Data Processing Agreement
This Data Processing Agreement (the "DPA") is between Phiusion Labs Inc., an Ontario corporation ("Processor" or "Phiusion"), and the practitioner identified at signature ("Controller"). It takes effect on [EFFECTIVE_DATE_OF_THIS_DPA] and runs with the Phiusion Labs Terms of Service (the "Services Agreement"). The Services Agreement governs the SaaS relationship; this DPA governs Personal Data handling and controls on any conflict.
This DPA implements GDPR Art. 28(3), the equivalent Quebec Law 25 art. 18 obligations, and the cross-border transfer requirements at GDPR Art. 44 and Art. 46(2)(c).
1. Recitals and Scope
A. Phiusion's role. The Controller uses Phiusion to capture skin photographs, record health background, run skin assessments, document regimens, sell professional skincare, and store wellness sessions. Phiusion is the Controller's "processor" (GDPR Art. 4(8)) and mandataire (Law 25 art. 18).
B. Controller's role. A licensed health practitioner determining purposes and means — controller (GDPR Art. 4(7)) and "person carrying on an enterprise" (Law 25 art. 1).
C. Universkin SAS as sub-processor. Phiusion engages Universkin SAS (Sophia Antipolis, France) ("Universkin") as its GDPR Art. 28(2) sub-processor for SkinXS and related operations. Flow-down: Intercompany DPA + BAA at D15.
D. Universkin's controller leg is out of scope. Where a patient separately consents under Patient AI Improvement Consent (D11), Universkin processes that training data under an independent controller-leg agreement at D15 — outside this DPA. Phiusion's flow-down ends at the patient-consent boundary. Within this DPA, Phiusion and Universkin are processor and sub-processor and not joint controllers within Art. 26. The Controller's only counterparty on the AI-improvement leg is Universkin.
E. Wellness positioning does not modify legal scope. Wellness positioning (§16) defends against medical-device classification but does not remove patient records from GDPR, Law 25, or PIPEDA. Health background, photographs, and assessment refinements remain "special categories" (Art. 9(1)) and "sensitive personal information" (Law 25 art. 12).
F. Cross-reference to D15. D15 contains Universkin's Art. 28(3) flow-down, the challenge-or-notify covenant, and an engineering attestation that SkinXS does not persist face-geometry vectors past the API request absent D11 consent.
G. Scope and routing. This DPA is for you if you are a Quebec controller under Law 25 or an EU-established controller. A practitioner who is both a Quebec controller and an Ontario PHIPA custodian signs both this DPA (Quebec patients) and D21 (Ontario PHI), keyed to province of treatment.
EU-established practitioners: covered (§7.2) — but Phiusion does not actively market to EU residents; contact privacy@phiusionlabs.app before signing.
If you are someone else:
- HIPAA Covered Entities (US): Business Associate Agreement (D13).
- Ontario PHIPA custodians: PHIPA HINP Services Agreement (D21).
- Alberta HIA, Manitoba/Atlantic PHIA, Saskatchewan HIPA trustees, other Canadian custodians/trustees: bilateral IM agreement via sales@phiusionlabs.app.
- US non-HIPAA-CE practitioners (wellness-only, aestheticians, retailers): do not sign this DPA; contact sales@phiusionlabs.app.
If signed contrary to this section, the DPA is voidable at Phiusion's election; contact privacy@phiusionlabs.app for re-routing.
2. Definitions
Capitalized terms not defined here take their meaning from GDPR Art. 4 or, for Quebec controllers, from Law 25.
- "Controller" — GDPR Art. 4(7); "person carrying on an enterprise" under Law 25.
- "Personal Data" — GDPR Art. 4(1); "personal information" under Law 25 and PIPEDA. Limited to data Phiusion processes on the Controller's behalf.
- "Personal Data Breach" — GDPR Art. 4(12); "confidentiality incident" under Law 25 art. 3.5.
- "Privacy Officer" — the named Phiusion individual responsible under Law 25 art. 3.1; privacy@phiusionlabs.app.
- "Processing" — GDPR Art. 4(2).
- "Processor" — GDPR Art. 4(8); "person acting on behalf of" the Controller under Law 25 art. 18.
