Data Processing Addendum (DPA)
GDPR and International Data Protection Compliance
Between Scribeable, Inc. and Customer
Effective Date: Upon Execution
PREAMBLE
This Data Processing Addendum ("DPA") forms part of the Platform Terms of Use and/or Business Associate Agreement (collectively, the "Principal Agreement") between Scribeable, Inc. ("Scribeable," "Processor," or "Data Processor") and the customer identified in the Principal Agreement ("Customer," "Controller," or "Data Controller").
This DPA reflects the parties' agreement with respect to the processing of Personal Data (as defined below) in connection with the European Union General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the revised Swiss Federal Act on Data Protection (revFADP, effective September 1, 2023), and other applicable data protection laws (collectively, "Data Protection Laws").
Where Scribeable processes Personal Data in the course of providing services under the Principal Agreement, the parties agree to comply with the terms and conditions set forth in this DPA.
1. DEFINITIONS
1.1 Key Terms
Capitalized terms not otherwise defined herein shall have the meanings set forth in the Principal Agreement or Data Protection Laws. For purposes of this DPA:
(a) "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with an entity.
(b) "Authorized Sub-processor" means a third-party Sub-processor authorized under Section 5 of this DPA.
(c) "Customer Personal Data" means any Personal Data that Scribeable processes on behalf of Customer in the course of providing services under the Principal Agreement.
(d) "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including:
- The GDPR (Regulation (EU) 2016/679)
- The UK GDPR and UK Data Protection Act 2018
- The revised Swiss Federal Act on Data Protection (revFADP, effective September 1, 2023)
- California Consumer Privacy Act (CCPA/CPRA)
- Other applicable U.S. state privacy laws
- HIPAA (where applicable)
(e) "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
(f) "EEA" means the European Economic Area.
(g) "Personal Data" means any information relating to an identified or identifiable natural person that Scribeable processes on behalf of Customer, including Protected Health Information under HIPAA.
(h) "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
(i) "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
(j) "Restricted Transfer" means a transfer of Customer Personal Data to a country outside the EEA, UK, or Switzerland that is not subject to an adequacy decision under Data Protection Laws.
(k) "Standard Contractual Clauses" or "SCCs" means:
- For data transfers from the EEA: The standard contractual clauses for processors set forth in the European Commission's Implementing Decision 2021/914 of 4 June 2021
- For data transfers from the UK: The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office
- For data transfers from Switzerland: The Swiss Federal Data Protection and Information Commissioner's approved standard contractual clauses
(l) "Sub-processor" means any Processor engaged by Scribeable to process Customer Personal Data.
(m) "Supervisory Authority" means an independent public authority established by an EU Member State, the UK, or Switzerland to oversee compliance with Data Protection Laws.
2. SCOPE AND ROLES
2.1 Relationship of the Parties
(a) Controller-Processor Relationship: With respect to Customer Personal Data, Customer is the Data Controller and Scribeable is the Data Processor. Scribeable shall process Customer Personal Data only on documented instructions from Customer as set forth in this DPA and the Principal Agreement.
(b) Independent Data Controllers: Each party may also process personal data for which it is an independent Data Controller. Such processing is governed by each party's respective privacy policy, not this DPA.
2.2 Customer Instructions
(a) Documented Instructions: Scribeable shall process Customer Personal Data only in accordance with Customer's documented instructions unless required to do otherwise by applicable law. The Principal Agreement and this DPA constitute Customer's complete instructions for processing Customer Personal Data.
(b) Scope of Instructions: Customer instructs Scribeable to process Customer Personal Data to:
- Provide the Platform services as described in the Principal Agreement
- Generate AI-powered clinical summaries
- Transcribe voice recordings
- Integrate with EHR systems
- Provide clinical decision support
- Maintain backups and disaster recovery
- Provide technical support
- Comply with applicable laws
(c) Additional Instructions: Customer may issue additional written instructions that are consistent with the terms of the Principal Agreement. Scribeable will inform Customer if an instruction infringes Data Protection Laws.
(d) Unlawful Instructions: If Scribeable believes that an instruction from Customer infringes Data Protection Laws, Scribeable will promptly inform Customer and may refuse to comply with the instruction until Customer confirms or modifies it.
