DATA PROCESSING AGREEMENT
This Data Processing Agreement ("Agreement") forms part of the Terms of Service between the healthcare provider or organization ("Customer") and Transcribe Health Corporation ("Transcribe Health"), a corporation incorporated under the federal laws of Canada. This Agreement sets out the terms under which Transcribe Health processes Personal Information on behalf of the Customer in connection with the Services.
This Agreement is made pursuant to PIPEDA Principle 4.1.3, which requires that an organization transferring personal information to a third party for processing ensure a comparable level of protection while the information is being processed. Where the Customer is subject to HIPAA, this Agreement operates in conjunction with the Business Associate Agreement.
Effective Date: March 31, 2026
1. DEFINITIONS AND INTERPRETATION
In this Data Processing Agreement, the following terms have the meanings set out below. Where a term is defined in PIPEDA or the HIPAA Rules, the statutory definition shall prevail to the extent of any inconsistency.
- "Agreement" means this Data Processing Agreement, including all Schedules annexed hereto.
- "Customer" means the healthcare provider, clinic, or other organization that has entered into the Terms of Service with Transcribe Health and on whose behalf Personal Information is processed.
- "Data Subject" means the individual to whom Personal Information relates, including patients whose consultations are transcribed through the Services.
- "Personal Information" means information about an identifiable individual, as defined in section 2(1) of PIPEDA, including health information and Protected Health Information as defined under HIPAA.
- "Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Services" means the AI-powered medical transcription platform and related services provided by Transcribe Health to Customer under the Terms of Service.
- "Sub-processor" means any third party engaged by Transcribe Health to process Personal Information on behalf of the Customer.
- "Transcribe Health" means Transcribe Health Corporation, a corporation incorporated under the federal laws of Canada, acting as the processor of Personal Information on behalf of the Customer.
2. SCOPE AND PURPOSE OF PROCESSING
2.1. Purpose Limitation
Transcribe Health processes Personal Information solely for the purpose of providing the Services described in the Terms of Service. This processing is limited to: (a) receiving and temporarily storing audio recordings of healthcare consultations; (b) transcribing audio recordings into text using artificial intelligence; (c) generating clinical documentation from transcriptions; and (d) storing transcriptions and generated documents for the retention period configured by the Customer.
Transcribe Health shall not process Personal Information for any purpose other than those specified in this Agreement and the Terms of Service, unless required to do so by applicable law. In such a case, Transcribe Health shall inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
2.2. Nature of the Processing
The processing consists of automated transcription of audio recordings containing doctor-patient consultations using artificial intelligence models, temporary storage of audio files, persistent storage of transcription text, and generation of structured clinical notes. Audio recordings are automatically deleted based on the Customer's configured retention period (default: 30 days). Transcription text and clinical documents are retained until deleted by the Customer or until the retention period expires.
2.3. Categories of Personal Information
The Personal Information processed under this Agreement includes: patient names and identifiers mentioned during consultations; health information including symptoms, diagnoses, treatment plans, medications, and medical history discussed during consultations; healthcare provider names and professional identifiers; and any other personal information verbally communicated during recorded consultations.
2.4. Categories of Data Subjects
Data Subjects whose Personal Information is processed under this Agreement include: patients whose healthcare consultations are recorded and transcribed; healthcare providers (physicians, nurses, specialists) who participate in recorded consultations; and other individuals whose information may be incidentally captured during recorded consultations.
3. OBLIGATIONS OF TRANSCRIBE HEALTH
3.1. Compliance with Instructions
Transcribe Health shall process Personal Information only on documented instructions from the Customer, including with regard to transfers of Personal Information outside of Canada. The Terms of Service, this Agreement, and the Customer's configuration of the Services constitute the Customer's complete instructions for the processing of Personal Information. Any additional or alternative instructions must be agreed upon separately in writing.
3.2. Confidentiality
Transcribe Health shall ensure that all persons authorized to process Personal Information have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Personal Information is restricted to personnel who require access to perform the Services, in accordance with the principle of least privilege.
3.3. Security Measures
Transcribe Health implements and maintains appropriate technical and organizational measures to protect Personal Information against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in Schedule B to this Agreement and include, without limitation: AES-256 encryption for data at rest; TLS 1.2 or higher for data in transit; multi-factor authentication for all user accounts; role-based access controls with the principle of least privilege; comprehensive audit logging of all access to Personal Information; automated session timeouts; regular vulnerability assessments; and documented incident response procedures.