- "Special Categories of Personal Data" — GDPR Art. 9(1); "sensitive personal information" under Law 25 art. 12.
- "Sub-processor" — any third party engaged by Phiusion to process Personal Data on Phiusion's behalf.
3. Subject Matter, Duration, Nature, and Purpose
Per GDPR Art. 28(3); detail in Annex I:
- Subject matter. Personal Data placed into Phiusion to provide skin-wellness services to the Controller's patients.
- Duration. Services Agreement term plus any §13 tail.
- Nature. Storage, hosting, retrieval, transmission, backup, skin-assessment refinement; ephemeral biometric processing during a SkinXS request; LLM generation of plain-language summaries; payment, email, and shipping flows architecturally excluded.
- Purposes. Skin assessment and refinement; regimen documentation; sale, fulfilment, tracking of professional skincare products; record-keeping; security, audit, breach response. Out of scope: AI-improvement model training (D11 + D15) and any use not necessary for the Services Agreement.
4. Types of Personal Data and Categories of Data Subjects
Personal Data categories (Art. 28(3)):
- patient personal data (name, contact details, date of birth, internal patient identifier);
- patient health background (Art. 9(1));
- photographs of the patient's face and skin (Art. 9(1));
- skin assessment results and the Controller's refinements (Art. 9(1));
- skincare regimen documentation and product order history;
- biometric identifiers (face-geometry vectors for skin-feature scoring, not identity verification within LCCJTI art. 44 and outside GDPR Art. 9(1)'s "for the purpose of uniquely identifying" trigger per Art. 4(14)) — ephemeral within a SkinXS API request under this DPA;
- these vectors are persisted for AI-improvement training only with separate D11 consent (D15 controller leg, outside this DPA; subject of the LCCJTI art. 45 declaration in §14).
Data subjects: the Controller's patients.
5. Phiusion's Obligations as Processor
Commitments track GDPR Art. 28(3)(a)–(h) and the equivalent Law 25 art. 18.
5.1 (a) Documented instructions
Phiusion processes Personal Data only on the Controller's documented instructions, including for cross-border transfers, unless required by EU, Member State, Quebec, or Canadian law. The Services Agreement, this DPA, and the platform configuration constitute those instructions. Where law obligates processing outside them, Phiusion informs the Controller beforehand unless law prohibits notice on important public-interest grounds.
5.2 (b) Confidentiality
Phiusion's workforce is bound by written confidentiality undertakings as a condition of engagement; flowed down to each Sub-processor under §6.
5.3 (c) Security (Art. 32)
Phiusion implements technical and organizational measures appropriate to the risk. Summary in Annex II; operational detail in D17 (DPIA) and D19 (Breach Playbook).
5.4 (d) Sub-processor authorization
General written authorization is given, subject to §6. Phiusion provides at least thirty (30) days' advance notice of any new Sub-processor; the Controller may object in writing, and an unresolved objection may trigger termination without penalty.
In emergencies (vendor outage, security incident, regulator order, insolvency), Phiusion may act on shorter notice, publishing within twenty-four (24) hours, with full documentation within seven (7) days.
5.5 (e) Data-subject-rights assistance
Phiusion assists with requests under GDPR Arts. 15–22 and Law 25 arts. 27–30. DSAR tooling produces JSON/CSV (PDF on request) within fifteen (15) calendar days so the Controller meets the 30-day statutory window. Requests: privacy@phiusionlabs.app.
Under the universal-protection model, every patient gets the same rights regardless of residence. Erasure of medical-record content is subject to the §13 retention exception.
5.6 (f) Assistance with Arts. 32–36
Phiusion assists with GDPR Arts. 32–36 — security, breach notification (§9), data-subject communication, DPIAs (§10), and prior consultation. D17 is supplied for reference.
5.7 (g) Return or destruction at end of services
Per GDPR Art. 28(3)(g) and Law 25 art. 23, on the Controller's instruction Phiusion deletes or returns all Personal Data at end of services, unless EU, Member State, Quebec, or Canadian medical-record retention law requires storage (§13, D18).
5.8 (h) Audit rights
Phiusion makes available information necessary to demonstrate compliance and contributes to audits by the Controller or its mandated auditor. May be satisfied via SOC 2, ISO/IEC 27001, or equivalent attestations plus written responses. On-site inspection on reasonable notice, subject to multi-tenant constraints.
