DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between HEALinc (“Processor” or “Service Provider”) and the customer or user entity (“Customer” or “Controller”) governing the use of healinc.com (the “Platform”).

This DPA applies where HEALinc processes Personal Data on behalf of the Customer.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable individual.

  • “Processing” has the meaning given under applicable data protection laws.

  • “Applicable Data Protection Laws” includes GDPR, UK GDPR, CCPA/CPRA, and other similar laws.

  • “Sub-processor” means any third party engaged by HEALinc to process Personal Data.

2. Roles of the Parties

  • Customer acts as Controller of Personal Data.

  • HEALinc acts as Processor and processes Personal Data solely on documented instructions from Customer, unless otherwise required by law.

3. Scope and Purpose of Processing

HEALinc processes Personal Data only to:

  • Provide, operate, and maintain the Platform

  • Enable secure collaboration, file storage, and communication

  • Process transactions and account activity

  • Ensure platform security, integrity, and compliance

4. Data Types and Categories

Types of Personal Data

  • Contact and account identifiers

  • Authentication credentials

  • User-generated content and uploaded files

  • Transaction metadata

  • Technical and usage data

Categories of Data Subjects

  • Authorized users of the Platform

  • Employees, contractors, or members of Customer

5. Confidentiality

HEALinc ensures that:

  • Personnel authorized to process Personal Data are bound by confidentiality obligations

  • Access is limited to what is necessary for service delivery

6. Security Measures

HEALinc implements commercially reasonable administrative, technical, and organizational safeguards, including:

  • Access controls and authentication

  • Encryption in transit and at rest where appropriate

  • Monitoring, logging, and incident response procedures

  • Vendor and sub-processor risk management

7. Sub-processing

  • Customer authorizes HEALinc to engage Sub-processors as necessary.

  • HEALinc remains responsible for Sub-processor compliance.

  • Sub-processors are bound by written agreements providing equivalent data protection.

8. Data Subject Rights Assistance

HEALinc will reasonably assist Customer with:

  • Data access, correction, deletion, and portability requests

  • Regulatory inquiries or audits, to the extent legally required

9. Data Breach Notification

HEALinc will notify Customer without undue delay upon becoming aware of a confirmed Personal Data breach, including:

  • Nature of the breach

  • Categories of affected data

  • Mitigation actions taken

10. Data Retention and Deletion

  • Personal Data is retained only as long as necessary to provide the Platform and comply with legal obligations.

  • Upon termination, HEALinc will delete or return Personal Data within a commercially reasonable timeframe, unless retention is legally required.

11. Cross-Border Transfers

Where applicable, HEALinc uses recognized safeguards (e.g., Standard Contractual Clauses) for international data transfers.

12. Audit Rights

Upon reasonable notice and subject to confidentiality, HEALinc will provide information necessary to demonstrate compliance with this DPA.

13. Limitation of Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service.

14. Precedence

In the event of conflict, this DPA governs data protection obligations.

HIPAA-ADJACENT SAFE LANGUAGE (NON-HIPAA REPRESENTATION)

This section is designed to signal healthcare-grade diligence without falsely claiming HIPAA compliance.

HIPAA-Related Use Disclosure

HEALinc is not a Covered Entity or Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), unless expressly agreed to in a separate written Business Associate Agreement (“BAA”).

The Platform is not intended to store, process, or transmit Protected Health Information (“PHI”) unless explicitly authorized under a signed BAA.

Healthcare-Grade Safeguards

Notwithstanding the above, HEALinc applies security and privacy practices aligned with industry standards commonly used in healthcare and regulated environments, including:

  • Role-based access controls

  • Encryption best practices

  • Audit logging and monitoring

  • Incident response procedures

  • Vendor security assessments

Customer Responsibility

Customers are responsible for:

  • Determining whether their use of the Platform involves PHI

  • Ensuring appropriate configurations and access controls

  • Executing a BAA if HIPAA-regulated use is required

HEALinc disclaims responsibility for PHI uploaded without an executed BAA.

No Medical Services Disclaimer

The Platform:

  • Does not provide medical advice, diagnosis, or treatment

  • Does not replace professional healthcare services

  • Serves solely as a collaboration, communication, and transaction platform

Optional BAA Availability

HEALinc may offer a separate Business Associate Agreement upon request for enterprise customers, subject to technical and contractual review.