Data Processing Agreement
Effective: February 25, 2026
Ruana LLC
support@getruana.com

This Data Processing Agreement (“DPA”) is entered into between Ruana LLC (“Ruana”, “Processor”) and the Customer (“Controller”) who has accepted Ruana’s Terms of Service. By accepting the Terms of Service and checking the DPA acceptance box at signup, the Customer agrees to be bound by this DPA.

1. Definitions

“Controller” — the Customer who determines the purposes and means of processing Personal Data.

“Processor” — Ruana LLC, which processes Personal Data on behalf of the Controller.

“Personal Data” — any information relating to an identified or identifiable natural person under GDPR Article 4(1).

“Patient Data” — Personal Data of patients including health questionnaires, clinical notes, SOAP notes, and appointment records.

“GDPR” — Regulation (EU) 2016/679 and any applicable national implementing legislation.

“PHI” — Protected Health Information as defined under HIPAA (45 C.F.R. § 160.103).

“SCCs” — the Standard Contractual Clauses adopted by the European Commission in Implementing Decision 2021/914.

“Sub-processor” — any third party engaged by Ruana to process Personal Data in connection with the Services.

“Security Documentation” — the Ruana Security Overview at getruana.com/legal/security.

2. Scope and Purpose

This DPA applies to all Personal Data processed by Ruana on behalf of the Controller in connection with the Services. Ruana processes Personal Data only to the extent necessary to provide the Services and the Controller’s documented instructions.

3. Processor Obligations

3.1 Instructions

Ruana shall process Personal Data only on documented instructions from the Controller unless required by applicable law.

3.2 Confidentiality

Ruana shall ensure all personnel authorized to process Personal Data are subject to binding confidentiality obligations and have received appropriate data protection training.

3.3 Security

Ruana shall implement and maintain appropriate technical and organizational measures as described in the Security Documentation, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore access to Personal Data following an incident
  • Role-based access controls and multi-factor authentication
  • Audit logging of all system access and security events

3.4 Sub-processors

Ruana may engage Sub-processors. All Sub-processors are bound by obligations at least as stringent as this DPA. Ruana shall notify the Controller at least 30 days in advance of Sub-processor changes via email to the Controller’s registered account address or via in-platform notification. The current Sub-processor list is in Annex 2.

If the Controller objects to a new Sub-processor, the Controller may terminate the affected Services with written notice, and Ruana will refund any prepaid fees for the remaining term.

3.5 Data Subject Rights

Ruana shall assist the Controller in fulfilling obligations to respond to Data Subject requests and will notify the Controller promptly of any Data Subject request received directly by Ruana.

3.6 Data Protection Impact Assessments

Ruana shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) where required by applicable data protection law.

3.7 Audit Rights

Ruana shall make available information necessary to demonstrate compliance and allow for audits on at least 30 days written notice, during business hours, at the Controller’s expense.

3.8 Records

Ruana shall maintain records of processing activities as required by GDPR Article 30(2).

4. Controller Obligations

The Controller shall comply with all applicable data protection laws, including:

  • Obtaining all necessary consents from Data Subjects before entering their Personal Data into Ruana
  • Ensuring instructions to Ruana comply with applicable law
  • Implementing appropriate technical and organizational measures
  • Being solely responsible for compliance with HIPAA, GDPR, or other applicable laws

5. International Data Transfers

Ruana’s primary infrastructure is located in the United States. For Personal Data of individuals in the EEA, UK, or Switzerland, transfer to the US is governed by the SCCs adopted in Implementing Decision 2021/914, incorporated into this DPA by reference and set out in Annex 3. The parties agree the SCCs are deemed executed and form part of this DPA without further signature.

Module 2 (Controller to Processor) applies where the Controller is a data controller. Module 3 (Processor to Processor) applies where the Controller acts as processor on behalf of a third-party controller.

6. HIPAA Business Associate Obligations

For Controllers who are Covered Entities or Business Associates under HIPAA, a separate Business Associate Agreement (BAA) is required before any PHI may be processed. PHI may only be processed after the BAA has been executed or electronically accepted. Under the BAA, Ruana's obligations include:

  • Using and disclosing PHI only as permitted by the BAA and applicable law
  • Implementing appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Reporting any Security Incident or Breach involving PHI as required by HIPAA

7. Data Breach Notification

In the event of a Personal Data breach, Ruana shall:

  • Notify the Controller without undue delay and within 72 hours where required by GDPR Article 33
  • Provide all available information about the breach
  • Take all commercially reasonable steps to contain and mitigate the breach
  • Cooperate fully with the Controller in meeting notification obligations

8. Data Retention and Deletion
Upon termination of the Services:

  • Controller may request a data export within 90 days of termination
  • After 90 days, Ruana will permanently delete Personal Data from live systems
  • Backup copies may persist for up to 35 additional days before permanent deletion
  • Ruana may retain data where required by applicable law

9. Liability

The limitations on liability in the Terms of Service apply to all claims under this DPA. Ruana shall be liable for breaches caused by its own acts or omissions and for acts of Sub-processors to the same extent as if Ruana had performed the processing directly.

10. Term and Termination

This DPA commences on the date the Controller accepts the Terms of Service and terminates automatically upon termination of the Terms of Service.

11. General

This DPA constitutes the entire agreement on processing of Personal Data. In the event of conflict between this DPA and the Terms of Service on data protection matters, this DPA shall prevail.

12. Contact

support@getruana.com
Ruana LLC | 548 Market St #228047 | San Francisco, CA 94104 | USA

Annex 1 — Details of Processing

Subject Matter

Provision of practice management software including scheduling, patient records, billing, and related features.

Duration

For the duration of the Controller’s subscription.

Nature and Purpose

  • Storing and managing practitioner and patient records
  • Facilitating appointment scheduling and reminders
  • Processing billing and payment information
  • Sending transactional communications (email and SMS)
  • Providing customer support

Categories of Personal Data

Practitioner/Staff: name, email, contact details, login credentials, billing information, professional information.

Patient: name, email, contact details, health questionnaires, SOAP notes, appointment history, insurance details.

Categories of Data Subjects

  • Practitioners and clinic administrators
  • Practice staff and assistants
  • Patients of the practitioner or clinic

Annex 2 — Sub-processors

Sub-processor: purpose; location; notes.

  • Amazon Web Services (AWS): cloud hosting, database, file storage; United States
  • Stripe: payment processing; United States; DPA in place
  • Twilio: SMS delivery; United States
  • Mandrill (Mailchimp): transactional email; United States; DPA in place
  • Featurebase: customer support and product feedback; EU (Netherlands & Germany)
  • Google Analytics: website analytics (getruana.com only); United States; consent-gated
  • Meta (Facebook) Pixel: advertising analytics (getruana.com only); United States; consent-gated

Annex 3 — Standard Contractual Clauses

For transfers of Personal Data from the EEA, UK, or Switzerland to Ruana in the United States, the SCCs adopted by the European Commission in Implementing Decision 2021/914 apply and are incorporated herein by reference. The parties agree the SCCs are deemed executed and form part of this DPA without further signature.

Full text: eur-lex.europa.eu

  • Data exporter: The Controller (as identified in the Ruana account)
  • Data importer: Ruana LLC, 548 Market St #228047, San Francisco, CA 94104, USA
  • Data subjects and categories: As described in Annex 1
  • Supervisory authority: Determined by the Controller’s EEA establishment