2.3 Purpose Limitation
Scribeable shall not process Customer Personal Data:
- For any purpose other than as instructed by Customer
- In a manner incompatible with the purposes specified in this DPA
- For its own purposes (except as required by law)
- To train artificial intelligence or machine learning models
- To create derivative datasets for sale or distribution
Data Minimization: Processor shall process only the minimum amount of personal data necessary to fulfill the purposes specified in this Addendum. Processor shall not collect, retain, or process personal data beyond what is strictly necessary for the performance of the Services.
2.4 Duration of Processing
Scribeable's processing of Customer Personal Data will continue for the duration of the Principal Agreement, unless otherwise agreed or required by law.
3. DATA PROCESSOR OBLIGATIONS
3.1 Compliance with Data Protection Laws
Scribeable shall:
- Comply with all applicable Data Protection Laws in its processing of Customer Personal Data
- Implement and maintain appropriate technical and organizational measures as described in Annex II
- Assist Customer in meeting its obligations under Data Protection Laws
- Respond promptly to Customer's reasonable requests regarding compliance
3.2 Confidentiality
(a) Confidentiality Obligations: Scribeable shall ensure that all personnel authorized to process Customer Personal Data:
- Are bound by enforceable obligations of confidentiality
- Have received appropriate training on data protection
- Are granted access only on a need-to-know basis
- Process Customer Personal Data only as instructed by Customer
(b) Survival: Confidentiality obligations shall survive termination of this DPA and the Principal Agreement.
3.3 Security Measures
(a) Technical and Organizational Measures: Scribeable shall implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex II (Security Measures), including:
- Pseudonymization and encryption of Personal Data
- Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner
- Regular testing, assessment, and evaluation of security measures
(b) Risk Assessment: In assessing appropriate security measures, Scribeable will take into account:
- The state of the art
- Implementation costs
- The nature, scope, context, and purposes of processing
- Risk of varying likelihood and severity for Data Subject rights
(c) Security Reviews: Scribeable will regularly review and update its security measures to maintain compliance with Data Protection Laws.
3.4 Personal Data Breach Notification
(a) Notification Obligation: Scribeable shall notify Customer without undue delay after becoming aware of a Personal Data Breach, and in no event later than 24 hours after discovery.
(b) Breach Information: The notification shall include, to the extent known:
- Nature of the Personal Data Breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of Scribeable's data protection officer or other contact point
- Likely consequences of the Personal Data Breach
- Measures taken or proposed to address the breach and mitigate its effects
(c) Investigation and Remediation: Scribeable shall:
- Promptly investigate the Personal Data Breach
- Take reasonable steps to remediate the breach
- Prevent further unauthorized access
- Cooperate with Customer's breach response activities
- Provide updates as the investigation progresses
(d) Customer's Own Notification Obligations: Scribeable's obligation to report does not relieve Customer of its own obligation to notify Supervisory Authorities or Data Subjects as required by Data Protection Laws.
3.5 Data Subject Rights
(a) Assistance Obligation: Taking into account the nature of processing, Scribeable shall assist Customer by implementing appropriate technical and organizational measures to enable Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
(b) Direct Requests: If Scribeable receives a request from a Data Subject directly, Scribeable shall:
- Not respond to the request without Customer's prior written authorization
- Promptly inform Customer of the request
- Provide Customer with reasonable assistance in responding
- Follow Customer's documented instructions regarding the request
(c) Fees: Scribeable may charge a reasonable fee for assistance beyond the scope of its standard obligations, based on the complexity and number of requests.
3.6 Data Protection Impact Assessment
Upon Customer's request, Scribeable shall provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with Supervisory Authorities as required by Data Protection Laws, to the extent that such assistance relates to Scribeable's processing of Customer Personal Data.