6. Sub-processors
6.1 Authorization and flow-down
General written authorization is given. Current list: content/legal/sub-processors.ts; updates per §5.4. By written contract, each Sub-processor accepts data-protection obligations equivalent to this DPA. Where a Sub-processor fails, Phiusion remains fully liable to the Controller.
6.2 Universkin SAS as primary sub-processor
Universkin SAS (Sophia Antipolis, France) operates SkinXS. Flow-down D15 imposes:
- processing restrictions equivalent to those on Phiusion;
- Art. 32 security equivalent to §5.3;
- 24-hour breach notice to Phiusion (matches §9 SLA);
- the challenge-or-notify covenant (§7.4);
- an engineering attestation that SkinXS does not persist face-geometry vectors past the API request without D11 consent.
6.3 Infrastructure sub-processors with data scope
Each carries an Art. 28 DPA (and HIPAA BAA where indicated):
- Supabase, Inc. — DB, auth, object storage for patient records, health background, photographs, assessment results. DPA + BAA, Team + HIPAA add-on.
- Vercel, Inc. — hosting and edge runtime. DPA + BAA, Pro + HIPAA add-on.
- Anthropic, PBC — LLM for plain-language skin-overview regeneration. DPA + BAA; ZDR. Hard limit: BAA + engineering invariant cover only /v1/messages on the first-party Anthropic API. No other surface (Batch, Files, Skills, Code Execution, Computer Use, Web Fetch, third-party MCP, beta) receives Personal Data; enforced by a code-level check.
- Sentry (Functional Software, Inc.) — error monitoring on Business tier under Art. 28 DPA. Personal Data gated by beforeSend scrubbing + route blocklist; residual-risk config at docs/legal/internal/sentry-option-c-acknowledgment.md.
Architecturally excluded from Personal Data paths (enforced in code):
- Stripe, Inc. — payments (cart total + Controller billing/shipping + card data).
- SendGrid (Twilio Inc.) — transactional email (opaque order IDs + "log in to view" patterns).
- Google Maps Platform (Google LLC) — Controller-form address autocomplete.
- AfterShip Limited — carrier tracking (order_id, tracking_number, carrier, status, shipping address).
- remove.bg (Kaleido AI GmbH) — retired; replaced by a self-hosted model.
Authoritative list: Annex III + content/legal/sub-processors.ts. Procurement matrix: content/legal/internal/sub-processor-baa-verification.md (copy under §5.8).
7. International Transfers (Art. 44)
Map: Quebec — §§7.1, 7.3, 7.4. EU — §§7.2, 7.3, 7.4.
7.1 Quebec controllers — Phiusion → Universkin
Canada → France leg basis:
- PIPEDA Sched 1 §4.1.3 — Phiusion's accountability for third-party-processed data, flowed down via D15.
- Law 25 art. 17 EFVP — the Controller's pre-transfer assessment that France (GDPR-subject) affords equivalent protection. Phiusion supports the EFVP via D17, D20, this DPA, and D15.
Commission Decision 2002/2/EC operates inbound (EU → Canada) (§7.2); not the basis for the Canada → France outbound leg.
7.2 EU controllers — Phiusion as Canadian processor
For EU-established controllers, the EU → Phiusion (Canada) transfer relies on Commission Decision 2002/2/EC (PIPEDA adequacy) under GDPR Art. 45. The onward Phiusion → Universkin leg is Canada → France and does not implicate the EU controller's Chapter V export obligations. Onward US Sub-processor legs: SCCs under §7.3.
Phiusion represents that, in providing the Services to EU controllers, it operates within PIPEDA commercial activities and within Commission Decision 2002/2/EC. This representation survives termination for §13 retained-data obligations.
7.3 Sub-processor transfers to the US — Standard Contractual Clauses
For US-stored Sub-processors (Supabase, Vercel, Anthropic, Sentry), transfers rely on the SCCs in Commission Implementing Decision (EU) 2021/914, incorporated per Annex II:
- Module 3 (processor → processor) — Phiusion → US-Sub-processor. Phiusion exports as the Controller's processor; the US Sub-processor imports.
