ensure that all persons authorized to process Personal Information have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Personal Information is restricted to personnel who require access to perform the Services, in accordance with the principle of least privilege.
3.3. Security Measures
Transcribe Health implements and maintains appropriate technical and organizational measures to protect Personal Information against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in Schedule B to this Agreement and include, without limitation: AES-256 encryption for data at rest; TLS 1.2 or higher for data in transit; multi-factor authentication for all user accounts; role-based access controls with the principle of least privilege; comprehensive audit logging of all access to Personal Information; automated session timeouts; regular vulnerability assessments; and documented incident response procedures.
Transcribe Health shall regularly test, assess, and evaluate the effectiveness of these technical and organizational measures and shall update them as necessary to maintain an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects.
3.4. Sub-processing
The Customer provides general authorization for Transcribe Health to engage Sub-processors for the purposes of delivering the Services. The current list of Sub-processors is set out in Schedule C to this Agreement and is available at transcribe.health/legal/dpa. Transcribe Health shall provide at least thirty (30) days' advance written notice before engaging any new Sub-processor or replacing an existing one. The Customer shall have thirty (30) days from receipt of such notice to object on reasonable grounds. If the Customer objects and Transcribe Health cannot reasonably accommodate the objection, the Customer may terminate the affected Services without penalty.
Transcribe Health shall impose on each Sub-processor, by way of a written contract, the same data protection obligations as those set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of applicable data protection law, including GDPR Article 28(4). Where a Sub-processor fails to fulfil its data protection obligations, Transcribe Health shall remain liable to the Customer for the performance of that Sub-processor's obligations, subject to the limitations of liability in §10.
3.5. Assistance with Data Subject Rights
Transcribe Health shall assist the Customer, by appropriate technical and organizational measures and insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights. Given the nature of the Services, the Customer retains direct control over session, transcript, clinical-document, and Assistant-conversation data through the platform interface and may locate, export, correct, restrict, or delete Personal Information without requiring Transcribe Health's intervention. Where a request cannot be satisfied through self-service tooling, Transcribe Health shall provide reasonable assistance upon the Customer's documented request.
The rights with respect to which Transcribe Health provides assistance include: under PIPEDA and applicable provincial legislation (including Quebec Law 25, BC PIPA, and Alberta PIPA) — access to and correction of Personal Information; withdrawal of consent; deindexation and the cessation of dissemination under Quebec Law 25 §7; and information about automated decision-making under Quebec Law 25 §12.1. Under the GDPR and UK GDPR (for EU/UK data subjects): the right of access (Article 15) — satisfied through export of a Data Subject's records; rectification (Article 16) — satisfied through in-platform editing of transcripts and clinical notes; erasure (Article 17) — satisfied through deletion tooling and the deletion procedures in §3.7, subject to the mandatory retention periods set out in §3.7 and to Transcribe Health's and the Customer's overriding legal-retention obligations; restriction of processing (Article 18); data portability (Article 20) — satisfied through export in a commonly used, machine-readable format; objection (Article 21); and rights relating to automated individual decision-making, including profiling (Article 22). For clarity, where a Data Subject requests erasure of Personal Information that Transcribe Health or the Customer is required by law to retain (including audio and transcript records subject to the retention periods in §3.7), the data will be restricted from active processing and deleted only upon expiry of the applicable mandatory retention period, in accordance with GDPR Article 17(3)(b) and equivalent provisions of Canadian law.
Automated decision-making (Article 22; Quebec Law 25 §12.1; for EU/UK data subjects and Quebec residents where applicable). The Services apply automated processing to generate draft transcriptions, clinical documentation, and Assistant-chat responses. None of these constitutes a decision based solely on automated processing that produces legal effects concerning a Data Subject or similarly significantly affects them. All AI-generated output is a draft intended for review, correction, and approval by a qualified healthcare professional before it is relied upon or entered into a medical record; a human is in the loop at the point of every clinically significant decision. Transcribe Health does not make solely automated decisions about Data Subjects on the Customer's behalf. Transcribe Health shall provide the Customer with reasonable information about the logic involved and the categories of input used, to the extent such information is available to Transcribe Health from its AI Sub-processors and necessary for the Customer to respond to a Data Subject's Article 22 or §12.1 request.