3.7 Records of Processing Activities
Scribeable shall maintain written records of all categories of processing activities carried out on behalf of Customer, containing:
- Name and contact details of Scribeable and each Sub-processor
- Categories of processing carried out on behalf of Customer
- Where applicable, Restricted Transfers
- Description of technical and organizational security measures
3.8 Deletion or Return of Personal Data
(a) Upon Termination: Upon termination or expiration of the Principal Agreement, Scribeable shall, at Customer's election:
- Delete all Customer Personal Data, or
- Return all Customer Personal Data to Customer
(b) Retention for Legal Obligations: Scribeable may retain Customer Personal Data to the extent required by applicable law, provided that Scribeable will:
- Notify Customer of the requirement to retain
- Ensure the confidentiality of retained Personal Data
- Process retained Personal Data only as required by law
- Delete retained Personal Data when no longer required
(c) Certification: Upon Customer's request, Scribeable shall provide written certification that it has complied with its deletion obligations.
(d) Sub-processor Data: Scribeable shall ensure that all Sub-processors delete or return Customer Personal Data in accordance with this Section.
4. AUDITS AND COMPLIANCE
4.1 Audit Rights
(a) Customer's Right to Audit: Customer may audit Scribeable's compliance with this DPA:
- No more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach)
- Upon at least 30 days' prior written notice
- During regular business hours
- In a manner that does not unreasonably interfere with Scribeable's operations
(b) Audit Procedures: Audits shall be conducted:
- By Customer or its authorized third-party auditors
- Subject to reasonable confidentiality obligations
- At Customer's expense (unless a non-compliance is discovered)
- With reasonable cooperation from Scribeable
(c) Audit Reports: Customer may request copies of Scribeable's third-party audit reports or certifications, including:
- SOC 2 Type II reports
- ISO 27001 certifications
- HIPAA compliance assessments
- Penetration testing summaries
4.2 Cooperation with Supervisory Authorities
Scribeable shall:
- Cooperate with Supervisory Authorities at Customer's request
- Provide information requested by Supervisory Authorities
- Notify Customer of any orders or requests from Supervisory Authorities
- Comply with Supervisory Authority directives
4.3 Demonstration of Compliance
Upon reasonable request, Scribeable shall make available to Customer information necessary to demonstrate compliance with this DPA and Data Protection Laws.
5. SUB-PROCESSORS
5.1 Authorization to Use Sub-processors
(a) General Authorization: Customer provides general authorization for Scribeable to engage Sub-processors to process Customer Personal Data, subject to the conditions set forth in this Section.
(b) Current Sub-processors: A list of Scribeable's current Authorized Sub-processors is set forth in Annex III and is available at https://www.scribeable.ai/legal/subprocessors or upon request.
5.2 Sub-processor Requirements
Scribeable shall:
- Enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those in this DPA
- Ensure Sub-processors provide appropriate security measures
- Remain fully liable to Customer for Sub-processor performance
- Conduct appropriate due diligence before engaging Sub-processors
5.3 New Sub-processors
(a) Notification: Scribeable shall inform Customer of any intended changes concerning the addition or replacement of Sub-processors:
- At least 30 days before authorizing any new Sub-processor
- By email to Customer's registered email address
- By updating the Sub-processor list at the designated URL
(b) Objection Right: Customer may object to Scribeable's use of a new Sub-processor on reasonable data protection grounds by notifying Scribeable in writing within 15 days of notification.
(c) Resolution: If Customer objects:
- The parties shall work together in good faith to find a commercially reasonable solution
- If no solution can be found, Customer may terminate the affected services without penalty
- Scribeable may seek alternative Sub-processors to accommodate Customer's concerns
5.4 Sub-processor Liability
Scribeable shall be liable for the acts and omissions of its Sub-processors to the same extent as if Scribeable itself had performed such acts or omissions.
6. INTERNATIONAL DATA TRANSFERS
6.1 Restricted Transfers
Customer acknowledges and agrees that Scribeable may transfer Customer Personal Data to countries outside the EEA, UK, or Switzerland, including to the United States, for the purposes of providing the services under the Principal Agreement.
6.2 Standard Contractual Clauses
(a) Incorporation of SCCs: For any Restricted Transfer of Customer Personal Data, the parties agree to be bound by the Standard Contractual Clauses, which are incorporated herein by reference and form an integral part of this DPA.
