Data Processing Agreement

Version 2026-04-12 · This agreement is incorporated into Vita Wallet's Terms of Service. It applies to healthcare businesses using Vita's secure result delivery platform and governs the processing of patient personal data on the business's behalf.

This is a working draft prepared for Cyprus launch planning against GDPR and Cyprus Law 125(I)/2018. It must be reviewed and approved by Cyprus counsel before use with real patient data.

Parties

This Data Processing Agreement ("DPA") forms part of the agreement between:

  • Controller: the clinic, laboratory, or healthcare organisation registering for Vita Wallet (the "Business")
  • Processor: Vita Wallet, the operator of vitawallet.eu

This DPA applies where the Business uses Vita's platform to upload and send patient documents via secure links to patients.

1. Definitions

Applicable Data Protection Law means Regulation (EU) 2016/679 (GDPR), Cyprus Law 125(I)/2018, and any other applicable Cyprus or EU data protection laws.

Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach, and Supervisory Authority have the meanings given in the GDPR.

Services means Vita's secure health-result delivery platform.

2. Scope and Role Allocation

The Business appoints Vita as Processor to process Personal Data solely for the purpose of providing the Services.

The Business determines the purposes of processing patient documents and recipient details for the delivery flow.

Vita shall process Personal Data only on documented instructions from the Business, unless required otherwise by applicable law.

This DPA applies to the business delivery workflow only. It does not govern Vita's separate patient wallet relationship.

3. Subject Matter, Duration, and Purpose

Subject matter: secure intake, storage, transmission, controlled access, and audit logging of patient documents uploaded by the Business.

Duration: from account creation until termination of the Services, plus any limited post-termination retention period required by law or agreed deletion procedures.

Purpose: enabling the Business to deliver medical documents to its patients using Vita's platform.

4. Categories of Data and Data Subjects

Data Subjects: patients and authorised staff users of the Business.

Personal Data may include: patient name and patient email address (held only during transmission — deleted after successful delivery; a one-way hash of the email is retained for lookup), document metadata (test type, test date, doctor name), medical documents (lab results, radiology reports, prescriptions), access log data (timestamp, hashed IP, user-agent), and business user account data.

Special categories: health data under GDPR Article 9.

5. Business Obligations

The Business shall:

  • ensure it has a valid legal basis for processing and transmitting patient data to Vita
  • provide any legally required notices to patients regarding use of Vita where applicable
  • ensure Personal Data uploaded to Vita is accurate and limited to what is necessary
  • communicate any retention rules that differ from Vita's standard retention schedule
  • respond to data subject requests where the Business is legally responsible

6. Vita's Obligations as Processor

Vita shall:

  • process Personal Data only on documented instructions from the Business
  • ensure persons authorised to process Personal Data are bound by confidentiality
  • implement appropriate technical and organisational security measures under GDPR Article 32
  • assist the Business with data subject requests and breach notification obligations
  • notify the Business without undue delay after becoming aware of a Personal Data Breach affecting Business data
  • delete or return Personal Data at end of service, unless retention is required by law

7. Security Measures

Vita maintains security measures appropriate to the risk, including:

  • private file storage buckets — documents are never publicly accessible
  • short-lived signed URLs for document access (5-minute TTL)
  • encryption in transit (TLS) and at rest
  • row-level security and role-based access controls
  • opaque token URLs — nothing in the URL reveals patient identity or document type
  • IP addresses hashed (SHA-256) before storage — never stored in raw form
  • patient name and email deleted from delivery records immediately after successful send — only a one-way cryptographic hash is retained
  • access and security event logging

8. Sub-Processors

The Business authorises Vita to use the following sub-processors:

Sub-processor | Service                      | Region
Supabase      | Database and file storage    | EU (Frankfurt)
Vercel        | Application hosting          | EU region
Resend        | Transactional email delivery | EU infrastructure

Vita will notify the Business of intended additions or replacements of sub-processors through the service terms or customer notice.

9. International Transfers

Vita shall not transfer Personal Data outside the EEA except where permitted under Applicable Data Protection Law and an appropriate transfer mechanism is in place (adequacy decision, valid certification framework, or Standard Contractual Clauses).

10. Data Subject Requests

Where Vita receives a request from a data subject relating to Business data, Vita shall promptly notify the Business and shall not respond directly except on the Business's documented instructions or where required by law. Vita shall provide reasonable assistance to help the Business meet its obligations under Articles 12 to 23 GDPR.

11. Personal Data Breach

Vita shall notify the Business without undue delay after becoming aware of a Personal Data Breach affecting Business data, including: nature of the incident, categories of data affected, likely consequences, and measures taken or proposed.

The Business remains responsible for deciding whether notification to the Cyprus Commissioner or affected data subjects is required.

12. Deletion and Return

Upon termination of the Services, Vita shall, at the Business's choice and subject to applicable law, delete or return Business Personal Data and delete existing copies. Vita may retain limited data where required by law, for security investigations, billing disputes, or legal claims.

13. Governing Law

This DPA shall be governed by EU data protection law and the laws of Cyprus, subject to mandatory provisions of GDPR and Cyprus Law 125(I)/2018.

DPA version: 2026-04-12 · By accepting this DPA at registration, the Business confirms that the person completing registration is authorised to accept these terms on behalf of the organisation.