DATA PROCESSING AGREEMENT

Pain2Care Partner API — GDPR Article 28 compliant template
Version 1.0  ·  Effective date:                 

This Data Processing Agreement ("DPA") forms part of the Pain2Care Partner API Agreement between the parties identified below and governs the processing of personal data in connection with the Pain2Care Partner REST API ("API").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).

"Processing" means any operation performed on Personal Data as defined in GDPR Article 4(2).

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed — in this context, patients who have installed the Pain2Care application and granted consent to share data with the Controller.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"API" means the Pain2Care Partner REST API accessible at https://api.pain2care.com/v1.

2. Subject Matter and Purpose

The Processor provides the Controller with access to self-reported chronic pain, wellbeing, vitals, and AI-generated pattern analysis data via the API. The Controller accesses this data solely for the purposes specified below and only in respect of Data Subjects who have granted explicit OAuth consent.

Specified purposes (tick all that apply):

• ☐ Clinical care and treatment planning
• ☐ Occupational health monitoring
• ☐ Insurance claims assessment
• ☐ Medical research (requires separate ethics approval)
• ☐ Other:                                 

3. Requested API Scopes

The Controller requests access to the following data scopes. Only ticked scopes will be enabled on the issued API key. Granting of incidents:read additionally requires completion of Schedule A.

Grant	Scope	Data accessed	Note
☐	pain:read	Pain check-in entries — pain level, body areas, quality descriptors, timestamps
☐	wellbeing:read	Daily wellbeing scores — sleep, mood, energy, stress, activity
☐	vitals:read	Device vitals — heart rate, HRV, blood pressure, SpO2, sleep metrics (from Polar, Withings, Oura etc.)
☐	trends:read	Computed statistical summaries and correlations over time
☐	analysis:read	AI-generated (Claude) pain pattern analysis text — natural language summary of the patient's pain history
☐	reports:read	Clinic-ready PDF report combining pain history, wellbeing, vitals and AI analysis
☐	incidents:read	Incident reports — descriptions of traumatic events, injury details, GPS location, witness information	Schedule A required

Health data processed under all scopes constitutes special category data under GDPR Article 9. The Controller confirms it holds an appropriate legal basis for each ticked scope.

4. Categories of Data and Data Subjects

Categories of personal data processed:

• Pain check-in records (pain level, body areas, quality descriptors, timestamps)
• Daily wellbeing scores (sleep, mood, energy, stress, activity)
• Device vitals (heart rate, HRV, blood pressure, SpO2, sleep metrics)
• AI-generated pain pattern analysis text
• Incident reports (if incidents:read scope is granted — see Schedule A)

Note: The API does not return names, contact details, or other directly identifying information. Patient records are identified by an internal pseudonymous token.

Categories of data subjects:

Adult patients (18+) who have installed the Pain2Care application and explicitly consented to share their data with the Controller by entering the Controller's clinic token within the application.

5. Duration

This DPA is effective from the date of signing and remains in force for as long as the Controller holds active API credentials or until terminated in accordance with the Partner API Agreement, whichever is earlier.

6. Obligations of the Processor (Tech4Pioneers)

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law.
2. Ensure that persons authorised to process Personal Data have committed to confidentiality.
3. Implement appropriate technical and organisational measures as set out in Schedule B.
4. Assist the Controller in fulfilling its obligations regarding Data Subject rights (Articles 15–22 GDPR).
5. Assist the Controller with data breach notification obligations (Articles 33–34 GDPR). The Processor shall notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a Personal Data breach affecting data accessible via the API.
6. Make available all information necessary to demonstrate compliance with this DPA.
7. Delete or return all Personal Data upon termination of this DPA, at the Controller's choice, and delete existing copies unless Union or Member State law requires storage.