(b) Module Selection: The parties agree that, where applicable:
- For transfers from Customer to Scribeable: Module Two (Controller-to-Processor) applies
- For transfers from Scribeable to Sub-processors: Module Three (Processor-to-Processor) applies
(c) SCC Details: For purposes of the SCCs:
- The data exporter is Customer
- The data importer is Scribeable (or the Sub-processor, as applicable)
- The optional clauses are selected/modified as set forth in Annex I
- The SCCs' Annex I (Description of Transfer) is set forth in Annex I to this DPA
- The SCCs' Annex II (Technical and Organizational Measures) is set forth in Annex II to this DPA
- The SCCs' Annex III (List of Sub-processors) is set forth in Annex III to this DPA
- The competent Supervisory Authority is Customer's local authority
- The governing law is as specified in the SCCs
(d) Full Text of the SCCs: The complete text of the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller to Processor) is incorporated by reference and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj. A copy will be provided upon request.
6.3 UK and Swiss Addenda
(a) UK Addendum: For Restricted Transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (Version B1.0, in force 21 March 2022) applies to transfers of personal data from the UK, with the following details:
- Table 1 (Parties): Parties as identified in Annex I of this DPA. Exporter: Customer (Data Controller). Importer: Scribeable, Inc. (Data Processor).
- Table 2 (Selected SCCs): The selected SCCs are Module Two (Controller to Processor) as set forth in Section 6.2(b).
- Table 3 (Appendix Information): Annex I (Description of Transfer), Annex II (Technical and Organizational Measures), and Annex III (List of Sub-processors) of this DPA.
- Table 4 (Ending this Addendum): The Importer may end this Addendum as set out in Section 19 of the IDTA.
(b) Swiss Addendum: For Restricted Transfers subject to Swiss law, the SCCs apply as amended for Swiss law, with:
- References to "GDPR" shall be understood as references to the revised Swiss Federal Act on Data Protection (revFADP, effective September 1, 2023)
- The Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority
- Data Subjects also have the right to file complaints with the Swiss Federal Data Protection and Information Commissioner
6.4 Alternative Transfer Mechanisms
If the Standard Contractual Clauses are modified, replaced, or invalidated, the parties will negotiate in good faith to adopt alternative transfer mechanisms recognized under Data Protection Laws.
6.5 Supplementary Measures
In addition to the Standard Contractual Clauses, Scribeable implements supplementary technical, organizational, and contractual measures to ensure adequate protection, including:
- Encryption in transit and at rest
- Access controls and authentication
- Contractual restrictions on access by government authorities
- Regular security assessments
- Incident response procedures
6.6 Transfer Impact Assessment
Scribeable has conducted a Transfer Impact Assessment and determined that, together with the SCCs and supplementary measures, Customer Personal Data transferred to the United States receives an adequate level of protection.
7. LIABILITY AND INDEMNIFICATION
7.1 Liability Under Data Protection Laws
(a) Joint and Several Liability: As between Customer and Scribeable, each party shall be liable to Data Subjects for damages caused by processing that infringes Data Protection Laws, in accordance with Data Protection Laws.
(b) Allocation of Liability:
- Customer is liable for damages caused by processing that is not compliant with Customer obligations under Data Protection Laws
- Scribeable is liable for damages caused by processing that is not compliant with Scribeable's obligations under this DPA and Data Protection Laws
- Scribeable is not liable for damages caused by processing in accordance with Customer's unlawful instructions
(c) Exemption from Liability: Either party is exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage.
7.2 Limitation of Liability
Subject to Section 7.1 and except as otherwise required by Data Protection Laws:
- The total liability of either party under this DPA is subject to the limitation of liability provisions in the Principal Agreement
- Nothing in this DPA limits either party's liability for fraud, gross negligence, or willful misconduct
7.3 Indemnification
(a) Scribeable's Indemnification: Scribeable shall indemnify and hold Customer harmless from claims brought by Data Subjects or Supervisory Authorities arising from Scribeable's breach of this DPA or Data Protection Laws, except to the extent caused by Customer's unlawful instructions.
