DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is entered into by and between SuperVize, LLC (“Processor”) and the User (“User” or “Controller”) on the Effective Date (the date the User account was created), and governs Processor’s processing of Personal Data (including, where applicable, Protected Health Information (“PHI”) or education records) on behalf of User.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Protected Health Information (PHI)” has the same meaning as defined under HIPAA (45 C.F.R. § 160.103).
- “Services” means the SaaS platform and associated services provided by Processor.
- “Sub-processor” means any third party engaged by Processor to process Personal Data on behalf of Controller.
2. Compliance with Applicable Privacy Law
Processor shall comply with all applicable U.S. federal and California laws and regulations, including:
- HIPAA/HITECH (if User is a “covered entity” or “business associate” under HIPAA), including the Privacy, Security, and Breach Notification Rules.
- FERPA (if handling education records of students at educational institutions)
- CCPA/CPRA (if Processor qualifies as a “service provider” or “contractor” under California law)
3. Purpose and Use Limitation
Processor shall process Personal Data only as necessary to provide the Services, or as otherwise instructed in writing by Controller. Processor shall not retain, use, or disclose Personal Data, whether alone or in combination with other data, for any other purpose except as required by law. For PHI, use and disclosure shall be limited to purposes permitted under HIPAA, HITECH and this DPA.
4. Prohibitions on Sale or Unauthorized Sharing
Processor shall not sell, share, or otherwise use Personal Data in any manner not permitted by this DPA. Under CCPA/CPRA definitions, Processor acts as a “service provider” and may not disclose or sell Personal Data to third parties outside the scope of the engagement.
5. Security Safeguards
Processor shall implement and maintain appropriate technical, administrative, and physical safeguards to protect Personal Data (including PHI) from unauthorized access, disclosure, alteration, or destruction, at a level consistent with the HIPAA Security Rule where applicable, and otherwise consistent with industry best practices.
6. Sub-processor Use
Processor shall inform Controller of any Sub-processor it engages, and shall require each Sub-processor, under a written agreement, to comply with the same data protection obligations as those set out in this DPA.
7. Data Subject Rights & Cooperation
Processor will assist Controller in responding to data subject requests, including:
- Individuals’ right under CCPA/CPRA to access, correct, delete, or limit use of Personal Data;
- Under FERPA: requests to inspect and review, or to seek amendment of, education records;
- Under HIPAA: requests for access, amendment, or accounting of disclosures of PHI.
8. Breach Notification
Processor shall notify Controller without unreasonable delay after becoming aware of any unauthorized access to or disclosure of Personal Data (including PHI), and in any event within the time required by applicable law (for PHI, the HIPAA Breach Notification Rule’s outer limit of 60 calendar days after discovery), and shall provide reasonable details to assist Controller in meeting its own breach response obligations (e.g., the notices required under HIPAA or other applicable laws).
9. Termination; Data Return or Destruction
Upon termination or expiration of the Services, User may request the return or secure deletion of all Personal Data (including PHI). If deletion is not practicable, as determined solely by Processor, Processor shall securely isolate such data, continue to protect it under this DPA, and limit further processing to those purposes that make deletion impracticable.
10. Audit Rights
Subject to reasonable notice and confidentiality requirements, Controller has the right to audit Processor’s compliance with this DPA (or to request evidence of compliance, such as security assessments).
11. Liability and Indemnity
Processor and User agree that liability for unauthorized use or disclosure of Personal Data shall be subject to applicable law, including HIPAA, HITECH, FERPA, and CCPA/CPRA, and to any liability limitations provided in this DPA.
12. Miscellaneous
This DPA constitutes the entire agreement between Processor and User regarding the processing of Personal Data and shall be governed by the laws of the State of California, United States. Any dispute arising under this DPA shall be subject to the exclusive jurisdiction of the courts located in the State of California, United States.