Sylora Data Processing Addendum (Including Business Associate Agreement)

This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other master agreement between Sylora, Inc. (“Sylora” or “Processor”) and the customer (the healthcare provider entity using Sylora's services, referred to as “Customer” or “Controller” and, under HIPAA, as the “Covered Entity”). This DPA is effective as of the Customer's acceptance of the Terms of Service or execution of an Order Form with Sylora, and is intended to ensure compliance with applicable data protection laws, including HIPAA and relevant U.S. privacy laws. Insofar as Sylora will be processing protected health information or other personal data on behalf of Customer, the parties agree to the following terms:

1. Definitions

1.1. “Protected Health Information” or “PHI”

– has the same meaning as in 45 C.F.R. § 160.103, limited to the information Sylora receives, creates, maintains, or transmits on behalf of Customer through the Service. PHI generally includes individually identifiable health information that is transmitted or maintained in any form or medium, but for the purposes of this DPA, it refers to such information that is electronically maintained or transmitted (ePHI) unless otherwise specified.

1.2. “Business Associate”

– has the meaning given to it under HIPAA (45 C.F.R. § 160.103). In this DPA, Sylora is the Business Associate to Customer (who is a Covered Entity) when processing PHI on Customer's behalf.

1.3. “Covered Entity”

– has the meaning given at 45 C.F.R. § 160.103. For this DPA, Customer is the Covered Entity (e.g., a healthcare provider or clinic) that has engaged Sylora to perform services involving PHI.

1.4. “HIPAA”

– refers to the Health Insurance Portability and Accountability Act of 1996, and the regulations promulgated thereunder, including the Privacy Rule, Security Rule, Breach Notification Rule, and the HITECH Act amendments, as each may be amended from time to time.

1.5. “Personal Data”

– means any information that identifies, relates to, describes, or is reasonably capable of being associated with an individual person or household, and is subject to protection under applicable privacy or data protection laws. This includes, but is not limited to, “personal information” as defined under the California Consumer Privacy Act (CCPA) and its amendments, to the extent applicable. For clarity, Personal Data includes PHI where PHI is concerned, but also covers other personal information Customer may provide (e.g., contact details of Customer's staff).

1.6. “Services”

– means the voice-first AI scribing platform and any related services provided by Sylora to Customer, as described in the Agreement. In the context of this DPA, it is the service during which Sylora might process Personal Data or PHI on behalf of Customer.

1.7. Other definitions:

Terms like “Breach,” “Designated Record Set,” “Individual,” “Minimum Necessary,” “Required by Law,” and “Unsecured PHI” have the same meaning as in the HIPAA regulations. “Subprocessor” means any subcontractor engaged by Sylora who will have access to or process PHI or Personal Data on behalf of Sylora in providing the Services.

2. Relationship of the Parties

2.1. Roles:

For purposes of data protection and privacy law, Customer is the Controller (or “Covered Entity” under HIPAA) with respect to the Personal Data and PHI that it provides to Sylora for processing. Sylora is acting as a Processor (or “Business Associate” under HIPAA) for and on behalf of Customer. Sylora shall process Personal Data and PHI only as a service provider to Customer, and only for the purposes of providing the Services in accordance with the Agreement and this DPA.

2.2. Customer's Control:

Customer remains the data controller/owner of Personal Data and PHI. As such, Customer is responsible for determining the legality of the data processing, obtaining any necessary consents or authorizations (for example, patient authorizations if required for certain uses), and ensuring that instructions given to Sylora are lawful. Customer shall not direct Sylora to process any data in a manner that would violate applicable law. Sylora will inform Customer if, in its opinion, an instruction infringes applicable data protection law, but Sylora is not responsible for performing legal research for Customer.

2.3. Business Associate Agreement:

This DPA is intended to satisfy the requirement for a Business Associate Agreement under 45 C.F.R. § 164.502(e) and § 164.504(e), and reflects the parties' understanding of their obligations under HIPAA. In the event of any conflict between a provision of this DPA and the HIPAA regulations, the HIPAA regulations shall control. The parties agree that any PHI Sylora receives from Customer, or creates or receives on behalf of Customer, is received or created in Sylora's capacity as a Business Associate.

