Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Nyvion LLC (“Processor,” “we,” “us,” or “our”) and the customer entity identified in the Agreement (“Controller,” “Customer,” or “you”).
This DPA applies whenever Processor processes Personal Data on behalf of Controller in the course of providing the GMC Medic service (“Service”), and is intended to comply with applicable data protection law, including the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and the Swiss Federal Act on Data Protection (“FADP”).
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.
1. Definitions
Capitalized terms not defined here have the meanings given in the GDPR. For convenience:
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For most processing under this DPA, the Customer is the Controller.
- “Processor” means the entity that processes Personal Data on behalf of the Controller. For most processing under this DPA, Nyvion LLC is the Processor.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, disclosure, or deletion.
- “Sub-processor” means a third party engaged by Processor to process Personal Data on behalf of Controller.
- “Data Subject” means the natural person to whom Personal Data relates.
- “SCCs” means the Standard Contractual Clauses approved by the European Commission for transfers of Personal Data to third countries (Commission Implementing Decision (EU) 2021/914), in the form of Module Two (Controller to Processor) and Module Three (Processor to Processor) as applicable.
2. Scope and Roles
2.1 Roles
Within the scope of the Agreement, Controller acts as the data controller and Processor acts as the data processor for the Personal Data of Data Subjects whose data is uploaded to, scanned through, or otherwise processed by the Service on Controller's behalf.
This typically includes Personal Data of:
- Controller’s customers (where reflected in product listings or store content scanned by the Service).
- Controller’s employees or representatives (where reflected in business profile information, About pages, or contact information).
2.2 Independent Controller Activities
For certain other processing — including processing necessary to provide, secure, and improve the Service itself — Processor acts as an independent data controller (not a processor). This includes processing of:
- Controller’s account holder contact details (account email, billing email, business address).
- Service usage telemetry and logs.
- Aggregated and de-identified analytics.
For those activities, Processor's own Privacy Policy governs.
3. Subject Matter, Duration, Nature, and Purpose
| Item | Details |
|---|---|
| Subject matter of processing | Provision of the GMC Medic compliance scanning service to Controller |
| Duration of processing | For the term of the Agreement, plus any retention period required by law or set out in the Privacy Policy |
| Nature of processing | Storage, automated analysis, transmission to sub-processors, generation of compliance findings and appeal letter drafts |
| Purpose of processing | To enable Controller to detect and remediate compliance issues with Google Merchant Center policies, generate appeal letters, and monitor compliance status over time |
4. Categories of Data Subjects and Personal Data
4.1 Categories of Data Subjects
- Customers of Controller (where their data appears in Controller’s storefront, product listings, or business profile).
- Employees, contractors, founders, or representatives of Controller (where their data appears in business identity information).
4.2 Categories of Personal Data
- Business identity data: business name, business address, business phone, business email, founder/contact name.
- Storefront content: product titles, descriptions, prices, policy page text, About page text, contact page text.
- Domain identity data: WHOIS registrant name, organization, country (where publicly available).
- Customer reviews or testimonials displayed on the storefront (if scanned).
4.3 Sensitive Data
The Service is not intended to process sensitive or special-category Personal Data (as defined in Article 9 GDPR — including health data, biometric data, data revealing racial or ethnic origin, etc.). Controller agrees not to use the Service to process sensitive data. If Controller becomes aware that sensitive data has been inadvertently processed, Controller will notify Processor and the parties will work together to delete it.
5. Processor Obligations
Processor agrees to:
5.1 Documented Instructions
Process Personal Data only on Controller's documented instructions, as set out in this DPA, the Agreement, and Controller's configuration of the Service. If Processor reasonably believes an instruction violates applicable data protection law, Processor will inform Controller without undue delay and may suspend the relevant processing until the instruction is clarified.
5.2 Confidentiality
Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
5.3 Security
Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. A summary of current security measures is set out in Annex A.
5.4 Sub-Processors
Engage sub-processors only in accordance with Section 7 of this DPA.
5.5 Assistance with Data Subject Rights
Provide reasonable assistance to Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection law (access, rectification, erasure, restriction, portability, objection), taking into account the nature of the processing.
5.6 Assistance with DPIA and Consultation
Provide reasonable assistance to Controller in carrying out Data Protection Impact Assessments and consulting with supervisory authorities, where required under Articles 35 and 36 GDPR.
5.7 Personal Data Breach Notification
Notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will include, to the extent then known:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach.
- Contact information for further inquiries.
5.8 Return or Deletion on Termination
Upon termination of the Agreement, at Controller's choice, either return or delete all Personal Data processed under this DPA, and delete existing copies, except where retention is required by applicable law. Standard deletion occurs within 30 days of account closure.
5.9 Audits
Make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Controller or an independent auditor mandated by Controller. Except where a Personal Data Breach is reasonably suspected, audits are limited to once per 12-month period, conducted with reasonable notice, during normal business hours, and subject to confidentiality obligations.
6. Controller Obligations
Controller represents and warrants that:
- Controller has obtained all necessary consents and provided all necessary notices to enable the lawful transfer of Personal Data to Processor for processing under the Agreement.
- Controller’s instructions to Processor comply with applicable data protection law.
- Controller will not knowingly use the Service to process sensitive or special-category Personal Data.
Controller is solely responsible for the lawfulness, accuracy, and integrity of the Personal Data it provides to or routes through the Service.
7. Sub-Processors
7.1 General Authorization
Controller provides general written authorization for Processor to engage sub-processors, subject to the conditions in this Section 7.
7.2 Current Sub-Processors
A current list of sub-processors is published at getgmcmedic.com/subprocessors. By executing the Agreement, Controller approves the sub-processors listed at the effective date of the Agreement.
7.3 Notice of New Sub-Processors
Processor will notify Controller at least 30 days in advance of engaging a new sub-processor or making material changes to its sub-processor list, via email to the account email on file and/or publication on the sub-processor list page. Controller may object to a new sub-processor on reasonable grounds related to data protection within 30 days of notice. If Controller's objection cannot be resolved, Controller may terminate the Agreement with respect to services affected by the new sub-processor.
7.4 Sub-Processor Obligations
Processor will enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set out in this DPA. Processor remains liable for the acts and omissions of its sub-processors with respect to Personal Data processed under this DPA.
8. International Data Transfers
8.1 General
Processor and its sub-processors may transfer Personal Data outside the European Economic Area, the United Kingdom, and Switzerland, including to the United States, in connection with providing the Service.
8.2 Standard Contractual Clauses
Where Personal Data of EEA, UK, or Swiss Data Subjects is transferred to a country not deemed adequate by the European Commission (or UK / Swiss equivalent), the parties incorporate by reference the Standard Contractual Clauses (SCCs) approved by Commission Implementing Decision (EU) 2021/914:
- Module Two (Controller to Processor) applies between Controller and Processor.
- Module Three (Processor to Processor) applies between Processor and any onward sub-processor located in a non-adequate country.
The SCCs are deemed completed as follows:
- Clause 7 (Docking): Optional clause does not apply.
- Clause 9(a) (Sub-processors): Option 2 (General Written Authorization) with a 30-day notice period applies.
- Clause 11 (Redress): Optional language regarding independent dispute resolution does not apply.
- Clause 17 (Governing law): Irish law applies.
- Clause 18 (Forum and Jurisdiction): Disputes will be resolved before the courts of Ireland.
For UK transfers, the parties incorporate the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office, in effect from 21 March 2022, with the SCCs as the underlying transfer mechanism.
For Swiss transfers, references to the GDPR in the SCCs are construed to include the FADP, and references to EU supervisory authorities include the Swiss Federal Data Protection and Information Commissioner.
8.3 Supplementary Measures
Processor implements supplementary measures including encryption in transit and at rest, access controls, audit logging, and contractual sub-processor obligations to ensure that Personal Data transferred internationally is afforded a level of protection essentially equivalent to that guaranteed in the EEA.
9. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Agreement. For the avoidance of doubt, nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable data protection law, including for material or non-material damage suffered by a Data Subject under Article 82 GDPR.
10. Governing Law
This DPA is governed by the laws of the State of Missouri, United States, except where the SCCs apply (in which case Irish law governs the SCC clauses), or where mandatory data protection law of another jurisdiction applies.
11. Order of Precedence
In the event of any conflict or inconsistency:
- The SCCs (where applicable) prevail over this DPA.
- This DPA prevails over the Agreement (with respect to processing of Personal Data).
- The Agreement prevails over any other communication between the parties.
12. Updates to This DPA
Processor may update this DPA from time to time to reflect changes in applicable law, sub-processors, or industry practice. Material updates will be notified at least 30 days in advance via email or via publication on the GMC Medic website.
13. Contact
For questions about this DPA, or to submit a Data Subject rights request on behalf of an EU Data Subject:
Email: support@getgmcmedic.com (Subject line: “DPA Inquiry” or “DSAR”)
Mailing address: Nyvion LLC, Attn: Privacy, 2150 Renault Dr, Saint Louis, MO 63146
Annex A — Technical and Organizational Security Measures
Processor implements the following technical and organizational measures to protect Personal Data:
A.1 Access Control
- Multi-factor authentication required for all administrative access.
- Role-based access control with principle of least privilege.
- Row-level security ("RLS") at the database layer to ensure each account can access only its own data.
- Quarterly review of access permissions; immediate revocation on personnel changes.
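The row-level security measure listed above is a database feature rather than an application check, so it is worth seeing what it looks like in concrete terms. The following is an added illustration for PostgreSQL (the engine Supabase runs), not Nyvion's actual schema or policies: the table name `scan_results` and its `account_id` column are assumed for the example, and `auth.uid()` is Supabase's helper that returns the user id from the verified JWT.

```sql
-- Added example of per-account row-level security on PostgreSQL/Supabase.
-- Table and column names are assumed for illustration only.
create table if not exists scan_results (
    id          bigint generated always as identity primary key,
    account_id  uuid        not null,  -- owning account, compared to the caller's identity
    storefront  text        not null,
    finding     text        not null,
    created_at  timestamptz not null default now()
);

-- Policies are ignored until RLS is enabled on the table.
alter table scan_results enable row level security;

-- FORCE applies the policies to the table owner as well. Superusers and
-- roles with BYPASSRLS (in Supabase, the service_role key) still bypass
-- them, so per-account requests must not run under such a role.
alter table scan_results force row level security;

-- USING filters rows for SELECT/UPDATE/DELETE; WITH CHECK additionally
-- rejects INSERTs or UPDATEs that would place a row under another account,
-- which a USING clause alone does not prevent.
create policy scan_results_own_account
    on scan_results
    for all
    to authenticated
    using (account_id = auth.uid())
    with check (account_id = auth.uid());

-- Verification queries: both flags should be true, and the policy should
-- be listed. pg_class and pg_policies are standard PostgreSQL catalogs.
select relrowsecurity, relforcerowsecurity
  from pg_class
 where relname = 'scan_results';

select policyname, cmd, roles, qual, with_check
  from pg_policies
 where tablename = 'scan_results';
```

The verification queries are the check a reviewer should run after any migration: a table whose `relrowsecurity` flag is false, or that has RLS enabled but no policy for the role the application connects as, will either expose every row or return none, and neither failure shows up in application code.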
A.2 Encryption
- All data in transit encrypted using TLS 1.2 or higher.
- All data at rest encrypted using AES-256 (managed by our database provider, Supabase).
- API keys and secrets stored as encrypted environment variables; never committed to source code.
A.3 Network Security
- Hosted on Vercel, which provides DDoS protection, WAF, and isolation at the platform level.
- No direct database access from the public internet; all database traffic routed through application servers with restricted IP allowlisting.
A.4 Logging and Monitoring
- Authentication events, administrative actions, and security-relevant events logged.
- Server logs retained for 30 days and reviewed in response to security incidents.
A.5 Backups and Disaster Recovery
- Database backed up daily by Supabase.
- Backup retention and recovery options consistent with our database provider’s plan.
A.6 Vendor Management
- Sub-processors selected based on security posture; each is bound by a written agreement imposing data protection obligations equivalent to those in this DPA.
A.7 Personnel
- All personnel with access to Personal Data are bound by written confidentiality obligations.
- Security awareness training provided on engagement and refreshed annually.
A.8 Incident Response
- Documented incident response procedure.
- 72-hour breach notification commitment to Controller under Section 5.7 above.
A.9 Data Minimization
- The Service is designed to process only the categories of data necessary to perform compliance scanning.
- Aggregated and de-identified data is preferred for analytics and Service improvement.
© 2026 Nyvion LLC. Not affiliated with Google LLC.