- Module 2 (controller → processor) — incorporated on a stand-by basis for direct EU-controller → Phiusion engagements only if and to the extent Commission Decision 2002/2/EC (PIPEDA adequacy, §7.2) ceases to apply or is restricted. While the adequacy decision is in force, that leg relies on Art. 45 and Module 2 is dormant.
- Module 1 (controller → controller) — Phiusion's own controller activities (billing, telemetry) are outside this DPA's scope; governed by the Phiusion Privacy Notice / vendor DPAs.
The AI-improvement controller leg (Universkin as controller for D11 data) sits outside this DPA; governed by D15.
7.4 Supplementary measures (EDPB Recommendations 01/2020)
Measures against US Sub-processor surveillance exposure and comparable French exposure of Universkin:
- Encryption — TLS 1.2+ in transit; AES-256 at rest.
- Access control — RLS partitions records by Controller; role-based, audited.
- Audit logging of disclosures and admin actions.
- Universkin challenge-or-notify covenant (D15, an EDPB Rec. 01/2020 supplementary measure) — Universkin must (i) challenge French legal demands before complying; (ii) notify Phiusion and the Controller within 24 hours where lawful; (iii) suspend pending Phiusion's reasonable opportunity to intervene. Demands covered: administrative-intelligence access under Code de la sécurité intérieure L. 851-1 et seq. and judicial requisitions under Code de procédure pénale arts. 60-1, 60-2, 77-1-1. Mirrored on the US side by (i) architectural exclusion of US Sub-processors from persisted face-geometry paths (Universkin/FR-only, D11 consent), and (ii) for photographs and clinical text on US Sub-processors, signed BAA + DPA, SCC Module 3, encryption (above), RLS, and per-vendor TIAs at D20.
- Data minimization — §6.3 routes the smallest data set necessary to each vendor.
Effectiveness against FISA §702 / EO 14086 and Code de la sécurité intérieure L. 821-1 et seq. is assessed in per-vendor TIAs at D20. This DPA does not conclude Schrems-II adequacy; it commits Phiusion to maintain the measures and update TIAs on material change.
8. Security Measures (Art. 32)
Measures summarised in Annex II; detail in D17 and D19. Reviewed at least annually; underlying documents updated on material change.
9. Personal Data Breach Notification (Art. 33)
9.1 Service-level timing
Phiusion notifies the Controller of any Personal Data Breach without undue delay and within twenty-four (24) hours of becoming aware (or of a §6.2 Sub-processor notifying it).
The Controller's 72-hour clock to the supervisory authority starts on the Controller's awareness (when Phiusion's notice arrives). For Quebec, the Law 25 art. 3.5 notice to the Commission d'accès à l'information du Québec is required where the incident presents a serious risk of injury (risque qu'un préjudice sérieux soit causé); Phiusion supports the Controller's art. 3.5 filing, not filing in its own name. The 24-hour SLA matches the SLA flowed down to Universkin under D15.
9.2 Notification content
Per GDPR Art. 33(3), the notice includes (to the extent known): breach nature (categories + approximate subjects/records); Privacy Officer contact (§14); likely consequences; measures taken or proposed. Supplemented in phases.
9.3 Channel and cooperation
Notices go to the Controller's email of record, with direct follow-up for severe incidents. The Privacy Officer supplies what the Controller needs for its notifications under GDPR Arts. 33–34. Steps: D19.
10. DPIA Assistance (Art. 35(7))
Per GDPR Art. 28(3)(f), Art. 35(7), and Law 25 art. 3.3, Phiusion supplies the D17 DPIA covering SkinXS photo processing. The Controller may incorporate D17 by reference into its DPIA or EFVP; Phiusion assists with updates where deployment introduces materially different processing.
11. Data-Subject Rights Assistance (Art. 28(3)(e))
DSAR tooling per §5.5. Under the universal-protection model, the same rights apply regardless of residence; patients with statutes beyond GDPR/Law 25 (US consumer-health, Ontario PHIPA, HIPAA §164.524 — and, listed for completeness, Illinois BIPA for an Illinois-resident patient of an EU/QC controller) use the Privacy Officer channel. DSARs: privacy@phiusionlabs.app.