2.4. Service Provider (CCPA):

The parties also acknowledge that Sylora's handling of Personal Data may be subject to certain U.S. state privacy laws. To the extent the California Consumer Privacy Act (CCPA) and its amendments apply:

  • Sylora is a “Service Provider” to Customer, and Customer is a “Business.”
  • Sylora shall not (i) sell or share Personal Data (as “sell” and “share” are defined in the CCPA), (ii) retain, use, or disclose the Personal Data for any purpose other than providing the Services and as permitted by the Agreement, (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between Sylora and Customer, or (iv) combine Personal Data received from Customer with personal information received from other sources, except as permitted under CCPA (such as for business purposes of performing the contract, or for certain internal purposes like detecting security incidents, etc.). Sylora certifies it understands these restrictions and will comply with them.
  • If any other state laws (e.g., Virginia CDPA, Colorado Privacy Act, etc.) apply to the Personal Data, Sylora agrees to cooperate in good faith to comply with any analogous requirements (such as a contractually required prohibition on selling data or additional individual rights assistance).

3. Permitted Uses and Disclosures by Sylora (Processor Obligations)

3.1. Performance of Services:

Sylora is permitted to use and disclose Personal Data and PHI solely for the purpose of providing the Services to Customer in accordance with the Agreement and Customer's instructions. This may include processing PHI to transcribe notes, generate documentation, and perform analytics as part of the Service functionality. Sylora shall not use or disclose PHI except as allowed by this DPA or as Required by Law.

3.2. Prohibited Uses:

Sylora will not use or disclose PHI in a manner that would violate the HIPAA Privacy Rule if done by Customer (Covered Entity). In particular, Sylora will not:

  • Use PHI for any of its own marketing or advertising purposes.
  • Sell PHI or use or disclose PHI for purposes other than those permitted here. Sylora will apply the HIPAA “minimum necessary” standard to its use and disclosure of PHI, limiting such use or disclosure to the minimum PHI necessary to accomplish the intended purpose.
  • Use or disclose Personal Data outside the scope of Customer's instructions or this DPA. Sylora does not have any independent rights to the data and will not attempt to re-identify de-identified data without authorization.

3.3. Internal Management and Legal Responsibilities:

Notwithstanding the foregoing, Sylora is permitted to use and disclose PHI for its proper management and administration or to fulfill any of its legal responsibilities, provided that: (a) any disclosure for such purposes is Required by Law, or (b) Sylora obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially and used or further disclosed only as Required by Law or for the purpose for which it was disclosed to the person, and that the person will notify Sylora of any instances of which it is aware in which the confidentiality of the PHI has been breached (per 45 C.F.R. § 164.504(e)(4)).

3.4. De-identified Information:

Sylora may de-identify PHI in accordance with 45 C.F.R. § 164.514. De-identified data is not considered PHI or Personal Data under this DPA, and Sylora may use it for any lawful purpose (such as analytics, research, or product development), provided that the de-identification is performed in compliance with HIPAA standards. Sylora will not attempt to re-identify any de-identified data without Customer's express written permission.

3.5. Aggregation Services:

Sylora is permitted to use PHI to perform data aggregation services as defined by HIPAA (45 C.F.R. § 164.504(e)(2)(i)(B)), meaning combining PHI with other data it holds in its capacity as a Business Associate of Customer to permit data analyses that relate to the healthcare operations of Customer. Any aggregated data that does not identify Customer or any individual may be used by Sylora for lawful purposes, provided it meets any necessary de-identification standards or otherwise is permissible under HIPAA.

3.6. Adherence to Privacy Policy:

Sylora will handle Personal Data in accordance with the commitments in its Privacy Policy insofar as they provide additional protections. However, if this DPA or the BAA terms impose stricter obligations than Sylora's general privacy policy, Sylora will adhere to this DPA and BAA for Customer's data.

4. Safeguards and Security Measures

4.1. Compliance with Security Rule:

Sylora shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of ePHI as required by the HIPAA Security Rule. Specifically, Sylora will:

  • Ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits on behalf of Customer.
  • Protect against any reasonably anticipated threats or hazards to the security of ePHI, and prevent unauthorized uses or disclosures of ePHI.
  • Ensure compliance by its workforce with these security requirements. Measures include (but are not limited to) access controls, encryption, audit logs, secure workstations, and personnel training as described in Sylora's HIPAA Compliance Statement (provided for informational purposes). Sylora will regularly evaluate and modify its safeguards to ensure ongoing protection of PHI.