Transcribe Health shall also provide reasonable information and assistance to support a Privacy Impact Assessment that the Customer is required to conduct, including any assessment required under Quebec Law 25 §17 in respect of the transfer of Personal Information of Quebec residents outside Quebec, and any Data Protection Impact Assessment under §3.5b.
3.5b. Data Protection Impact Assessments and Prior Consultation
Taking into account the nature of the processing and the information available to it, Transcribe Health shall provide the Customer with reasonably necessary information, documentation, and assistance to enable the Customer to (a) carry out Data Protection Impact Assessments under GDPR Article 35 and equivalent assessments under applicable law, including the high-risk processing inherent in AI-assisted clinical documentation; (b) consult with a Supervisory Authority under GDPR Article 36 where the Customer is required to do so; and (c) respond to inquiries, investigations, audits, or orders from a Supervisory Authority. Such assistance is provided at the Customer's reasonable request and to the extent the relevant information is within Transcribe Health's possession or control. Transcribe Health maintains, and makes available through its Trust Center, security documentation, sub-processor information, and Transfer Impact Assessment summaries intended to support these assessments. (Applicable to EU/UK data subjects and Quebec residents where applicable.)
3.6. Breach Notification
In the event of a Security Incident involving Personal Information processed under this Agreement, Transcribe Health shall notify the Customer without undue delay, and in any event within five (5) business days of becoming aware of the Security Incident, and earlier where reasonably feasible given the severity of the incident and the Customer's own notification deadlines under applicable law. A "Security Incident" for this purpose includes a breach of security safeguards under PIPEDA, a confidentiality incident under Quebec Law 25 §3.5, and a personal data breach under GDPR Article 4(12) (where applicable). The initial notification shall include, to the extent reasonably available and consistent with GDPR Article 33(3): (a) a description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of records concerned; (b) the name and contact details of Transcribe Health's designated incident response contact (the Security Officer); (c) a description of the likely consequences of the Security Incident; and (d) a description of the measures taken or proposed to be taken to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects. Where it is not possible to provide all of this information at once, it may be provided in phases without further undue delay, and Transcribe Health shall supplement the initial notification as further information becomes available.
This five-business-day notice obligation runs to the Customer and applies in addition to, and is consistent with, Transcribe Health's breach-notification obligations as a Business Associate under the Business Associate Agreement, which likewise require notice to the Customer within five (5) business days of discovery. Nothing in this Section alters the Customer's own obligation, as a Covered Entity or controller, to notify affected individuals and regulators within the timeframes required of the Customer by HIPAA (including the 60-day individual-notification deadline under 45 C.F.R. §164.404), PIPEDA, Quebec Law 25, BC PIPA, Alberta PIPA, the GDPR, or other applicable law. Following the initial notification, Transcribe Health shall provide the Customer with regular status updates at reasonable intervals until the incident is resolved. Transcribe Health shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such Security Incident, including preserving and providing forensic evidence and logs.
3.7. Deletion and Return of Data
Upon termination of the Services or upon the Customer's request, Transcribe Health shall, at the Customer's election, either return to the Customer all Personal Information in a commonly used, machine-readable format or delete all Personal Information processed on behalf of the Customer, including copies held by Sub-processors and in backup systems. Deletion from active systems shall be completed within thirty (30) days of the request, and from backup systems within ninety (90) days. Independently of any deletion request, the platform enforces mandatory default retention windows on every Customer organization: audio recordings are automatically and permanently deleted ninety (90) days after transcription is completed, and transcript and session records are retained for seven (7) years (subject to a six-year HIPAA minimum) and then automatically deleted. The Customer may also delete Sessions, audio recordings, transcription text, and clinical documents earlier, and — where the Customer has enabled the optional automatic retention policy (configurable in 1-day to 30-day windows and disabled by default) — that policy triggers earlier deletion. Audit logs are retained for at least six (6) years to satisfy HIPAA Security Rule documentation requirements (45 CFR 164.312(b) and 164.530(j)).
Upon completion of deletion, Transcribe Health shall provide the Customer with written certification confirming that all Personal Information has been deleted in accordance with this section, including confirmation that Sub-processors have completed their deletion obligations.
3.8. Audit Rights
Transcribe Health shall make available to the Customer all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Transcribe Health shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes PIPEDA or other applicable data protection provisions.
