Data Processing Agreement
This Agreement outlines the legal framework for how we process personal data on behalf of our professional partners and customers.
Last Updated
December 15, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Dermitri Labs Inc. ("Processor") and the entity or individual subscribing to our services ("Controller").
This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws, including the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Data Subject" means the individual to whom Personal Data relates.
- "Processing" means any operation or set of operations performed on Personal Data.
- "Sub-processor" means any third-party processor engaged by Dermitri Labs to assist in fulfilling its obligations.
3. Details of Processing
- Subject Matter: Processing of skin analysis data, images, and user profile information necessary to provide the Service.
- Duration: For the term of the Agreement plus the period required for data deletion or return.
- Nature & Purpose: Computer vision analysis, storage, retrieval, and reporting of dermatological data points.
- Categories of Data Subjects: Users of the mobile application, clinic patients, and clinic staff.
4. Roles & Responsibilities
The Controller determines the purposes and means of processing Personal Data. The Controller warrants that it has a valid legal basis (e.g., consent) for processing.
The Processor (Dermitri Labs) shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. We will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
5. Authorized Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors to carry out specific processing activities:
- Google AI Gemini (Location: USA): AI Inference & Image Analysis
- Clerk.com (Location: USA): Identity & Authentication
- Vercel Inc. (Location: USA / Global Edge): Hosting & Serverless Compute
- Cloudflare (Location: Global): Security, DNS & DDoS Protection
6. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature of processing, Dermitri Labs shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.3) and at rest (AES-256).
- Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
- Regular testing, assessing, and evaluating the effectiveness of technical measures (Penetration Testing).
- Strict access controls based on the Principle of Least Privilege.
7. Data Breach Notification
In the event of a Personal Data Breach affecting Controller data, Dermitri Labs shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach. The notification will provide sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects.
8. International Transfers
If Personal Data originating in the EEA, UK, or Switzerland is transferred to countries without an adequacy decision (such as the United States), the parties agree to abide by the Standard Contractual Clauses (SCCs) pre-approved by the European Commission, or rely on other valid transfer mechanisms such as the Data Privacy Framework.
Execute this DPA
If you require a signed copy of this DPA for your compliance records, please contact our legal team.