(b) Customer's Indemnification: Customer shall indemnify and hold Scribeable harmless from claims arising from:
- Customer's failure to obtain necessary consents or authorizations
- Customer's unlawful processing instructions
- Customer's breach of its obligations under Data Protection Laws
7.4 Regulatory Fines
(a) Allocation of Fines: If a Supervisory Authority imposes a fine on either party for processing of Customer Personal Data:
- The party directly responsible for the violation shall bear the fine
- If both parties share responsibility, the fine shall be allocated proportionally
(b) Mitigation: Each party shall use reasonable efforts to mitigate any fines, including cooperating with Supervisory Authorities and implementing corrective measures.
8. TERM AND TERMINATION
8.1 Term
This DPA takes effect on the effective date of the Principal Agreement and continues for as long as Scribeable processes Customer Personal Data on behalf of Customer.
8.2 Survival
Upon termination or expiration of the Principal Agreement:
- This DPA remains in effect until Scribeable ceases all processing of Customer Personal Data
- Sections 3.8 (Deletion or Return), 4 (Audits), 7 (Liability), and 9 (General Provisions) survive termination
8.3 Effect on Principal Agreement
Termination of this DPA for cause may, at Customer's option, result in termination of the Principal Agreement.
9. GENERAL PROVISIONS
9.1 Order of Precedence
In the event of any conflict:
- The Standard Contractual Clauses prevail over this DPA
- This DPA prevails over the Principal Agreement (with respect to data protection matters)
- The Principal Agreement prevails over this DPA (with respect to non-data protection matters)
9.2 Entire Agreement
This DPA, together with the Principal Agreement and the SCCs, constitutes the entire agreement between the parties regarding processing of Customer Personal Data.
9.3 Amendment
(a) Material Amendments: Amendments to this DPA must be in writing and signed by both parties, except:
- Updates to Annexes as permitted under this DPA
- Changes required by Data Protection Laws or Supervisory Authority orders
- Changes to Sub-processor list per Section 5.3
(b) Regulatory Changes: If Data Protection Laws change, the parties will negotiate in good faith to amend this DPA as necessary to maintain compliance.
9.4 Severability
If any provision of this DPA is held to be invalid or unenforceable:
- The remaining provisions remain in full force and effect
- The invalid provision shall be modified to the minimum extent necessary to make it valid
- If modification is not possible, the provision shall be severed
9.5 Waiver
No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom such waiver is sought.
9.6 Notices
All notices under this DPA must be in writing and sent to:
For Customer: As specified in the Principal Agreement
For Scribeable:
- Scribeable, Inc.
- Attention: Data Protection Officer
- Email: [email protected]
9.7 Governing Law and Jurisdiction
(a) Governing Law: This DPA is governed by the same law as the Principal Agreement, except where Data Protection Laws specify otherwise.
(b) Jurisdiction:
- For EU/EEA customers: Jurisdiction as specified in the SCCs
- For UK customers: Courts of England and Wales (or as specified in UK Addendum)
- For Swiss customers: Courts of Switzerland (or as specified in Swiss Addendum)
- For other customers: As specified in the Principal Agreement
9.8 Language
This DPA is executed in English. Translations may be provided for convenience, but the English version controls in case of conflict.
9.9 Counterparts
This DPA may be executed in counterparts, each of which is deemed an original and all of which together constitute one and the same instrument.
ANNEXES
ANNEX I - DESCRIPTION OF TRANSFER
A. LIST OF PARTIES
Data Exporter:
- Name: Customer (as identified in Principal Agreement)
- Address: As specified in Customer's account
- Contact: As specified in Customer's account
- Role: Data Controller
Data Importer:
- Name: Scribeable, Inc.