Transcribe Health maintains a Trust Center at trust.transcribe.health where the Customer may review Transcribe Health's current security documentation, compliance status, sub-processor list, and, once available, third-party audit reports. The Customer's audit and inspection rights under this Section are satisfied by Transcribe Health making available, through the Trust Center, its SOC 2 Type II report and ISO 27001 certification and Statement of Applicability once such reports and certifications are issued, together with responses to a reasonable number of the Customer's written security questionnaires. Transcribe Health does not represent that it currently holds a SOC 2 Type II report or ISO 27001 certification; its SOC 2 Type II examination is in progress, and the Trust Center reflects current certification status. The Customer may exercise an on-site or independent third-party audit right beyond this only (a) where required by a binding order of a Supervisory Authority, (b) following a confirmed Security Incident affecting the Customer's Personal Information, or (c) where applicable data protection law confers a non-waivable audit right that this substitution cannot satisfy. Any such audit shall be conducted on reasonable prior written notice, during business hours, subject to confidentiality obligations, in a manner that does not compromise the security or privacy of other customers' data, and no more than once in any twelve-month period absent a Supervisory Authority order or confirmed Security Incident.
4. OBLIGATIONS OF THE CUSTOMER
4.1. Lawful Basis for Processing
The Customer warrants that it has obtained all necessary consents, authorizations, and legal bases required under PIPEDA, applicable provincial privacy legislation, and HIPAA for the collection and processing of Personal Information through the Services. The Customer is responsible for providing appropriate notice to Data Subjects regarding the use of AI-powered transcription services.
4.2. Instructions
The Customer is responsible for ensuring that its processing instructions to Transcribe Health comply with all applicable data protection laws. The Customer shall not instruct Transcribe Health to process Personal Information in a manner that would violate PIPEDA, HIPAA, or any other applicable law.
4.3. Data Accuracy
The Customer is responsible for the accuracy of Personal Information provided to Transcribe Health and for updating or correcting such information as necessary. The Customer acknowledges that AI transcription may contain inaccuracies and is responsible for reviewing and correcting transcription output before incorporating it into permanent medical records.
4.4. Privacy and Impact Assessments
The Customer is responsible for conducting any Data Protection Impact Assessment, Privacy Impact Assessment, or equivalent assessment required of it as controller under applicable law before initiating processing through the Services, including (a) any Data Protection Impact Assessment required under GDPR Article 35 for high-risk processing (where applicable), and (b) any Privacy Impact Assessment required under Quebec Law 25 §17 in respect of communicating or transferring Personal Information of Quebec residents outside Quebec, including to Transcribe Health's infrastructure or its Sub-processors. Transcribe Health shall provide reasonable cooperation and information to support such assessments in accordance with §3.5 and §3.5b.
5. CROSS-BORDER TRANSFERS
5.1. Data Storage
All persistent data (databases, files, backups) is stored in Canada on infrastructure controlled by Transcribe Health. The Customer's Personal Information at rest does not leave Canadian jurisdiction.
5.2. AI Processing Transfers
To provide AI-powered transcription, audio data and text may be transmitted to AI service providers with API endpoints located in the United States. These transfers are temporary, in-transit only, and subject to the following safeguards: data is encrypted using TLS 1.2 or higher during transmission; AI providers are contractually prohibited from retaining, storing, or using Personal Information beyond the immediate processing request; AI providers are bound by Business Associate Agreements where applicable; and transfers are limited to the minimum data necessary to perform the transcription.
Transcribe Health has conducted a Transfer Impact Assessment for these cross-border transfers and has determined that, with the contractual, technical, and organizational safeguards in place, the transfers provide a comparable level of protection to that required under PIPEDA Principle 4.1.3.
Transcribe Health has conducted, and maintains, a dedicated Transfer Impact Assessment for the cross-border processing involved in the standalone Assistant chat feature, addressing the categories of data transmitted to the contracted AI Sub-processor, the zero-retention contractual terms, the PHI-scrubbing applied to external medical-literature queries, and the residual-risk analysis for the United States endpoint. A summary of this assessment is available to the Customer through the Trust Center on request.
5.3. Transparency
The Customer may request information about the specific jurisdictions in which Personal Information is processed. The current list of Sub-processors and their jurisdictions is set out in Schedule C.
6. AI-SPECIFIC PROVISIONS
6.1. No Model Training
Transcribe Health does not use Personal Information processed under this Agreement to train, fine-tune, or improve any artificial intelligence or machine learning models. All AI processing is performed using pre-trained models provided by Sub-processors who are contractually bound by the same restriction.
