Data Processing Addendum (DPA)
Last updated: July 13, 2026
This Data Processing Addendum ("DPA") supplements the Terms and Conditions or other principal agreement ("Agreement") between ARCA VISION LABS LLC, located in Austin, Texas 78748 ("Processor") and the healthcare clinic, provider, or entity executing this DPA ("Controller").
1. Definitions
- "Applicable Data Protection Law":
- means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and any applicable national implementing legislation.
- "Personal Data":
- means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller through the Oye Scribe application.
- "Special Category Data":
- means personal data revealing health, medical conditions, or clinical treatments as defined under Article 9 of the GDPR.
- "Data Subject":
- means the individual to whom the Personal Data relates (e.g., patients of the Controller).
2. Scope and Details of Processing
- Subject Matter:
- The provision of the Oye Scribe ambient clinical documentation tool.
- Duration:
- The duration of the Agreement plus the period until all Personal Data — whether processed locally on Controller-managed devices or held off-device by Processor — is deleted or returned to Controller.
- Nature and Purpose:
- To process ambient audio locally on Controller-managed devices and generate automated text transcripts and clinical summaries to assist Controller in maintaining electronic health records.
- Categories of Data Subjects:
- Patients, clinicians, and clinic staff members.
- Categories of Personal Data:
- Administrative user details, clinical audio recordings (processed locally on-device), text transcripts, and medical summaries (Special Category Data).
3. Obligations of the Processor
Processor agrees to:
- Instructions:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EEA or UK, unless required to do so by applicable statutory law.
- Confidentiality:
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security Measures:
- Implement technical and organizational measures to ensure a level of security appropriate to the risk, compliant with Article 32 of the GDPR, including encryption at rest and in transit.
- Subprocessors:
- Not engage another processor (Subprocessor) without prior specific or general written authorization of the Controller. Processor remains fully liable to Controller for the performance of Subprocessors' obligations.
- Data Subject Rights:
- Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subjects' rights.
- Personal Data Breach:
- Notify the Controller without undue delay (and in no event later than 48 hours) after becoming aware of a personal data breach affecting data processed via Processor's infrastructure.
4. Offline-First Architecture & Shared Accountability
- Local Controls:
- Controller acknowledges that Oye Scribe operates primarily as an offline-first application. Primary processing, storage of active session records, and audio encoding occur locally on hardware managed by Controller.
- Controller Retention Responsibility:
- Deletion, export, and secure purge cycles executed locally on individual devices are the sole operational responsibility of Controller. Processor is not responsible for securing data stored unencrypted on hardware lost or compromised due to Controller's negligence.
5. International Data Transfers
Given Oye Scribe's offline-first design, transfers of Personal Data to Processor are limited. To the extent that processing involves a transfer of Personal Data from the EEA or UK to countries outside those areas that do not ensure an adequate level of data protection, the parties agree to rely on standard contractual clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office, which are hereby incorporated by reference into this DPA.
6. Return and Deletion of Data
Because Personal Data (including PHI) is processed and stored locally on Controller-managed devices, Processor does not maintain a cloud repository of such data to return or delete on Controller's behalf; deletion of on-device data is performed by Controller. To the extent Processor holds any Personal Data off-device (for example, account data or de-identified text transmitted for optional processing), Processor shall, upon termination of the Agreement or upon Controller's explicit request, and at the choice of the Controller, securely delete or return that Personal Data, unless applicable statutory law requires its retention.