Transcribe Health shall regularly test, assess, and evaluate the effectiveness of these technical and organizational measures and shall update them as necessary to maintain an appropriate level of security, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects.
3.4. Sub-processing
The Customer provides general authorization for Transcribe Health to engage Sub-processors for the purposes of delivering the Services. The current list of Sub-processors is set out in Schedule C to this Agreement and is available at transcribe.health/legal/dpa. Transcribe Health shall provide at least thirty (30) days' advance written notice before engaging any new Sub-processor or replacing an existing one. The Customer shall have thirty (30) days from receipt of such notice to object on reasonable grounds. If the Customer objects and Transcribe Health cannot reasonably accommodate the objection, the Customer may terminate the affected Services without penalty.
Transcribe Health shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this Agreement. Transcribe Health shall remain liable to the Customer for the acts and omissions of each Sub-processor to the same extent as if Transcribe Health were performing the services of each Sub-processor directly.
3.5. Assistance with Data Subject Rights
Transcribe Health shall assist the Customer, by appropriate technical and organizational measures, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under PIPEDA (including access, correction, and withdrawal of consent) and under applicable provincial privacy legislation. Given the nature of the Services, the Customer retains direct control over session data through the platform interface and may access, correct, or delete Personal Information without requiring Transcribe Health's intervention.
3.6. Breach Notification
In the event of a security breach involving Personal Information processed under this Agreement, Transcribe Health shall notify the Customer without unreasonable delay and in any event within forty-eight (48) hours of becoming aware of the breach. The initial notification shall include, to the extent reasonably available: a description of the nature of the breach including the categories and approximate number of Data Subjects affected; the name and contact details of Transcribe Health's designated incident response contact; a description of the likely consequences of the breach; and a description of the measures taken or proposed to be taken to address the breach. Where full details are not available within the initial notification window, Transcribe Health shall provide a preliminary notification and supplement it with additional information as it becomes available.
Following the initial notification, Transcribe Health shall provide the Customer with regular status updates at least every twenty-four (24) hours until the incident is resolved. Transcribe Health shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach, including preserving and providing forensic evidence and logs. This notification obligation is in addition to, and does not replace, the obligations under the HIPAA Breach Notification Rule set out in the Business Associate Agreement.
3.7. Deletion and Return of Data
Upon termination of the Services or upon the Customer's request, Transcribe Health shall, at the Customer's election, either return to the Customer all Personal Information in a commonly used, machine-readable format or delete all Personal Information processed on behalf of the Customer, including copies held by Sub-processors and in backup systems. Deletion from active systems shall be completed within thirty (30) days of the request, and from backup systems within ninety (90) days. Audio recordings are automatically deleted based on the Customer's retention settings. Transcription data and clinical documents are deleted when the Customer deletes sessions or when the configured retention period expires. Audit logs are retained for six years as required by HIPAA.
Upon completion of deletion, Transcribe Health shall provide the Customer with written certification confirming that all Personal Information has been deleted in accordance with this section, including confirmation that Sub-processors have completed their deletion obligations.
3.8. Audit Rights
Transcribe Health shall make available to the Customer all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Transcribe Health shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes PIPEDA or other applicable data protection provisions.
Transcribe Health maintains a Trust Center at trust.transcribe.health where the Customer may review current security certifications, compliance documentation, and audit reports. This Trust Center serves as the primary mechanism for ongoing compliance verification.
4. OBLIGATIONS OF THE CUSTOMER
4.1. Lawful Basis for Processing
The Customer warrants that it has obtained all necessary consents, authorizations, and legal bases required under PIPEDA, applicable provincial privacy legislation, and HIPAA for the collection and processing of Personal Information through the Services. The Customer is responsible for providing appropriate notice to Data Subjects regarding the use of AI-powered transcription services.
4.2. Instructions
The Customer is responsible for ensuring that its processing instructions to Transcribe Health comply with all applicable data protection laws. The Customer shall not instruct Transcribe Health to process Personal Information in a manner that would violate PIPEDA, HIPAA, or any other applicable law.
4.3. Data Accuracy
The Customer is responsible for the accuracy of Personal Information provided to Transcribe Health and for updating or correcting such information as necessary. The Customer acknowledges that AI transcription may contain inaccuracies and is responsible for reviewing and correcting transcription output before incorporating it into permanent medical records.