12. Audit Rights (Art. 28(3)(h))
Audit rights are governed by §5.8 (Audit and inspection).
13. Return or Destruction (Art. 28(3)(g))
On termination, at the Controller's choice, Phiusion returns or destroys all Personal Data and retains no copies — except where:
- the Controller's professional regulatory regime requires retention (Quebec: regulation under the Controller's order of professions — typically 5 years from last entry for physicians under RLRQ c. M-9, r. 20.3, with parallel rules for other regulated professions; EU member-state laws, 10–30 years). Phiusion preserves the records on the Controller's behalf and instruction.
- D18 sets a longer period (e.g., 10 years for wellness sessions; age of majority plus 10 years for minors).
- a litigation hold, regulatory order, or court order requires preservation.
Where return or destruction is not feasible, Phiusion continues this DPA's protections, limits processing to those purposes, and destroys data once they end. The retained-categories list and disposition timeline are delivered within thirty (30) days.
14. Law 25 Specifics
For Quebec controllers, the following apply alongside §§3–13:
- French language. Per the Charter of the French Language as amended by Bill 96, Phiusion supplies Quebec-controller communications in French by default; the Controller may consent in writing to English under Charter art. 55. Patient-facing notices default to French.
- Biometric-specific consent. Law 25 art. 12 treats biometric data as sensitive; the Loi concernant le cadre juridique des technologies de l'information (LCCJTI) requires express consent for a biometric database. Phiusion's architecture is consistent — vectors are ephemeral within a SkinXS request, persisted only with D11 consent. Photo consent: D10. AI-improvement consent: D11.
- LCCJTI art. 45 declaration. Phiusion files the art. 45 declaration with the Commission d'accès à l'information du Québec at least sixty (60) days before the first Quebec patient enrolment. Where the Controller is Quebec-established at the effective date, the declaration is on file. Scope: the AI-improvement biometric DB at Universkin under D11/D15 (per D23 §3.3).
- EFVP. Phiusion supports the Controller's EFVP under Law 25 art. 3.3 via D17 and D20.
- Privacy Officer (Law 25 art. 3.1). Phiusion designates a Privacy Officer (named in the frontmatter) and publishes title and contact in the public footer per art. 3.1 ¶3. See /legal/privacy-notice-doctor §§14–15.
15. Term and Termination
a. Term. Effective on [EFFECTIVE_DATE_OF_THIS_DPA]; runs with the Services Agreement plus any §13 tail.
b. Termination for cause. Either Party may terminate on written notice if the other materially breaches this DPA (or, for the Controller, the Services Agreement) and fails to cure within thirty (30) calendar days, or immediately where cure is not possible. §13 survives.
16. Wellness-Positioning Recital
Phiusion positions its software as general wellness software. Customer-facing copy does not claim to diagnose, treat, mitigate, or prevent disease. The Controller decides every clinical action.
In short: wellness positioning keeps Phiusion's product outside FDA, Health Canada, and EU MDR/IVDR regimes (FDA 2019 General Wellness; Health Canada 2019 SaMD under MDR SOR/98-282; MDR 2017/745 / IVDR 2017/746). It does not move patient records outside GDPR, Law 25, or PIPEDA. This DPA still applies.
Anchoring points:
- GDPR Art. 4(1) turns on whether information relates to an identified person, not marketing. Patient records, photographs, health background, assessment refinements, and regimen documentation are Personal Data.
- GDPR Art. 9(1) covers health and biometrics used to uniquely identify a person. Skin photographs and assessment refinements concern health; face-geometry vectors are Art. 4(14) biometric data but fall outside Art. 9(1) for the wellness pipeline (no unique identification) — they re-enter Art. 9(1) only on the D11 AI-improvement leg (cross-ref §4). The Art. 9(2) basis for the wellness pipeline is 9(2)(h) (health care under professional secrecy); the AI-improvement leg relies on separate 9(2)(a) consent under D11. The 9(2)(h) basis is the Controller's; Phiusion processes on documented instructions and does not itself invoke a 9(2) ground.
- Law 25 art. 12 treats health and biometric data as sensitive; same conclusion. For Quebec patients the basis is the patient's manifest, free, informed consent under art. 14, supported by Controller professional-secrecy under the Code des professions. The AI-improvement leg relies on separate art. 14 consent + LCCJTI art. 45, under D11 outside this DPA.
