Data Processing Agreement
Last updated: April 22, 2026
1. Scope and Roles
This DPA applies where BioRegenEx processes Personal Data on Customer’s behalf in connection with the Service. With respect to such Personal Data, Customer is the Controller and BioRegenEx is the Processor (as those terms are used in applicable data protection laws, including the GDPR and equivalent U.S. state laws).
2. Subject Matter and Duration
Subject matter: processing of Personal Data necessary to provide the Service.
Duration: for the term of the underlying subscription, plus any retention period required by law or set out in the Privacy Policy.
Nature and purpose: hosting, storage, transmission, regulatory analysis, and delivery of analytical output as instructed by Customer through ordinary use of the Service.
3. Categories of Data Subjects and Personal Data
Data subjects: Customer’s personnel (admins, end users), and individuals identifiable in content Customer submits to the Service.
Categories of Personal Data: contact details (name, email, organization, role), authentication identifiers, billing information processed by Stripe, IP and device information, content submitted by Customer for analysis, and resulting analytical output.
Customer agrees not to submit special categories of Personal Data (such as health information identifying specific patients, or government-issued identifiers) to the Service unless expressly agreed in a separate Business Associate Agreement or written addendum.
4. BioRegenEx Obligations
BioRegenEx will: (a) process Personal Data only on Customer’s documented instructions, including as set out in the Service’s normal operation; (b) ensure persons authorized to process Personal Data are subject to confidentiality obligations; (c) implement appropriate technical and organizational security measures (Section 6); (d) assist Customer with data subject requests where reasonable; (e) make available information necessary to demonstrate compliance with this DPA; and (f) notify Customer without undue delay of any Personal Data Breach (Section 7).
5. Subprocessors
Customer authorizes BioRegenEx to engage the following subprocessors to provide the Service:
- Stripe, Inc. — payment and subscription processing.
- Supabase, Inc. — database, authentication, and file storage.
- Vercel Inc. — web hosting, edge functions, analytics.
- Resend, Inc. — transactional email delivery.
- AI model providers (Anthropic and others) — analytical processing of content submitted to the scanner and Claim Clearance features.
BioRegenEx imposes data protection obligations on each subprocessor that are no less protective than this DPA. BioRegenEx will give Customer reasonable advance notice of any new subprocessor; Customer may object on reasonable data-protection grounds.
6. Security Measures
BioRegenEx maintains a security program that includes: (a) encryption in transit (TLS 1.2+); (b) encryption at rest for stored Personal Data; (c) role-based access controls and least-privilege principles; (d) audit logging of administrative actions; (e) regular review of subprocessors’ security postures; (f) workforce confidentiality and security training; (g) incident response procedures; and (h) timely application of security patches and updates.
7. Personal Data Breach Notification
BioRegenEx will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification will include the information reasonably available about the nature and scope of the Breach and the steps BioRegenEx is taking in response.
8. International Transfers
The Service is hosted in the United States. Where BioRegenEx transfers Personal Data subject to GDPR or equivalent laws outside the EEA, UK, or Switzerland, the parties rely on the Standard Contractual Clauses (Module Two: Controller to Processor) or an equivalent lawful transfer mechanism, which are incorporated by reference.
9. Data Subject Requests
BioRegenEx will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer’s obligation to respond to data subject requests under applicable law.
10. Audit Rights
BioRegenEx will make available to Customer information necessary to demonstrate compliance with this DPA. Where Customer reasonably requires further information, the parties will discuss appropriate audit arrangements (typically: a written questionnaire, an existing third-party audit report, or a mutually scheduled audit subject to confidentiality).
11. Deletion or Return of Personal Data
On termination of the underlying subscription, BioRegenEx will, at Customer’s choice, delete or return all Personal Data processed on Customer’s behalf, except where retention is required by applicable law. Backups containing residual data are deleted in accordance with our standard backup rotation.
12. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.
13. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service with respect to Personal Data processing, this DPA controls.
14. Contact
To request a counter-signed DPA, raise a data protection question, or report a security concern, email info@biointelscan.com.
BioRegenEx Medical Technology · Texas, USA