6.2. AI Output Accuracy
The Customer acknowledges that AI-generated transcriptions and clinical documentation are produced by automated systems and may contain errors, omissions, or inaccuracies. Transcribe Health does not guarantee the accuracy of AI-generated output. The Customer is solely responsible for reviewing, verifying, and approving all AI-generated content before incorporating it into medical records or relying on it for clinical decision-making.
6.3. Human Oversight
The Services are designed to augment, not replace, the professional judgment of healthcare providers. The Customer shall ensure that qualified healthcare professionals review all AI-generated output before it is finalized. Transcribe Health provides tools within the platform for reviewing and editing transcriptions and clinical notes.
7. GOVERNMENT AND LAW ENFORCEMENT REQUESTS
7.1. Notification
If Transcribe Health receives a request from a government authority or law enforcement agency for access to Personal Information processed on behalf of the Customer, Transcribe Health shall promptly notify the Customer of the request before disclosing any data, unless such notification is prohibited by applicable law. Where notification is prohibited, Transcribe Health shall use commercially reasonable efforts to challenge the prohibition and to redirect the requesting authority to obtain the data directly from the Customer.
7.2. Minimum Disclosure
In the event that Transcribe Health is compelled by law to disclose Personal Information to a government authority, Transcribe Health shall disclose only the minimum amount of information required to satisfy the legal obligation and shall use commercially reasonable efforts to protect the confidentiality of the disclosed information.
8. HIPAA BUSINESS ASSOCIATE PROVISIONS
Where the Customer is a Covered Entity or Business Associate under HIPAA, the terms of the Business Associate Agreement (available at transcribe.health/legal/baa) are incorporated by reference into this Agreement. In the event of a conflict between this Agreement and the Business Associate Agreement with respect to the handling of Protected Health Information, the Business Associate Agreement shall prevail.
9. INSURANCE
Transcribe Health is procuring cyber-liability and technology errors-and-omissions insurance appropriate to the nature and scale of the Services and intends to maintain such coverage once bound. Transcribe Health makes no representation in this Agreement as to any specific coverage amount or that any such policy is currently in force, and any reference to insurance shall not be construed as a guarantee of coverage, an admission of liability, or a substitute for the limitations of liability in §10. Upon the Customer's written request following the binding of a policy, Transcribe Health shall confirm the existence and general scope of its then-current coverage, subject to the confidentiality terms of this Agreement.
10. LIABILITY AND INDEMNIFICATION
10.1. Liability
Each party shall be liable for damages caused by processing that infringes applicable data protection laws. Transcribe Health shall be liable for damages caused by processing that does not comply with this Agreement or that is outside of or contrary to the Customer's lawful instructions.
10.2. Indemnification
Transcribe Health shall indemnify, defend, and hold harmless the Customer from and against any third-party claims, damages, losses, and expenses (including reasonable legal fees) arising from Transcribe Health's breach of this Agreement, its negligent or wrongful processing of Personal Information, or its failure to comply with applicable data protection laws. The Customer shall indemnify, defend, and hold harmless Transcribe Health from and against any third-party claims arising from the Customer's unlawful processing instructions, failure to obtain required consents, or breach of the Customer's obligations under this Agreement.
10.3. Limitation
Except as set out in this Section, the total aggregate liability of either party arising out of or in connection with this Agreement, the Business Associate Agreement, and the Terms of Service shall be subject to, and shall not exceed, the single combined limitation of liability set out in the Terms of Service, which applies as one shared cap across this Agreement, the Business Associate Agreement, and the Terms of Service. For the avoidance of doubt, this Agreement does not establish any separate or higher liability cap specific to Personal Information or Protected Health Information; the Terms of Service cap governs, including in respect of (i) Security Incidents and breaches of confidentiality affecting Personal Information, and (ii) a party's indemnification obligations under §10.2, including claims and administrative fines flowing from a Data Subject or a Supervisory Authority under GDPR Article 82 (where applicable).
The Terms of Service cap shall not apply only to liability that cannot lawfully be excluded or limited under applicable law, including liability for death or personal injury caused by a party's negligence and liability for fraud or fraudulent misrepresentation. Nothing in this Section operates to limit or exclude any liability to the extent such limitation or exclusion is prohibited by the mandatory provisions of applicable data protection law.
