
Data Processing Addendum

This DPA forms part of the agreement between Customer and MyOrbitHealth and governs the processing of personal data on Customer's behalf. For PHI, the Business Associate Agreement (BAA) controls.

Last updated · June 1, 2026

Plain-language summary

Customer is the data controller; MyOrbitHealth is the processor. We only process personal data on documented instructions, keep a vetted subprocessor list, apply strong security controls, and notify Customer promptly of any qualifying incident. PHI is additionally governed by the BAA.

01 · Roles and scope

Customer acts as the controller (or business) and MyOrbitHealth acts as the processor (or service provider) with respect to personal data processed through the platform. This DPA applies to all such processing for the duration of the underlying agreement.

02 · Processing instructions

MyOrbitHealth processes personal data only on Customer's documented instructions, including those set out in the agreement, the platform configuration, and any written directions issued by Customer. We will notify Customer if an instruction appears to violate applicable law.

03 · Confidentiality

Personnel authorized to process personal data are bound by written confidentiality obligations and receive privacy and security training appropriate to their role.

04 · Security measures

We maintain technical and organizational measures designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, least-privilege provisioning, audit logging, vulnerability management, and a documented incident response program.

05 · Subprocessors

Customer authorizes MyOrbitHealth to engage subprocessors for hosting, observability, communications, and payments. Each subprocessor is bound by written terms providing materially equivalent protection. A current list is available on request, and we will give Customer notice of intended changes with an opportunity to object.

06 · International transfers

Personal data is primarily stored in US-region infrastructure. Where a transfer occurs from a jurisdiction with cross-border restrictions, the parties rely on an approved transfer mechanism (e.g. Standard Contractual Clauses, UK IDTA, or an applicable adequacy decision).

07 · Data subject requests

MyOrbitHealth will, taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to data subject requests (access, rectification, erasure, restriction, portability, and objection).

08 · Incident notification

We will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's data, with the information reasonably available to support Customer's own notification obligations. PHI breach notification is governed by the BAA and HIPAA's Breach Notification Rule.

09 · Audits

MyOrbitHealth makes available information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g. SOC 2) under NDA. On-site audits may be conducted by Customer or its mandated auditor subject to reasonable scope, frequency, and confidentiality safeguards.

10 · PHI and the BAA

Where personal data constitutes Protected Health Information (PHI) under HIPAA, the executed Business Associate Agreement governs and, to the extent of any conflict with this DPA, the BAA controls for that PHI.

11 · Return and deletion

On termination or expiry, MyOrbitHealth will, at Customer's election, return or delete personal data within the timelines set out in the agreement, subject to legal retention requirements and routine backup cycles.

12 · Relationship to other terms

This DPA supplements the Terms of Service and Privacy Policy. In case of conflict regarding the processing of personal data, this DPA controls; for PHI, the BAA controls.

13 · Contact

DPA requests and questions: privacy@myorbithealth.com.