- Address: 600 Boulevard South SW Suite 104J, Huntsville, AL 35802
- Contact: [email protected]
- Role: Data Processor
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects:
- Healthcare providers (physicians, nurses, clinicians)
- Practice staff and administrators
- Patients (as documented by healthcare providers)
Categories of Personal Data:
- Provider Data: Name, email, professional credentials, license numbers, practice information
- Patient Data (PHI): Name, DOB, medical record numbers, diagnoses, treatment information, vital signs, lab results, clinical notes, medical histories, prescriptions
- Usage Data: Platform interaction data, timestamps, device information
Sensitive Data (if applicable):
- Health information (all patient data qualifies as sensitive data under GDPR)
- Professional credentials and license information
- Authentication credentials (encrypted)
Frequency of Transfer: Continuous during active use of the Platform
Nature of Processing:
- Collection and storage of clinical documentation
- AI-powered analysis and summarization
- Voice transcription
- EHR integration and synchronization
- Clinical decision support
- Analytics and reporting
- Technical support
Purpose of Processing:
- Provide medical documentation platform services
- Enable AI-assisted clinical documentation
- Facilitate EHR integration
- Support healthcare providers in clinical workflows
- Improve platform functionality and user experience
Retention Period:
- Active account data: Duration of customer relationship
- PHI: 7 years after account closure (or as required by law)
- Audit logs: 6 years minimum
- Backups: 90 days maximum
Sub-processors: As listed in Annex III
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs. Where the data exporter is established in the EU, this shall be the supervisory authority of the EU Member State in which the data exporter is established. Where the data exporter is not established in the EU, the Irish Data Protection Commission shall serve as the competent supervisory authority.
ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES
1. MEASURES OF PSEUDONYMISATION AND ENCRYPTION
(a) Encryption in Transit:
- TLS 1.3 for all data transmission
- Perfect forward secrecy
- Strong cipher suites only
(b) Encryption at Rest:
- AES-256 encryption for all stored data
- Encrypted database connections
- Encrypted backups
(c) End-to-End Encryption:
- Client-side encryption for web export feature
- Key derivation using HKDF(SHA-256)
- AES-GCM authenticated encryption
(d) Pseudonymization:
- Internal identifiers separate from personal identifiers
- Tokenization of sensitive data elements where feasible
- De-identification for analytics
2. MEASURES FOR ENSURING ONGOING CONFIDENTIALITY, INTEGRITY, AVAILABILITY, AND RESILIENCE
(a) Access Controls:
- Role-based access control (RBAC)
- Principle of least privilege
- Multi-factor authentication (MFA)
- Unique user identifiers
- Automatic session timeout
- Strong password requirements
- Regular access reviews
(b) Authentication and Authorization:
- Secure authentication protocols (OAuth 2.0)
- Token-based authentication
- Refresh token rotation
- Session management
- Authorization checks at all layers
(c) Audit Logging:
- Comprehensive audit trails
- Tamper-evident logs
- Real-time monitoring
- Log retention (6 years minimum)
- SIEM integration
(d) Network Security:
- Web Application Firewall (WAF)
- DDoS protection
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Network segmentation
- VPN for administrative access
(e) Application Security:
- Secure development lifecycle
- Code review and static analysis
- Dynamic application security testing (DAST)
- Dependency vulnerability scanning
- Security by design principles
3. MEASURES FOR ENSURING ABILITY TO RESTORE AVAILABILITY AND ACCESS
(a) Backup and Recovery:
- Automated daily backups
- Encrypted backup storage
- Geographically distributed backups
- Regular restore testing
- Recovery time objective (RTO): 4 hours
- Recovery point objective (RPO): 24 hours
(b) Business Continuity:
- Disaster recovery plan
- Failover capabilities
- Redundant infrastructure
- Alternative processing sites
- Annual DR testing
(c) Redundancy:
- Multi-availability zone deployment
- Load balancing
- Database replication
- Redundant network connections
- Redundant power supplies
4. PROCESSES FOR REGULARLY TESTING, ASSESSING AND EVALUATING EFFECTIVENESS
(a) Security Testing:
- Annual penetration testing by third parties
- Quarterly vulnerability scanning
- Regular security assessments
- Code security reviews
- Social engineering testing
(b) Compliance Audits:
- SOC 2 Type II audit (annual)
- HIPAA compliance assessment (annual)
- ISO 27001 certification maintenance
