Data Processing Agreement (DPA)
Last Updated: November 25, 2024
Purpose
This Data Processing Agreement (DPA) governs the processing of personal and sensitive data on behalf of the Client (Data Controller) by Plavo LLC (Data Processor) as part of the Service.
Definitions
- Personal Data: Any information related to an identifiable individual.
- Processing: Any operation performed on data, including storage, retrieval, or deletion.
- Subprocessors: Third parties engaged by the Processor to assist in providing the Service.
Roles and Responsibilities
- Data Controller: The Client determines the purpose and means of processing data.
- Data Processor: The Company processes data solely as instructed by the Client.
Data Processing
- Data is processed to deliver the agreed-upon Service, including storage, organization, and secure sharing of documents.
- All data is encrypted both in transit and at rest.
HIPAA-Specific Clauses
- Business Associate Agreement (BAA) Requirements: Plavo LLC ensures compliance with HIPAA obligations, including the implementation of administrative, physical, and technical safeguards to protect Protected Health Information (PHI).
- Encryption Standards: PHI is encrypted in transit and at rest using AES-256 encryption protocols to prevent unauthorized access or disclosure.
Subprocessor Management
- Subprocessor Transparency: Plavo LLC utilizes subprocessors, including DigitalOcean and Stripe, for data storage and payment processing.
- Clients are notified of subprocessor updates via email or website announcements.
Security Measures
The Processor will implement:
- Encryption: Data encrypted at rest and in transit.
- Access Controls: Secure, role-based access to sensitive data.
- Regular Security Audits: Continuous monitoring and periodic audits to ensure system integrity.
Breach Notification
In the event of a data breach:
- Plavo LLC will notify clients within 30 calendar days.
- Notifications will include details of the breach, impacted data, and mitigation steps.
- Communication will be made via the platform and email.
Data Retention and Deletion
- Retention Policy: Client data will be deleted within 30 days of contract termination.
- Deletion Requests: The Client may request specific data deletions during the contract period.
Compliance
- The Processor ensures compliance with HIPAA, FIPA, and other applicable laws.
- The Client is responsible for fulfilling its obligations as a Data Controller.
Liabilities
- The Processor is liable for breaches caused by negligence or non-compliance.
- The Client indemnifies the Processor for claims arising from misuse of the Service.
Governing Law
This agreement is governed by the laws of the State of Florida.
Termination
This agreement terminates upon the termination of the primary service contract.