Data Processing Agreement

This Data Processing Agreement (“DPA”) applies when attest processes personal data on behalf of a customer in connection with the attest website, applications, APIs, and clinical AI services. The customer is the controller or business, and attest is the processor or service provider, except where attest independently determines the purposes and means of processing for account administration, security, billing, and compliance.

attest processes personal data only to provide, secure, maintain, support, and improve the Service; to comply with law; and as otherwise documented in the customer's order form, Terms of Service, Privacy Policy, or written instructions. attest will promptly inform the customer if an instruction appears unlawful or materially conflicts with the Service's security obligations.

• User account data, including name, email address, role, organization, specialty, authentication records, and settings.
• Usage and device data, including log events, feature usage, approximate location from IP address, browser metadata, and security telemetry.
• Customer content, including uploaded files, prompts, messages, transcripts, generated notes, and other content submitted to the Service.
• Patient or clinical data only where submitted by authorized users and governed by the applicable BAA or customer agreement.

attest restricts personnel access to personal data to authorized team members and service providers who need it to operate, secure, or support the Service. Personnel with access are bound by confidentiality obligations and, where applicable, healthcare privacy and security training.

• Encryption in transit using TLS and encryption at rest for production data stores.
• Role-based access controls, least-privilege internal access, and row-level database access controls.
• Audit logging for sensitive administrative and PHI-related events.
• Secure development practices, dependency review, vulnerability monitoring, and incident-response procedures.
• Logical separation of customer data and backups with defined retention and disposal procedures.

attest uses subprocessors for hosting, database operations, authentication, email, billing, analytics, security, and support operations. Subprocessors are required to protect personal data under written obligations at least as protective as this DPA. A current list is available by request at contact@attest.health.

attest primarily processes and stores Service data in the United States. Where international transfer safeguards are required, attest will use appropriate transfer mechanisms, such as Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful mechanism approved for the relevant jurisdiction.

attest will reasonably assist customers in responding to data-subject requests, security questionnaires, audits, impact assessments, and regulatory inquiries related to the Service. Patients whose PHI is processed through a covered entity should direct HIPAA access, amendment, or disclosure-accounting requests to that covered entity.

attest will notify affected customers without undue delay after confirming a security incident involving personal data processed on their behalf. Notices will describe the nature of the incident, categories of data affected, likely consequences where known, mitigation steps, and customer actions reasonably recommended by attest.

Upon termination or verified deletion request, attest will delete or return customer personal data according to the customer agreement, except where retention is required by law, security obligations, audit logs, backups, or legitimate dispute-resolution needs. Backup deletion follows attest's normal backup lifecycle.

Questions about this DPA, BAA requests, and privacy documentation should be sent to contact@attest.health.