5. CROSS-BORDER TRANSFERS
5.1. Data Storage
All persistent data (databases, files, backups) is stored in Canada on infrastructure controlled by Transcribe Health. The Customer's Personal Information at rest does not leave Canadian jurisdiction.
5.2. AI Processing Transfers
To provide AI-powered transcription, audio data and text may be transmitted to AI service providers with API endpoints located in the United States. These transfers are temporary, in-transit only, and subject to the following safeguards: data is encrypted using TLS 1.2 or higher during transmission; AI providers are contractually prohibited from retaining, storing, or using Personal Information beyond the immediate processing request; AI providers are bound by Business Associate Agreements where applicable; and transfers are limited to the minimum data necessary to perform the transcription.
Transcribe Health has conducted a Transfer Impact Assessment for these cross-border transfers and has determined that, with the contractual, technical, and organizational safeguards in place, the transfers provide a comparable level of protection to that required under PIPEDA Principle 4.1.3.
5.3. Transparency
The Customer may request information about the specific jurisdictions in which Personal Information is processed. The current list of Sub-processors and their jurisdictions is set out in Schedule C.
6. AI-SPECIFIC PROVISIONS
6.1. No Model Training
Transcribe Health does not use Personal Information processed under this Agreement to train, fine-tune, or improve any artificial intelligence or machine learning models. All AI processing is performed using pre-trained models provided by Sub-processors who are contractually bound by the same restriction.
6.2. AI Output Accuracy
The Customer acknowledges that AI-generated transcriptions and clinical documentation are produced by automated systems and may contain errors, omissions, or inaccuracies. Transcribe Health does not guarantee the accuracy of AI-generated output. The Customer is solely responsible for reviewing, verifying, and approving all AI-generated content before incorporating it into medical records or relying on it for clinical decision-making.
6.3. Human Oversight
The Services are designed to augment, not replace, the professional judgment of healthcare providers. The Customer shall ensure that qualified healthcare professionals review all AI-generated output before it is finalized. Transcribe Health provides tools within the platform for reviewing and editing transcriptions and clinical notes.
7. GOVERNMENT AND LAW ENFORCEMENT REQUESTS
7.1. Notification
If Transcribe Health receives a request from a government authority or law enforcement agency for access to Personal Information processed on behalf of the Customer, Transcribe Health shall promptly notify the Customer of the request before disclosing any data, unless such notification is prohibited by applicable law. Where notification is prohibited, Transcribe Health shall use commercially reasonable efforts to challenge the prohibition and to redirect the requesting authority to obtain the data directly from the Customer.
7.2. Minimum Disclosure
In the event that Transcribe Health is compelled by law to disclose Personal Information to a government authority, Transcribe Health shall disclose only the minimum amount of information required to satisfy the legal obligation and shall use commercially reasonable efforts to protect the confidentiality of the disclosed information.
8. HIPAA BUSINESS ASSOCIATE PROVISIONS
Where the Customer is a Covered Entity or Business Associate under HIPAA, the terms of the Business Associate Agreement (available at transcribe.health/legal/baa) are incorporated by reference into this Agreement. In the event of a conflict between this Agreement and the Business Associate Agreement with respect to the handling of Protected Health Information, the Business Associate Agreement shall prevail.
9. INSURANCE
Transcribe Health maintains, at its own expense, insurance coverage appropriate for a healthcare technology provider processing sensitive personal and health information, including commercial general liability insurance, technology errors and omissions insurance, and cyber liability insurance covering data breaches, network security failures, and privacy-related claims. Transcribe Health shall maintain such coverage for the duration of this Agreement and for a period of two (2) years following its termination. Evidence of current insurance coverage shall be made available to the Customer upon written request.
10. LIABILITY AND INDEMNIFICATION
10.1. Liability
Each party shall be liable for damages caused by processing that infringes applicable data protection laws. Transcribe Health shall be liable for damages caused by processing that does not comply with this Agreement or that is outside of or contrary to the Customer's lawful instructions.
10.2. Indemnification
Transcribe Health shall indemnify, defend, and hold harmless the Customer from and against any third-party claims, damages, losses, and expenses (including reasonable legal fees) arising from Transcribe Health's breach of this Agreement, its negligent or wrongful processing of Personal Information, or its failure to comply with applicable data protection laws. The Customer shall indemnify, defend, and hold harmless Transcribe Health from and against any third-party claims arising from the Customer's unlawful processing instructions, failure to obtain required consents, or breach of the Customer's obligations under this Agreement.