4.2. No Unauthorized Disclosure:

Sylora will not divulge, copy, transfer, or allow access to the Personal Data or PHI to any third party (except as expressly permitted by this DPA or instructed by Customer). All employees, agents, and subprocessors of Sylora with access to PHI are subject to binding confidentiality obligations and have been trained on handling PHI securely.

4.3. Subprocessors:

Sylora may engage subcontractors to assist in providing the Services. Sylora shall ensure that any Subprocessor that accesses or handles PHI or Personal Data is bound by a written agreement that imposes the same obligations on the Subprocessor as are imposed on Sylora under this DPA. Sylora will restrict Subprocessor access to only what is necessary for them to perform their function. Sylora remains fully liable to Customer for the performance of Subprocessors with respect to their handling of PHI or Personal Data.

Approved Subprocessors:

Customer hereby approves Sylora's use of the Subprocessors listed here as of the DPA effective date:

  • Amazon Web Services, Inc. – cloud infrastructure and data hosting (servers located in the USA).
  • Google Cloud (Speech-to-Text API) – speech recognition processing for voice data (processing in the USA).
  • Cloudflare, Inc. – secure network perimeter and DDoS protection (transit encryption and CDN).
  • (Any other relevant subprocessors can be listed by name and purpose.)

Sylora affirms that each of the above subprocessors that handle PHI has signed a Business Associate Agreement (where applicable) or equivalent contractual clauses with Sylora.

New Subprocessors:

Sylora will notify Customer of any intended addition or replacement of subprocessors that will handle PHI or Personal Data, at least 30 days in advance (via email or posting to a Customer-accessible website). If Customer has a reasonable objection to the new subprocessor on data protection grounds, Customer may notify Sylora of its objection. The parties will then discuss a resolution in good faith (for example, whether an alternative subprocessor can be used or if additional safeguards can be put in place). If an agreement cannot be reached, Customer may have the right to terminate the portion of Services that involve that subprocessor, without penalty, by providing written notice within a reasonable period.

4.4. Geographic Limitation:

All Personal Data and PHI processed under this DPA will be stored and processed solely within the United States, unless Customer explicitly agrees otherwise in writing. Sylora will not transfer or permit access to PHI outside of the U.S. (either directly or via remote access) without Customer's prior written consent. This ensures compliance with any regulations or preferences for U.S.-only data residency.

4.5. Access Controls and Minimum Necessary:

Sylora will ensure that only those workforce members who have a legitimate need to perform Services have access to PHI. Sylora will follow the “minimum necessary” rule in 45 C.F.R. § 164.514(d) – only the minimum PHI necessary for a given task will be accessed or used. Sylora has implemented policies to limit access accordingly and conducts periodic access reviews to adjust permissions.

4.6. Security Incident Management:

Sylora will identify and respond to suspected or known security incidents. It will mitigate, to the extent practicable, harmful effects that are known to Sylora of a security incident. Further details on breach notification are in Section 6 below.

4.7. No Improper Alteration:

Sylora will not materially alter or destroy any Personal Data or PHI except as instructed by Customer or as provided for in the Agreement (for example, deletion after a retention period or upon termination). If PHI in Sylora's possession is requested to be amended or corrected, Sylora will assist as per Section 5.2 below.

5. Cooperation with Customer Obligations

5.1. Access and Disclosure Accounting:

Should Customer need to provide individuals with access to their PHI or an accounting of disclosures (as per 45 C.F.R. § 164.524 and § 164.528), Sylora will reasonably cooperate. Specifically:

