Data Processing Agreement (DPA)
Last Updated: January 4, 2026
This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement or Terms of Service (the “Agreement”) between Psynth, Inc. (“Psynth”, “Processor”) and the customer entity signatory to the Agreement (“Customer”, “Controller”).
1. Scope, Roles, and Shared Responsibility
- 1.1 Roles: Customer acts as a Data Controller. Psynth acts as a Data Processor regarding Patient Data and as a Business Associate under HIPAA.
- 1.2 Shared Responsibility Model: Psynth is responsible for the security and integrity of the Platform infrastructure and the managed services it provides. Customer is responsible for its secure use of the Platform, including the protection of account credentials (e.g., strong passwords), the lawful basis for data collection, and the configuration of any Customer-controlled settings.
- 1.3 Bifurcation of Data: Psynth acts as a Processor for Patient PII/PHI. Psynth acts as a Controller for Psychologist PII used for account management and marketing.
2. Processing and Instructions
- 2.1 Documented Instructions: Psynth shall process Personal Data only on documented instructions from Customer.
- 2.2 Infringing Instructions: Psynth shall immediately notify Customer if an instruction, in its opinion, infringes the GDPR, UK GDPR, or other applicable Union or Member State data protection provisions.
3. Security and Breach Notification
- 3.1 Technical Measures: Psynth implements measures including AES-256 encryption at rest, TLS 1.3 in transit, and enforced Multi-Factor Authentication (MFA).
- 3.2 Compliance: Psynth maintains an information security program consistent with SOC 2 Type 2 and ISO 27001 standards.
- 3.3 Breach Notification: Psynth shall notify Customer of any Personal Data Breach or HIPAA Security Incident within 72 hours of discovery.
4. Government Request Transparency (Schrems II)
- 4.1 Redirection: If Psynth receives a legally binding request from a public authority (e.g., law enforcement or government agency) for access to Customer Data, Psynth will attempt to redirect the authority to the Customer.
- 4.2 Notification: Unless legally prohibited, Psynth will notify Customer of any such demand to allow Customer to seek a protective order.
- 4.3 Challenging Requests: Psynth agrees to review and challenge any demand for Customer Data that is over-broad or unlawful under applicable law, particularly where such a demand conflicts with EU or UK data protection obligations.
5. Sub-processors
- 5.1 Authorization: Customer grants general authorization for the sub-processors listed in Annex II.
- 5.2 Notice and Objection: Psynth shall provide 30 days’ notice of any change to sub-processors. Customer has 15 days to object via support@psynth.ai. If an objection cannot be resolved, Customer may terminate the Agreement.
6. International Transfers
- 6.1 Data Residency: All Patient Data originating from the EEA or UK is stored on infrastructure located within the European Union (AWS EU Regions).
- 6.2 Transfer Mechanism: For any cross-border transfers, the EU Standard Contractual Clauses (Module 2) and the UK IDTA Addendum are incorporated herein by reference.
7. Audits and Compliance Assistance
- 7.1 Audit Reports: Customer’s right to audit is primarily satisfied by Psynth providing its Security Packet, consisting of its most recent SOC 2 Type 2 and ISO 27001 audit reports.
- 7.2 On-Site Audits: If the Security Packet is insufficient to demonstrate compliance, Customer may conduct a focused audit. Such audits must be:
  - requested with reasonable notice;
  - conducted during business hours;
  - subject to a strict Non-Disclosure Agreement (NDA); and
  - performed at the Customer’s sole expense.
8. Deletion and Return
- 8.1 Post-Termination Deletion: Psynth shall automatically and permanently delete all Patient Data (PII/PHI) within 90 days of contract termination, unless retention is required by law.
- 8.2 Verification: Written certification of deletion is available to the Customer upon request.
9. Liability and Law
- 9.1 Liability Cap: Total liability under this DPA is limited to 12 months of fees paid, subject to the limitations in the governing agreement.
- 9.2 Governing Law: This DPA is governed by the laws of Ireland.
Annex I: Details of Processing
- Subject Matter: SaaS psychological reporting platform.
- Data Subjects: Licensed psychologists and their patients (including minors).
- Data Categories: Special category health data, assessment results, clinical notes, and identifying PII.
Annex II: Authorized Sub-processors
| Service Provider | Legal Entity | Function |
|---|---|---|
| Cloud Hosting | Amazon Web Services EMEA SARL | Primary Hosting (EU Region) |
| Database | MongoDB, Inc. | Managed Database Services |
| AI Synthesis | Anthropic, PBC / OpenAI, L.L.C. | AI Model Processing |
| Analytics | PostHog, Inc. | Product Usage Analytics |
| Error Tracking | Functional Software, Inc. (Sentry) | Stability Monitoring |
Privacy Contact: Stephen Stearman, CEO
Email: support@psynth.ai