17. Signature Blocks
Phiusion Labs Inc. (Processor)
By: ____________________________ — [PHIUSION_PRIVACY_OFFICER_NAME], Privacy Officer, privacy@phiusionlabs.app. Date: ____________
[CONTROLLER_LEGAL_NAME] (Controller)
By: ____________________________ — [CONTROLLER_AUTHORIZED_SIGNATORY_NAME], [CONTROLLER_AUTHORIZED_SIGNATORY_TITLE], License: [CONTROLLER_LICENSE_NUMBER_AND_REGULATOR], Jurisdiction: [CONTROLLER_JURISDICTION]. Date: ____________
Annex I — Details of Processing
Per GDPR Art. 28(3) and the SCC Annex I:
- Controller: [CONTROLLER_LEGAL_NAME], established in [CONTROLLER_JURISDICTION], regulated by [CONTROLLER_LICENSE_NUMBER_AND_REGULATOR].
- Processor: Phiusion Labs Inc., Ontario, Canada (PIPEDA-subject within Commission Decision 2002/2/EC).
- Primary sub-processor: Universkin SAS, Sophia Antipolis, France (D15).
- Infrastructure sub-processors: Annex III.
- Data subjects: Controller's patients.
- Categories: §4 (health + biometric per Art. 9(1), Law 25 art. 12).
- Purposes: §3.
- Duration: Services Agreement term + §13 / D18 tail.
- Frequency: continuous.
Annex II — Technical and Organisational Measures; Incorporated SCCs
Technical and organisational measures
Measures are summarised at §§5.3, 6.3, 7.4, 9, 13, and detailed in D17/D19. Vendor diversification: persisted face-geometry paths excluded from US vendors; patient photographs are on Supabase (US) and processed by Universkin (FR) under D15. Phiusion will not route Personal Data to a US Sub-processor under this DPA until the corresponding BAA (where applicable) and Art. 28 DPA are signed; Annex III [date] placeholders fill at signature.
Incorporated SCCs
The Parties incorporate by reference the Standard Contractual Clauses adopted in Commission Implementing Decision (EU) 2021/914 in their entirety, in the Module(s) identified in §7.3, with Annexes I–III populated by this DPA. Modules 1, 2, and 3 are each incorporated to the extent §7.3 invokes them (Module 2 on a stand-by basis per §7.3). Where this DPA and the SCCs conflict on the protection of data subjects, the SCCs prevail (Clause 5). The competent supervisory authority for Clause 13 is the authority competent for the Controller's establishment; for Quebec controllers, the Commission d'accès à l'information du Québec is the parallel oversight body under Law 25.
Annex III — Sub-processors
From content/legal/sub-processors.ts. Sub-processors with health or photos scope:
| Sub-processor | Service | Storage | Transfer | Art. 28 DPA | HIPAA BAA |
|---|---|---|---|---|---|
| Universkin SAS | AI skin assessment; platform operations | EU (FR) | EU controllers: EU-internal. Quebec controllers: Canada → France. | Via D15 | Via D15 |
| Supabase, Inc. | Database, auth, object storage | US | SCC Module 3 (Phiusion → US) | [date] | [date] — Team + HIPAA add-on |
| Vercel, Inc. | Hosting, edge runtime | US (global edge) | SCC Module 3 | [date] | [date] — Pro + HIPAA add-on |
| Anthropic, PBC | LLM, text-only skin-overview regeneration | US | SCC Module 3 | [date] | [date]. Scope: /v1/messages. ZDR. |
| Sentry (Functional Software, Inc.) | Post-scrub error monitoring | US (EU optional) | SCC Module 3 | [date] | [date] — Business tier, BAA v1.0.1 |
Architecturally excluded Sub-processors are at §6.3. Procurement: content/legal/internal/sub-processor-baa-verification.md. "[date]" placeholders fill at signature.
Contact: Phiusion Privacy Officer, privacy@phiusionlabs.app. Universkin EU sub-processor role: DPO Maître Eric ELABD, dpo@universkin.com, +33 (4) 93.00.11.96.