  • Access: Upon request, Sylora will provide Customer with the PHI in Sylora's possession that constitutes part of a Designated Record Set, so that Customer can meet its access obligations. If an individual directs a request for access directly to Sylora, Sylora will promptly forward the request to Customer and not provide direct access (unless otherwise required by law or agreed in writing).
  • Amendment: If Customer requests Sylora to amend PHI in Sylora's records to correct an error or omission (pursuant to 45 C.F.R. § 164.526), Sylora shall incorporate the amendments as required. Alternatively, Sylora may provide Customer with the capability to make such amendments through the Service. If any request for amendment is received directly by Sylora, Sylora will forward it to Customer.
  • Accounting of Disclosures: Sylora will document disclosures of PHI as needed to enable Customer to respond to an individual's request for an accounting of disclosures (per 45 C.F.R. § 164.528). This includes disclosures made by Sylora or its Subprocessors, except for disclosures excluded from the accounting requirement (e.g., for treatment, payment, healthcare operations, and other exceptions under HIPAA). Upon Customer's request, Sylora shall provide an accounting of such disclosures to Customer, including the date of disclosure, the PHI disclosed, and the recipient, so that Customer may fulfill any accounting obligations. If an individual requests an accounting directly from Sylora, Sylora will forward it to Customer.

5.2. Responding to Individuals' Rights (Non-HIPAA):

For Personal Data not governed by HIPAA (for instance, personal information of Customer's personnel or other data subjects under state laws), Sylora shall assist Customer in responding to verifiable requests from individuals to exercise their rights (such as access, deletion, etc.) under applicable privacy laws. For example, if a California resident submits a valid deletion request to Customer and it pertains to data stored on Sylora's systems, Sylora will, upon Customer's instruction, delete the relevant data and confirm to Customer. Sylora will also, upon request, provide reasonable information about the categories of data it processes for Customer if needed for Customer's consumer disclosures.

5.3. Regulatory and Audits:

Sylora will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining Customer's or Sylora's compliance with HIPAA (per 45 C.F.R. § 164.504(e)(2)(ii)(I)). Sylora shall promptly inform Customer if such a request is made, unless legally prohibited.

5.4. Customer Audits:

Customer (or an independent auditor acting on Customer's behalf, not a competitor of Sylora) has the right to conduct a reasonable audit or inspection of Sylora's facilities, systems, and documentation directly relevant to the processing of PHI or Personal Data for Customer, in order to assess compliance with this DPA. The following conditions apply:

  • Customer must give at least 30 days' written notice of a requested audit, and the parties will mutually agree on the scope, timing, and duration of the audit. Customer will avoid causing disruption to Sylora's business and will conduct audits during normal business hours.
  • Customer may perform one such audit in a 12-month period, except additional audits are permitted if a significant data security incident has occurred or as required by a regulator.
  • Sylora may require auditors to execute a non-disclosure agreement to protect the confidentiality of Sylora's other clients and security information.
  • In lieu of a Customer-conducted audit, Sylora may present recent relevant audit reports by independent third parties (such as a SOC 2 Type II report, ISO 27001 certification, or summary of a HIPAA compliance assessment) that address the controls in question. If such reports sufficiently demonstrate Sylora's compliance, that will satisfy the audit request.
  • Customer is responsible for its costs of the audit. If the audit requires Sylora to engage significant resources (beyond a normal level of support), Sylora may reasonably charge for such support, but only after discussing and agreeing with Customer on those costs.
  • Any findings from the audit will be discussed and Sylora will take corrective action where reasonably necessary and agreed upon.

5.5. Law Enforcement Requests:

In the event Sylora receives a subpoena, court order, or other request from a law enforcement or governmental authority (including civil or criminal enforcement demands) for disclosure of Personal Data or PHI that belongs to Customer, Sylora will, unless prohibited by law, promptly notify Customer and cooperate with Customer's efforts to limit or contest the disclosure. Sylora will only disclose the information strictly required by the valid legal demand. This aligns with Sylora's obligations under HIPAA to ensure any such disclosures are permissible and that Customer is informed.

6. Breach Notification

6.1. Notification Obligation:

Sylora will report to Customer any use or disclosure of PHI not permitted by this DPA, or any Security Incident that results in unauthorized access, acquisition, use, or disclosure of PHI, of which Sylora becomes aware. In the event Sylora discovers a Breach of Unsecured PHI (as defined in 45 C.F.R. § 164.402) occurring at Sylora or a Subprocessor, Sylora will notify Customer without unreasonable delay and no later than 60 calendar days after discovery of the Breach. It is understood that Customer, as the Covered Entity, will be responsible for determining whether to notify affected individuals, regulators (like HHS), or the media, as required by the HIPAA Breach Notification Rule, but Sylora will assist Customer in doing so.

