HealthWatch Global

GDPR · Art. 28

Data Processing Agreement

GDPR Article 28 — for institutional subscribers

Effective date: June 24, 2026

EU-hosted data · GDPR Art. 28 compliant · Response within 48h

Request a Signed Copy

To obtain a countersigned copy of this DPA for your institutional procurement records, contact us. We respond within 2 business days with a countersigned PDF.


1. Parties

Controller: The organization subscribing to HealthWatch Global services (hereinafter "Controller").

Processor: HealthWatch Global, operated by David Deheunynck, sole trader (France) (hereinafter "Processor"). This DPA forms part of the Terms of Service and governs all processing of personal data by the Processor on behalf of the Controller.

2. Subject Matter and Purpose

The Processor provides the Controller's authorized users with access to HealthWatch Global, a real-time epidemic surveillance dashboard. In doing so, the Processor processes personal data on behalf of the Controller as set out in this DPA.

3. Categories of Personal Data

| Category | Detail | Data Subjects |
|---|---|---|
| Account credentials | Email address, hashed password | Controller's authorized users |
| Profile data | Name, organization, role (if provided) | Controller's authorized users |
| Alert preferences | Monitored regions, diseases, language | Controller's authorized users |
| Usage data | Login timestamps, features accessed | Controller's authorized users |
| Billing data | Billing email, organization name (payment card data processed directly by Stripe) | Billing contact |

4. Processor Obligations (GDPR Art. 28)

  • a) Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries;
  • b) Ensure that persons authorized to process the personal data have committed themselves to confidentiality;
  • c) Implement all measures required pursuant to Article 32 GDPR;
  • d) Respect the conditions for engaging sub-processors set out in Article 28(2)-(4) GDPR;
  • e) Assist the Controller in fulfilling its obligations to respond to data subject rights requests;
  • f) Assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, breach notification, DPIA, prior consultation);
  • g) At the Controller's choice, delete or return all personal data after the end of services, and delete existing copies unless required by law;
  • h) Make available to the Controller all information necessary to demonstrate compliance and allow for audits.

5. Sub-processors

The Controller grants general authorization to engage the following sub-processors. The Processor will notify the Controller of any intended changes, giving the Controller the opportunity to object.

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database & authentication | EU — Frankfurt (Germany) | AWS eu-central-1 · Supabase DPA |
| Sendinblue SAS (Brevo) | Transactional email & alerts | EU — Paris (France) | French company · GDPR-native |
| Vercel Inc. | Hosting & CDN | Global CDN (EU edge available) | SCCs · EU region configurable |
| Stripe Inc. | Payment processing | EU / United States | Stripe DPA · SCCs for US transfers |

6. Security Measures (GDPR Art. 32)

  • Encryption in transit: HTTPS/TLS 1.2+ for all communications
  • Encryption at rest: AES-256 (Supabase managed encryption)
  • Access control: role-based access, least privilege principle
  • Authentication: Supabase Auth with secure session management
  • Monitoring: uptime monitoring, error logging (Sentry)
  • Backups: automated daily backups (Supabase)
  • Availability: 99.9% uptime target (Vercel + Supabase infrastructure)

7. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and, where feasible, not later than 24 hours after becoming aware. The notification shall include all information required under Article 33(3) GDPR.

8. Duration and Deletion

This DPA is effective for the duration of the HealthWatch Global subscription. Upon termination, the Processor shall delete or return all personal data within 30 days, provide a CSV export upon request before deletion, and delete all existing copies unless retention is required by applicable law.

9. Governing Law

This DPA is governed by French law and Regulation (EU) 2016/679 (GDPR). Any dispute shall be subject to the exclusive jurisdiction of the courts of Paris, France.