11. TERM AND TERMINATION
11.1. Term
This Agreement shall commence on the date the Customer accepts the Terms of Service and shall continue for as long as Transcribe Health processes Personal Information on behalf of the Customer.
11.2. Termination for Material Security Deficiency
If an audit or assessment reveals a material security deficiency in Transcribe Health's processing of Personal Information, and Transcribe Health fails to remediate the deficiency within thirty (30) days of receiving written notice, the Customer may terminate this Agreement and the related Services without penalty.
11.3. Survival
The following obligations shall survive the termination or expiry of this Agreement for as long as Transcribe Health retains any Personal Information of the Customer and thereafter to the extent required by applicable law: the obligations with respect to the confidentiality and security of Personal Information; the return or deletion of Personal Information under §3.7; assistance with and cooperation in audits and Supervisory Authority inquiries under §3.5b and §3.8; breach notification and incident-assistance obligations under §3.6 with respect to Security Incidents affecting Personal Information processed during the term; the limitations of liability and indemnification under §10; and the provisions of the Business Associate Agreement.
12. GENERAL PROVISIONS
12.1. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of laws principles.
12.2. Amendments and Regulatory Changes
Transcribe Health may update this Agreement from time to time to reflect changes in its processing activities, Sub-processors, or applicable law. Material changes will be communicated to the Customer with at least thirty (30) days' advance written notice. Continued use of the Services after such notice constitutes acceptance of the updated Agreement. In the event that new data protection legislation or regulatory guidance materially affects the obligations of either party under this Agreement, both parties shall negotiate in good faith to amend this Agreement to ensure continued compliance.
12.3. Severability
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.4. Entire Agreement
This Agreement, together with the Terms of Service, Privacy Policy, Business Associate Agreement, and (where applicable) the California Consumer Privacy Addendum in §13, constitutes the entire agreement between the parties with respect to the processing of Personal Information and supersedes all prior agreements, representations, and understandings relating to data processing.
13. CALIFORNIA CONSUMER PRIVACY ADDENDUM
This Section applies where, and to the extent that, the Customer is a "business" and Transcribe Health processes the Personal Information of California residents on the Customer's behalf, within the meaning of the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, "CCPA"). Terms used in this Section and defined in the CCPA have the meanings given there.
13.1. Service Provider Status
The parties acknowledge that Transcribe Health is a "Service Provider" as defined in CCPA §1798.140(ag), processing Personal Information that the Customer discloses to it for the limited and specified business purpose of providing the Services under the Terms of Service.
13.2. Restrictions on Use
Transcribe Health shall not: (a) sell or share (as those terms are defined in the CCPA) Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the specific business purpose of performing the Services, or as otherwise permitted by the CCPA; (c) retain, use, or disclose Personal Information outside the direct business relationship between the parties; or (d) combine Personal Information received from or on behalf of the Customer with Personal Information that Transcribe Health receives from or on behalf of any other person, or collects from its own interaction with a consumer, except as permitted under CCPA §1798.140(ag)(1)(D) and its implementing regulations. Transcribe Health certifies that it understands and will comply with the restrictions in this Section.
13.3. Consumer Rights Assistance
Transcribe Health shall provide reasonable assistance to enable the Customer, as the business, to honor verifiable consumer requests to know, access, correct, and delete Personal Information, and to honor requests to limit the use and disclosure of sensitive personal information, in accordance with §3.5.
13.4. Sub-processors
Transcribe Health shall engage Sub-processors that process Personal Information of California residents only under a written contract that binds them to the equivalent restrictions and obligations set out in this Section, as required by CCPA §1798.140(ag)(1).