6.2. Content of Notification:

Sylora's Breach notice to Customer will include, to the extent known at the time:

  • A description of the incident, including the date of the Breach and date of discovery.
  • A description of the types of PHI involved (such as whether full name, social security number, date of birth, diagnosis, etc., were involved).
  • The identification of each individual whose PHI has been, or is reasonably believed by Sylora to have been, accessed, acquired, or disclosed during the Breach (or information on the number of individuals and how Customer can obtain a list of impacted persons).
  • Any steps Sylora has taken or will take to investigate the Breach, mitigate harm, and protect against further incidents.
  • Contact information for Sylora's incident response coordinator or other relevant contact person.

If any information is not yet available (e.g., Sylora is still determining the full scope of affected data), Sylora may provide an initial notice with known facts and follow up with supplemental information as it becomes available.

6.3. Mitigation:

Sylora will immediately take steps to contain and mitigate the effects of any Breach. This may include isolating affected systems, changing access credentials, applying fixes, and recovering data. Sylora will also take corrective action to prevent a recurrence, such as additional training, discipline for responsible personnel (if applicable), or enhancing security controls.

6.4. Security Incidents:

Sylora will also report to Customer any Security Incident (as defined by HIPAA – attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations) affecting ePHI, of which Sylora becomes aware. However, Customer acknowledges and shall be deemed notified by this section that routine, unsuccessful incidents (like pings, port scans, blocked malware, or unsuccessful login attempts) that do not result in unauthorized access to PHI are not required to be reported, given that they occur frequently and are managed by Sylora's security measures. Sylora will document these non-material incidents and make such documentation available to Customer upon request. Any incident that materially lowers the protection of PHI or potentially compromises it will be treated as a Breach or potential Breach and reported as above.

6.5. Breach Investigation Cooperation:

In the event of a Breach, Sylora will cooperate with Customer's investigation and risk assessment. Sylora will provide any available information Customer needs to evaluate the likelihood of harm and to fulfill any reporting obligations. Sylora will also assist in preparing any required notifications to individuals or regulators if requested (though the responsibility for such notifications remains with Customer unless otherwise agreed).

6.6. Documentation:

Sylora shall maintain documentation of all reported Breaches and Security Incidents, including their results and Sylora's response. This documentation will be retained for at least six years (HIPAA requirement) and provided to Customer or regulators upon request, as needed for compliance verification.

7. Term and Termination of DPA

7.1. Term:

This DPA is effective as of the effective date of the Agreement (or as of the date PHI is first provided to Sylora, if later) and shall continue until Sylora no longer processes any Personal Data or PHI on behalf of Customer (for example, until the Agreement is terminated or expires and all data is returned or deleted).

7.2. Termination for Breach:

If Customer becomes aware of a material breach of this DPA by Sylora, Customer may provide written notice to Sylora describing the breach and afford Sylora an opportunity to cure the breach within 30 days. If Sylora does not cure the breach within the cure period, Customer may terminate the Agreement and this DPA. Under HIPAA, if Customer reasonably determines that Sylora has violated a material term of this BAA and cure is not possible, Customer may terminate this DPA and the underlying Services. Conversely, if Sylora determines that Customer has breached its obligations under HIPAA or this DPA (for instance, by misusing the Service in a way that causes Sylora to violate HIPAA), Sylora will notify Customer and provide an opportunity to cure. If Customer fails to cure, Sylora may terminate the Agreement insofar as it relates to processing of PHI (and possibly cease the Services), consistent with 45 C.F.R. § 164.504(e)(2)(iii).

7.3. Instructions upon Termination:

Upon termination or expiration of the Agreement, Customer will have the opportunity to retrieve its data as per the Agreement (see Terms of Service – typically a 30-day period for data export). After such period, or upon Customer's sooner written instruction, Sylora will proceed with data deletion as described below.

7.4. Return or Destruction of Data:

Except as provided in subsection 7.5, upon termination of the Services and this DPA, Sylora will return or securely destroy all PHI and Personal Data in its possession or control that was received from Customer, or created/received on behalf of Customer. Sylora will not retain any copies of PHI, except as required for the purposes below. This requirement applies to PHI in the possession of Sylora's subcontractors as well – Sylora will ensure they likewise return or destroy PHI. If Customer opts for return of data, Sylora will provide the data in a commonly accessible format. If destruction is requested, Sylora will use industry-standard methods (such as NIST 800-88 guidelines for media sanitization) to irreversibly delete electronic data, and will shred or pulverize any physical media containing PHI.

