Data Processing Agreement
Last updated: February 2026
This document should be reviewed by legal counsel before reliance.
This Data Processing Agreement (“DPA”) forms part of the agreement between the therapist (“Controller”) and HypnoVox (“Processor”) for the provision of the HypnoVox platform. This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
- Controller — the therapist or therapy practice that determines the purposes and means of processing personal data. Each therapist who creates an account on HypnoVox acts as an independent data controller for their clients’ data.
- Processor — HypnoVox, the entity that processes personal data on behalf of the Controller through the provision of the platform.
- Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the UK GDPR.
- Special Category Data — personal data revealing health information, as defined in Article 9 of the UK GDPR. Audio recordings of therapy sessions and associated session notes constitute health data and are treated as special category data.
- Sub-processor — any third party engaged by the Processor to process personal data on behalf of the Controller.
- Data Subject — the client whose personal data is processed through the platform.
2. Scope and Purpose of Processing
The Processor provides the HypnoVox platform, which enables therapists to record, store, manage, and securely share audio recordings of therapy sessions with their clients. The purpose of processing is solely to provide the platform’s functionality as instructed by the Controller.
The Processor shall process personal data only to the extent necessary to deliver the services described in the main agreement and this DPA. Processing shall continue for the duration of the Controller’s use of the platform.
3. Categories of Data Processed
3.1 Client Personal Data
Full name, email address, and any additional contact information provided by the Controller when creating client records.
3.2 Audio Recordings (Special Category Data)
Audio recordings of therapy sessions, which by their nature contain health-related information and are classified as special category data under Article 9 of the UK GDPR.
3.3 Session Metadata
Recording titles, descriptions, session notes, recording duration, creation dates, and sharing status.
3.4 Data Subjects
The data subjects are the clients of the Controller — individuals receiving hypnotherapy services.
4. Controller’s Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection provisions.
The Controller’s instructions are documented in this DPA and the main service agreement. Use of the platform’s features (e.g. creating clients, recording sessions, sharing recordings) constitutes documented instructions.
5. Confidentiality
The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA.
The Processor shall not disclose personal data to any third party except as permitted by this DPA, the main agreement, or as required by law. Where disclosure is required by law, the Processor shall notify the Controller in advance where legally permitted to do so.
6. Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR. These measures include:
- Encryption in transit — all data transmitted between the client browser, the platform, and storage infrastructure is encrypted using TLS 1.2 or higher.
- Encryption at rest — all personal data and audio recordings stored in the database and file storage are encrypted at rest using AES-256 encryption.
- Row-Level Security (RLS) — database-level access controls ensure that each therapist can only access their own clients’ data. No therapist can view, modify, or delete another therapist’s data.
- Access controls — authentication is required for all platform access. Shared recordings are protected by time-limited, unique, unguessable tokens.
- Audit logging — the platform maintains logs of data access and processing activities.
- Regular testing — the Processor shall regularly test, assess, and evaluate the effectiveness of the technical and organisational measures.
7. Sub-processor Management
The Controller provides general written authorisation for the Processor to engage sub-processors. The current list of sub-processors is maintained at hypnovox.app/subprocessors.
The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of sub-processors, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds, the parties shall discuss the concern in good faith with a view to achieving a commercially reasonable resolution.
The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, ensuring in particular that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures.
The Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.
8. Data Subject Rights Assistance
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the UK GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
The platform provides the Controller with self-service tools to access, export, and delete client data and recordings. Where additional assistance is required, the Controller may contact the Processor at privacy@hypnovox.app.
If a data subject contacts the Processor directly, the Processor shall promptly redirect the request to the relevant Controller.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 24 hours after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
The Controller is responsible for notifying the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach, where required under Article 33 of the UK GDPR. The Controller is also responsible for notifying affected data subjects where required under Article 34.
The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each breach.
10. Data Protection Impact Assessment
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with the ICO or other supervisory authority, as required under Articles 35 and 36 of the UK GDPR, taking into account the nature of the processing and the information available to the Processor.
Given that the platform processes special category data (health data in the form of therapy session recordings), the Controller should consider whether a DPIA is required for their use of the platform.
11. Data Deletion and Return
Upon termination of the service agreement, or at the Controller’s request at any time, the Processor shall at the choice of the Controller:
- Return all personal data to the Controller in a commonly used, machine-readable format; and/or
- Delete all personal data and existing copies, unless applicable law requires retention.
The Processor shall complete deletion within 30 days of the request or termination, and shall provide written confirmation of deletion upon request. This includes deletion from active systems, backups, and sub-processor systems.
12. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The Controller shall give the Processor reasonable notice of any audit (not less than 30 days) and shall ensure that audits are conducted during normal business hours, with minimal disruption to the Processor’s operations. Audits shall be limited to once per year unless a data breach has occurred or a supervisory authority requires additional audits.
13. Liability
Each party shall be liable for damage caused by processing that infringes the UK GDPR in accordance with Articles 82 and 83. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under the UK GDPR or where it has acted outside or contrary to the lawful instructions of the Controller.
Nothing in this DPA limits or excludes either party’s liability for fraud, death or personal injury caused by negligence, or any liability that cannot be limited or excluded by law.
14. Term and Termination
This DPA shall come into effect upon the Controller’s registration for the HypnoVox platform and shall remain in force for as long as the Processor processes personal data on behalf of the Controller.
The obligations of the Processor under this DPA with respect to confidentiality, data deletion, and cooperation with the Controller shall survive termination of this DPA.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
Contact
For questions about this Data Processing Agreement, contact us at privacy@hypnovox.app.