- Internal audits (quarterly)
(c) Monitoring and Detection:
- 24/7 security monitoring
- Automated threat detection
- Log analysis and correlation
- Anomaly detection
- Security incident response team
(d) Continuous Improvement:
- Security metrics and KPIs
- Lessons learned from incidents
- Security awareness training (quarterly)
- Security policy reviews (annual)
- Technology updates and patches
5. MEASURES FOR USER IDENTIFICATION AND AUTHORIZATION
(a) User Management:
- Unique user IDs for all personnel
- Background checks for employees with access to Personal Data
- Confidentiality agreements for all personnel
- Training on data protection and security
- Immediate access revocation upon termination
(b) Segregation of Duties:
- Separation of development, testing, and production
- Multiple approvals for sensitive operations
- Audit of privileged access
- No shared accounts
6. MEASURES FOR PROTECTION OF DATA DURING TRANSMISSION
(a) Transport Layer Security:
- TLS 1.3 mandatory for all connections
- iOS App Transport Security with Certificate Transparency
- HSTS (HTTP Strict Transport Security)
- Perfect forward secrecy
(b) API Security:
- API authentication and authorization
- Rate limiting and throttling
- Input validation and sanitization
- CORS policies
7. MEASURES FOR PROTECTION OF DATA DURING STORAGE
(a) Physical Security:
- Data centers with 24/7 security
- Biometric access controls
- Video surveillance
- Environmental controls
- Visitor logging and escorts
(b) Logical Security:
- Database encryption
- Filesystem encryption
- Secure key management (HSM)
- Data classification and labeling
8. MEASURES FOR ENSURING PHYSICAL SECURITY
(a) Facility Security:
- Controlled access to data centers
- Security guards and surveillance
- Perimeter security
- Visitor management
- Asset inventory and tracking
(b) Device Security:
- Full disk encryption on all devices
- Mobile device management (MDM)
- Remote wipe capabilities
- Secure disposal procedures
9. MEASURES FOR ENSURING EVENTS LOGGING
(a) Comprehensive Logging:
- Authentication events
- Authorization events
- Data access events
- Administrative actions
- System changes
- Security events
(b) Log Management:
- Centralized log aggregation
- Tamper-evident log storage
- Log integrity verification
- Regular log review
- Long-term log retention
10. MEASURES FOR ENSURING SYSTEM CONFIGURATION
(a) Configuration Management:
- Hardened operating systems
- Minimal installed software
- Secure default configurations
- Regular security patching
- Change management process
(b) Vulnerability Management:
- Regular vulnerability assessments
- Patch management procedures
- Zero-day threat monitoring
- Security advisory tracking
11. MEASURES FOR INTERNAL IT AND IT SECURITY GOVERNANCE
(a) Security Governance:
- Information security policy
- Data protection policy
- Incident response plan
- Business continuity plan
- Risk management framework
(b) Organizational Measures:
- Chief Information Security Officer (CISO)
- Data Protection Officer (DPO)
- Security steering committee
- Defined roles and responsibilities
- Regular management reviews
12. MEASURES FOR CERTIFICATION
- SOC 2 Type II Certification
- ISO 27001 Certification (planned)
- HIPAA Compliance Attestation
- Annual compliance assessments
ANNEX III - LIST OF AUTHORIZED SUB-PROCESSORS
Current Sub-processors as of October 24, 2025:
| Sub-processor | Service Provided | Location | Safeguards |
|---|---|---|---|
| Anthropic PBC | AI language models (Claude API) for clinical documentation | United States | BAA, SCCs, Confidentiality Agreement |
| Deepgram, Inc. | Voice transcription services | United States | BAA, SCCs, Confidentiality Agreement |
| Google LLC | Cloud infrastructure (Firebase, GCP) | United States (with global presence) | BAA, SCCs, DPA |
| Apple Inc. | In-App Purchase processing | United States | DPA, Privacy commitments |
Note: An up-to-date list of Sub-processors is available at: https://www.scribeable.ai/legal/subprocessors
Notification of Changes: Customers will be notified of changes to this list at least 30 days in advance via email.
SIGNATURES
By entering into the Principal Agreement, the parties agree to be bound by this Data Processing Addendum.
DATA CONTROLLER / CUSTOMER:
Name: ________________________________
Title: ________________________________
Signature: ____________________________
Date: _________________________________
DATA PROCESSOR / SCRIBEABLE:
Scribeable, Inc.
Name: ________________________________
Title: ________________________________
Signature: ____________________________
Date: _________________________________
Last Updated: February 5, 2026
Version: 2.0
© 2026 Scribeable, Inc. All rights reserved.