7.5. Infeasibility of Return/Destruction:

If Sylora determines that returning or destroying certain PHI is not feasible (for instance, if it is stored in backups that are impractical to isolate, or if retention is required by law), Sylora shall notify Customer of the specific reasons. In such cases, Sylora will extend the protections of this DPA to the retained PHI and will limit further uses/disclosures of that PHI to those purposes that make the return or destruction infeasible, for as long as Sylora maintains the PHI. For example, PHI stored in encrypted backups may be retained until those backups are overwritten or become obsolete, but Sylora will not use the PHI in any live environment and will continue to safeguard it.

7.6. Certification:

Upon Customer's request, Sylora will certify in writing that it has returned or destroyed all PHI as required at the conclusion of the DPA, or that return/destruction was infeasible and that extended protections are being applied (as per 45 C.F.R. § 164.504(e)(2)(ii)(J)).

7.7. Survival:

All obligations in this DPA that by their nature should survive termination (including confidentiality, security, breach notification, and the requirement to protect any retained PHI) shall survive the termination of the DPA until all PHI is either returned or destroyed or protections are no longer needed.

8. General Provisions

8.1. Hierarchy:

In the event of any conflict between a provision of this DPA and a provision of the Terms of Service or other underlying agreement between the parties, the provision of this DPA shall control with regard to the parties' privacy and security obligations for Personal Data. All other provisions of the underlying agreement remain in effect and apply to the extent not inconsistent with this DPA.

8.2. Amendments:

This DPA may be amended only by a written instrument signed by both parties. However, the parties agree to take such action as is necessary to amend this DPA from time to time as required for compliance with HIPAA or other applicable privacy laws. For example, if there are changes to HIPAA regulations or new state laws that require certain contract terms, the parties will negotiate in good faith to incorporate those. If any aspect of this DPA is found to be not compliant with the law, the parties will amend it to ensure compliance.

8.3. Indemnification:

[Optional provision, depending on parties' agreement: Each party shall indemnify and hold harmless the other party from and against any and all claims, liabilities, penalties, fines, costs, or expenses (including reasonable attorneys' fees) resulting from the party's breach of this DPA or its violation of HIPAA with respect to PHI handled under this DPA. For clarity, Sylora will indemnify Customer for breaches caused by Sylora's failure to comply with its obligations, and Customer will indemnify Sylora for breaches or violations caused by Customer's instructions or misuse of the Services.]

8.4. Limitation of Liability:

[If the main agreement includes a limitation of liability, specify how it applies: The limitation of liability provisions in the Agreement apply to this DPA. However, such limitations shall not apply to any fines or penalties imposed on either party by regulators (to the extent those cannot be limited by contract) or liabilities arising from a party's gross negligence or willful misconduct in relation to PHI.]

8.5. No Third-Party Beneficiaries:

There are no third-party beneficiaries to this DPA. The individuals whose data is processed are not third-party beneficiaries, and this DPA does not grant them any rights or causes of action. The rights and obligations are only between Customer and Sylora.

8.6. Interpretation:

Any ambiguity in this DPA shall be resolved in favor of a meaning that permits compliance with HIPAA and applicable privacy laws. This DPA shall be interpreted as broadly as necessary to implement and comply with those laws. The headings are for reference only and do not affect interpretation.

8.7. Governing Law:

This DPA is governed by the same law as the underlying Agreement, except to the extent that law is preempted by federal law (such as HIPAA). The forum and venue for disputes under this DPA shall be the same as for the Agreement. However, any provision required by HIPAA or other privacy law is governed by that law.

8.8. Notices:

All notices required by this DPA (such as breach notification or notices of new subprocessors) shall be given in accordance with the notice provisions of the Agreement. In addition, a copy of any data breach notification shall be sent to the Privacy or Security Officer of the other party (if designated). Notices regarding an amendment of this DPA or other legal notices should be addressed to the signatories or their successors.

By entering into the Agreement or using Sylora's Services, Customer and Sylora acknowledge and agree to this Data Processing Addendum and Business Associate Agreement. This DPA is effective and binding as of the date of the Agreement (or as of the date PHI is first provided, if later).