7. Obligations of the Controller (Partner)

The Controller shall:

1. Ensure it has a valid legal basis under GDPR for each processing purpose listed in Section 2. For health data (GDPR Article 9), this requires an explicit legal basis such as explicit consent, provision of health care, or a legitimate public interest.
2. Not use the API to access data for any Data Subject who has not granted OAuth consent through the Pain2Care application.
3. Not store Personal Data retrieved via the API for longer than necessary for the specified purposes.
4. Not share API credentials (API keys, OAuth tokens) with any third party.
5. Implement appropriate technical and organisational security measures for data received via the API, including access controls, encryption at rest, and audit logging.
6. Promptly notify the Processor if it becomes aware of a Personal Data breach involving data received via the API.
7. Honour Data Subject rights requests received directly by the Controller within the timeframes required by GDPR.
8. Immediately cease accessing a Data Subject's data upon receiving notification from the Processor that the Data Subject has revoked consent, and delete any copies of that Data Subject's data held by the Controller within 30 days of receiving such notification.
9. Not take any adverse action against a Data Subject on the grounds that they have revoked or refused consent to data sharing.

8. Sub-processors

The Controller acknowledges that the Processor uses the following sub-processors in delivering the API:

• Google Firebase / Google Cloud (EU region) — database and authentication
• Cloudflare, Inc. — API gateway and Worker runtime
• Anthropic, PBC — AI pattern analysis generation (anonymised statistical input only; no direct identifiers transmitted)

The Processor shall inform the Controller of any intended changes to sub-processors with at least 30 days notice, giving the Controller the opportunity to object.

9. International Data Transfers

Personal Data is processed within the European Economic Area (EEA) by default. Where sub-processors are located outside the EEA (e.g. Anthropic in the United States), the Processor ensures appropriate safeguards are in place pursuant to GDPR Chapter V (Standard Contractual Clauses or adequacy decision).

10. Audits and Inspections

The Controller may audit the Processor's compliance with this DPA no more than once per calendar year, upon 30 days' written notice. Audits shall be conducted during business hours, at the Controller's expense, and in a manner that does not unreasonably disrupt the Processor's operations. The Processor may satisfy the audit obligation by providing a current third-party audit report (e.g. ISO 27001 certificate or SOC 2 report).

11. Patient Rights and Consent Withdrawal

Right to withdraw consent

Each Data Subject (patient) has the right to withdraw their consent to data sharing at any time, without giving any reason, and without detriment (GDPR Article 7(3)). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

A patient may revoke the Controller's access at any time directly within the Pain2Care application. Upon revocation:

1. The Processor will disable the patient's data from being returned by the API within 24 hours.
2. The Processor will notify the Controller of the revocation by email to the contact address on file.
3. The Controller must cease all further access to that patient's data and delete any stored copies within 30 days as set out in Section 7.

Other Data Subject rights

Data Subjects also hold the following rights under GDPR, which the Controller must be able to honour for data in its possession:

• Right of access (Art. 15) — the patient may request a copy of their data held by the Controller.
• Right to rectification (Art. 16) — corrections to inaccurate data.
• Right to erasure (Art. 17) — deletion of all data held by the Controller for that patient.
• Right to data portability (Art. 20) — data provided in a machine-readable format on request.
• Right to object (Art. 21) — the patient may object to processing at any time.

The Controller shall respond to Data Subject rights requests without undue delay and within 30 days of receipt. Where the Controller cannot fulfil a request (e.g. because the data originates in Pain2Care), it shall direct the Data Subject to privacy@pain2care.com.

Patient-facing disclosure requirement

The Controller warrants that it informs patients clearly — before or at the point of collecting their clinic token — that:

• their Pain2Care data will be shared with the Controller for the purposes stated in Section 2;
• they may withdraw this consent at any time within the Pain2Care application under Settings → Linked Organisations; and
• withdrawal will not affect their access to the Controller's services.

12. Liability

Each party shall be liable for damages caused by its own breach of this DPA in accordance with GDPR Article 82. The total aggregate liability of either party under this DPA shall not exceed the fees paid by the Controller to the Processor in the twelve (12) months preceding the event giving rise to the claim.

13. Governing Law

This DPA is governed by the laws of Finland. Any disputes shall be resolved by the District Court of Helsinki as the court of first instance.

14. Signatures