13.5. Compliance and Notice
Transcribe Health shall comply with its obligations as a Service Provider under the CCPA and shall notify the Customer if it determines that it can no longer meet those obligations. The Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
SCHEDULES
SCHEDULE A: PROCESSING DETAILS
| Subject Matter | AI-powered transcription of healthcare consultations, generation of clinical documentation, and operation of the standalone Assistant chat feature (evidence-based clinical Q&A with literature citations) |
| Duration | For the term of the Customer's subscription to the Services. By default, and regardless of any optional retention policy, audio recordings are automatically and permanently deleted 90 days after transcription is completed, and transcript and session records are retained for seven (7) years (subject to a six-year HIPAA minimum) and then automatically deleted. These default windows apply to every organization and are enforced automatically by the platform. The Customer may optionally enable an earlier automatic-deletion policy, configurable from 1 to 30 days and disabled by default, which deletes Content earlier than the default windows. |
| Nature of Processing | Automated transcription of audio recordings, temporary audio storage, persistent text storage, AI-generated clinical note creation, and operation of the standalone Assistant chat: receipt of user-submitted clinical questions (which may include patient context), retrieval of excerpts from public medical literature sources, transmission of the question and prior conversation context to a zero-retention AI sub-processor for inference, return of an AI-generated answer with literature citations, and persistent storage of the resulting conversation and message history |
| Purpose | To provide the Customer with transcription, clinical documentation, and clinical-intelligence (Assistant chat) services as described in the Terms of Service |
| Categories of Data Subjects | Patients, healthcare providers, and other individuals whose information is captured during recorded consultations or included by Authorized Users in Assistant questions |
| Categories of Personal Information | Health information (symptoms, diagnoses, treatments, medications, medical history), patient identifiers (names, dates of birth as mentioned), provider identifiers, free-text clinical questions and any patient context submitted to the Assistant chat, AI-generated answers and the literature citations attached to them, conversation titles, and message history |
| Sensitive Data | Health information constituting sensitive personal information under PIPEDA (and Quebec Law 25), special-category data under GDPR Article 9 (health data), and Protected Health Information under HIPAA. The Assistant chat may receive such sensitive data through free-text questions if Authorized Users elect to include patient context. |
SCHEDULE B: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Encryption
- AES-256 encryption for all data at rest (databases, file storage, backups)
- TLS 1.2 or higher for all data in transit
- Encrypted database connections between application services
- Key management: encryption keys are managed separately from the data they protect, with access restricted to the Security Officer and the platform's automated key-handling components. Per-session symmetric keys used for browser-side capture are generated and scoped per session and are not reused across sessions.
Access Control
- Multi-factor authentication required for all user accounts
- Role-based access control (RBAC) with capability-based permissions
- Principle of least privilege enforced across all services
- Automated session timeout after period of inactivity
- Organization-level data isolation in multi-tenant architecture
Monitoring and Logging
- Comprehensive audit logging of all access to Personal Information
- PHI access logging with separate retention (6 years)
- Real-time security event monitoring
- Automated alerting for suspicious activity
Infrastructure Security
- Self-hosted Kubernetes infrastructure in Canada
- Network segmentation with firewall rules
- High-availability architecture with automatic failover
- Regular security patching and vulnerability management
Data Management
- Configurable data retention with automatic deletion
- Backup integrity: encrypted backups are subject to periodic restore validation to confirm recoverability and integrity
- Bounded backup lifecycle: residual encrypted backup copies age out on a bounded, automated cycle following deletion from active systems, consistent with the retention periods in §3.7
- Secure data deletion procedures
Pseudonymisation and Data Minimisation
- De-identified literature index: the Assistant retrieval index holds only de-identified medical-literature metadata; raw patient questions are not transmitted to external research APIs, which receive only PHI-scrubbed query variants
- Minimisation of cross-border payloads: only the minimum data necessary for AI inference is transmitted to AI Sub-processors, under zero-retention terms
- Tenant and user isolation: Assistant conversations are scoped to a single Authorized User within a single Customer organization and are not combined across users, conversations, or organizations
Organizational Measures
- Security Officer (the founder), serving as the HIPAA Security Officer and privacy contact
- Documented security policies and procedures
- Annual security awareness training (scheduled in the compliance calendar)
- Documented incident response plan with defined escalation procedures
- Regular risk assessments and security evaluations
- Business Associate Agreements with all Sub-processors handling PHI
SCHEDULE C: LIST OF SUB-PROCESSORS
The following Sub-processors are authorized to process Personal Information on behalf of the Customer as of the effective date of this Agreement. This list is reconciled to, and kept consistent with, the canonical sub-processor list published at the Transcribe Health Trust Center (trust.transcribe.health). Any references to certifications below are to the named Sub-processor's own third-party attestations, not to certifications held by Transcribe Health.
Google Cloud Platform / Vertex AI
Anthropic
Stripe
Cloudflare
GitHub
Contact Information
Transcribe Health Corporation Security Officer: hello@transcribe.health
By accepting this Data Processing Agreement, the Customer acknowledges that it has read, understood, and agrees to be bound by its terms, including the Schedules annexed hereto.