10.3. Limitation
Except in cases of willful misconduct, gross negligence, or breach of confidentiality obligations relating to Personal Information, the total aggregate liability of either party under this Agreement shall be subject to the limitations set out in the Terms of Service. Nothing in this Agreement excludes or limits either party's liability for death or personal injury caused by negligence, fraud, or any liability that cannot be excluded or limited by applicable law.
11. TERM AND TERMINATION
11.1. Term
This Agreement shall commence on the date the Customer accepts the Terms of Service and shall continue for as long as Transcribe Health processes Personal Information on behalf of the Customer.
11.2. Termination for Material Security Deficiency
If an audit or assessment reveals a material security deficiency in Transcribe Health's processing of Personal Information, and Transcribe Health fails to remediate the deficiency within thirty (30) days of receiving written notice, the Customer may terminate this Agreement and the related Services without penalty.
11.3. Survival
The obligations of Transcribe Health with respect to the confidentiality and security of Personal Information, the return or deletion of Personal Information, indemnification, and the provisions of the Business Associate Agreement shall survive the termination of this Agreement.
12. GENERAL PROVISIONS
12.1. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of laws principles.
12.2. Amendments and Regulatory Changes
Transcribe Health may update this Agreement from time to time to reflect changes in its processing activities, Sub-processors, or applicable law. Material changes will be communicated to the Customer with at least thirty (30) days' advance written notice. Continued use of the Services after such notice constitutes acceptance of the updated Agreement. In the event that new data protection legislation or regulatory guidance materially affects the obligations of either party under this Agreement, both parties shall negotiate in good faith to amend this Agreement to ensure continued compliance.
12.3. Severability
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.4. Entire Agreement
This Agreement, together with the Terms of Service, Privacy Policy, and Business Associate Agreement, constitutes the entire agreement between the parties with respect to the processing of Personal Information and supersedes all prior agreements, representations, and understandings relating to data processing.
SCHEDULES
SCHEDULE A: PROCESSING DETAILS
| Item | Details |
| --- | --- |
| Subject Matter | AI-powered transcription of healthcare consultations and generation of clinical documentation |
| Duration | For the term of the Customer's subscription to the Services |
| Nature of Processing | Automated transcription of audio recordings, temporary audio storage, persistent text storage, AI-generated clinical note creation |
| Purpose | To provide the Customer with transcription and clinical documentation services as described in the Terms of Service |
| Categories of Data Subjects | Patients, healthcare providers, and other individuals whose information is captured during recorded consultations |
| Categories of Personal Information | Health information (symptoms, diagnoses, treatments, medications, medical history), patient identifiers (names, dates of birth as mentioned), provider identifiers |
| Sensitive Data | Health information constituting sensitive personal information under PIPEDA and Protected Health Information under HIPAA |
SCHEDULE B: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Encryption
- AES-256 encryption for all data at rest (databases, file storage, backups)
- TLS 1.2 or higher for all data in transit
- Encrypted database connections between application services
Access Control
- Multi-factor authentication required for all user accounts
- Role-based access control (RBAC) with capability-based permissions
- Principle of least privilege enforced across all services
- Automated session timeout after period of inactivity
- Organization-level data isolation in multi-tenant architecture
Monitoring and Logging
- Comprehensive audit logging of all access to Personal Information
- PHI access logging with separate retention (6 years)
- Real-time security event monitoring
- Automated alerting for suspicious activity
Infrastructure Security
- Self-hosted Kubernetes infrastructure in Canada
- Network segmentation with firewall rules
- High-availability architecture with automatic failover
- Regular security patching and vulnerability management
Data Management
- Configurable data retention with automatic deletion
- Encrypted backups with tested restore procedures
- Secure data deletion procedures
Organizational Measures
- Designated Privacy Officer and HIPAA Security Officer
- Documented security policies and procedures
- Annual security awareness training for workforce
- Documented incident response plan with defined escalation procedures
- Regular risk assessments and security evaluations
- Business Associate Agreements with all Sub-processors handling PHI
SCHEDULE C: LIST OF SUB-PROCESSORS
The following Sub-processors are authorized to process Personal Information on behalf of the Customer as of the effective date of this Agreement:
- Google Cloud Platform (GCP)
- Anthropic
- Stripe
- Cloudflare
Contact Information
Transcribe Health Corporation
Privacy Officer: [email protected]
By accepting this Data Processing Agreement, the Customer acknowledges that it has read, understood, and agrees to be bound by its terms, including the Schedules annexed hereto.