
Data Processing Agreement

Last updated: March 2026 | Effective: March 2026

This Data Processing Agreement ("DPA") forms part of the subscription agreement between Dyagnosys Wellbeing FZCO ("Processor") and the Customer ("Controller") and governs the processing of personal data in connection with the Dyagnosys Wellbeing Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1), LGPD Article 5(I), and UAE PDPL Federal Decree-Law No. 45 of 2021.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Special Categories of Data" means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data as defined under GDPR Article 9.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Technical and Organizational Measures" means the security measures implemented by the Processor to protect Personal Data.

2. Scope and Roles

Roles: The Customer is the Data Controller, and Dyagnosys is the Data Processor. The Processor processes Personal Data only on documented instructions from the Controller.

Subject Matter: This DPA applies to the processing of Personal Data in connection with the Customer's use of the Dyagnosys Wellbeing mental health assessment platform.

Duration: This DPA remains in effect for the duration of the Controller's subscription to the Service, plus any additional period required to fulfill obligations under applicable data protection law.

Nature and Purpose: The processing includes: (a) storage of assessment responses and scores; (b) generation of AI-powered insights; (c) progress tracking; (d) account management; and (e) service improvement.

Categories of Data Subjects: Employees, contractors, and authorized users of the Customer's organization who use the Service.

Categories of Personal Data: Account information (name, email), assessment responses, calculated scores, biometric insights, usage patterns, and device information.

3. Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Immediately inform the Controller if any instruction infringes applicable data protection law
  • Ensure that any person authorized to process Personal Data is bound by confidentiality obligations
  • Not engage any Sub-processor without prior written authorization from the Controller
  • Not transfer Personal Data outside the scope of this DPA without prior written consent

Biometric Data: All biometric analysis (facial expressions, voice tone) is performed on-device. The raw biometric data (the underlying image and audio signals) is never transmitted to Processor servers; only the derived biometric insights listed under Categories of Personal Data in Section 2 leave the device.

4. Security Measures

The Processor implements the following Technical and Organizational Measures to protect Personal Data:

Encryption

AES-256 encryption at rest; TLS 1.3 in transit

Access Control

Role-based access; multi-factor authentication; audit logging

Infrastructure

Cloud providers holding a current SOC 2 Type II attestation report (SOC 2 is an independent attestation, not a certification)

Monitoring

24/7 security monitoring; intrusion detection

Backup & Recovery

Daily encrypted backups; disaster recovery plan

Personnel

Background checks; confidentiality agreements; training

5. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processor    Purpose                              Location
Vercel Inc.      Application hosting, edge functions  United States, EU
Neon             PostgreSQL database hosting          United States, EU
Stripe, Inc.     Payment processing                   United States
Resend           Transactional email delivery         United States
Sentry           Error monitoring (PII filtered)      United States, EU

The Processor shall ensure all Sub-processors are bound by data protection obligations no less protective than those in this DPA. The Processor shall notify the Controller of any changes to Sub-processors at least 30 days in advance.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access (GDPR Art. 15, LGPD Art. 18(II))
  • Right to rectification (GDPR Art. 16, LGPD Art. 18(III))
  • Right to erasure (GDPR Art. 17, LGPD Art. 18(IV) and (VI))
  • Right to data portability (GDPR Art. 20, LGPD Art. 18(V))
  • Right to restriction of processing (GDPR Art. 18)
  • Right to object (GDPR Art. 21, LGPD Art. 18 §2)

The Processor shall implement technical capabilities to enable Data Subjects to exercise these rights through Account Settings or by contacting the Controller.

7. Personal Data Breach

In the event of a Personal Data Breach:

  • The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach, so that the Controller can meet its own notification deadlines (for example, the 72-hour deadline under GDPR Art. 33(1))
  • The notification shall include: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach
  • The Processor shall cooperate with the Controller in investigating the breach
  • The Processor shall take reasonable steps to contain, investigate, and mitigate the effects of the breach

Contact for breach notification: security@dyagnosys.com

8. Audit Rights

The Controller shall have the right to audit the Processor's compliance with this DPA, upon reasonable notice (at least 30 days) and during normal business hours. The Processor shall provide reasonable assistance and access to relevant documentation, systems, and personnel. Alternatively, the Processor may provide a recent third-party audit report (SOC 2 Type II or equivalent) demonstrating compliance.

9. Data Transfer

Personal Data may be transferred to countries outside the EEA, Brazil, or UAE. The Processor shall ensure appropriate safeguards are in place:

  • EU/EEA Transfers: Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • Brazil Transfers: Standard contractual clauses or other mechanisms under LGPD Art. 33
  • UAE Transfers: Compliance with the UAE PDPL cross-border transfer requirements (Articles 22 and 23 of Federal Decree-Law No. 45 of 2021)

10. Return and Deletion of Data

Upon termination of the Service or upon request by the Controller:

  • The Processor shall return or delete all Personal Data within 30 days
  • The Processor shall provide written confirmation of deletion
  • Existing backups shall be deleted within 90 days or upon the next backup rotation cycle
  • Data required for legal compliance shall be retained in accordance with applicable law

Data export is available to Data Subjects through Account Settings in JSON or CSV format.

11. Liability and Indemnification

Each party shall be liable for damages caused by its breach of this DPA in accordance with applicable data protection law. The Processor's total liability shall not exceed the fees paid by the Controller in the 12 months preceding the claim. Nothing in this DPA shall limit liability for: (a) death or personal injury; (b) gross negligence or willful misconduct; or (c) liability that cannot be limited under applicable law.

12. Governing Law and Dispute Resolution

This DPA shall be governed by the laws of the United Arab Emirates. For Controllers in Brazil, Brazilian law may apply at the Controller's election.

Disputes shall be resolved through binding arbitration administered by the International Chamber of Commerce (ICC) under its Arbitration Rules, or in the courts of the applicable jurisdiction as agreed by the parties.

13. Changes to This DPA

The Processor may update this DPA to reflect changes in applicable law or processing activities. Material changes shall be communicated to the Controller at least 30 days in advance. Continued use of the Service after changes constitutes acceptance.

14. Contact Information

Data Protection Officer

Email: dpo@dyagnosys.com

Phone: +971 7 206 XXXX

Security & Breach Notification

Email: security@dyagnosys.com

Response: 24/7

Legal & Contracts

Email: legal@dyagnosys.com

Regional Offices

Brasília, Brazil

Ras Al Khaimah, UAE
