Data Privacy Agreement

Effective Date: July 21, 2025

DATA PROCESSING AGREEMENT (DPA)


Parties:
  • Well App, Inc., 1111B S Governors Ave STE 29109, Dover, DE 19904 ("Processor" or "Well")
  • The entity identified in the applicable Order Form or Subscription Agreement with Well ("Controller" or "Customer")
This DPA forms part of the agreement between Well and Customer regarding the provision of Services where Well processes Personal Data on behalf of Customer.

1. DEFINITIONS

  • Personal Data: Any information relating to an identified or identifiable natural person that is processed by Well on behalf of Customer.
  • Processing: Any operation performed on Personal Data (e.g., storage, access, transmission).
  • Data Subject: The individual whose personal data is being processed.
  • Applicable Law: Includes the GDPR, UK GDPR, CCPA, and any other privacy laws relevant to Customer’s use of the Services.
  • Sub-processor: Any third party engaged by Well to process Personal Data on behalf of Customer.
  • Standard Contractual Clauses (SCCs): The 2021 EU model clauses (Module 2: Controller to Processor), as approved by the European Commission.

2. SCOPE AND ROLES

  • Well acts as a Processor of Personal Data on behalf of the Customer, the Controller.
  • The nature and purpose of processing is limited to providing the Well platform, including data extraction, integration, transformation, and routing.
  • The duration is the term of the agreement between the parties unless otherwise required by law.

3. CUSTOMER OBLIGATIONS

Customer, as Controller, agrees to:
  • Ensure lawful basis for all processing of Personal Data via the Services.
  • Not instruct Well to process data in a way that violates any Applicable Law.
  • Provide privacy notices to Data Subjects as required.
  • Be solely responsible for determining if the Services meet their data processing needs.

4. WELL’S OBLIGATIONS

Well agrees to:
  • Process Personal Data only on documented instructions from Customer unless required by law.
  • Not retain, use, or disclose Personal Data for any purpose other than providing the Services.
  • Maintain confidentiality and ensure its personnel are bound by appropriate obligations.
  • Implement appropriate technical and organizational measures to protect Personal Data.

5. SECURITY MEASURES

Well maintains administrative, technical, and physical safeguards appropriate to the sensitivity of the Personal Data, including:
  • Access controls and authentication
  • Encryption in transit and at rest
  • Role-based access limitations
  • Incident detection and response
  • Data backup and disaster recovery
Details may be documented in a Security Addendum or available upon request.

6. EEA / UK / SWISS USERS – GDPR COMPLIANCE

Well ensures that data processed on behalf of EEA customers is processed and stored under European contracts.
We ensure appropriate safeguards through Standard Contractual Clauses and other legal mechanisms.
If you are in the EEA, UK, or Switzerland, we process your data under the legal bases of:
  • Performance of a contract (e.g., providing services)
  • Legitimate interest (e.g., improving services, ensuring security)
  • Consent (e.g., marketing emails)
You may lodge a complaint with your local data protection authority if you believe we have violated your rights.

7. DATA SUBJECT REQUESTS

To the extent legally permissible, Well shall:
  • Promptly notify Customer of any Data Subject request (e.g., access, deletion, rectification)
  • Not respond directly unless authorized
  • Assist Customer in fulfilling its obligations, using appropriate technical and organizational measures

9. ASSISTANCE WITH COMPLIANCE

Well shall, at Customer’s request:
  • Provide necessary information to demonstrate compliance with Article 28 of the GDPR (or equivalent)
  • Assist with data protection impact assessments (DPIAs)
  • Cooperate with supervisory authorities if requested

10. SECURITY INCIDENT NOTIFICATION

If Well becomes aware of a Personal Data Breach, it shall:
  • Notify Customer without undue delay (within 48 hours of confirmation)
  • Provide available details including:
    • Nature of the breach
    • Categories of data affected
    • Steps taken or proposed to mitigate the breach
  • Cooperate in the investigation and remediation

11. RETURN OR DELETION OF DATA

Upon termination of Services, Well will:
  • Delete or return all Personal Data to Customer (at Customer’s option)
  • Retain no copies except as required by law
  • Certify deletion upon request
Backup archives may be retained for up to 30 days post-termination, with continued security controls in place.

12. AUDITS AND DEMONSTRATIONS

Upon written request no more than once annually, Well shall:
  • Provide Customer with relevant documentation (e.g., SOC 2, ISO 27001 reports)
  • Cooperate with audits or inspections by Customer or its auditors, provided:
    • 30 days’ advance notice is given
    • The audit does not unreasonably interfere with Well’s operations
    • Customer signs a confidentiality agreement

13. LIABILITY

Each party’s liability under this DPA is subject to the limitations of liability set forth in the main Terms of Service. No provision of this DPA shall limit Customer’s obligations under Applicable Law.

14. GOVERNING LAW AND VENUE

This DPA shall be governed by:
  • The laws of the State of Delaware, USA (for non-EU customers)
  • EU law and the relevant Member State’s jurisdiction (for GDPR-bound customers, solely for SCC purposes)

15. MODIFICATIONS

We may update this DPA to reflect changes in our Sub-processors, Services, or Applicable Law. Customer will be notified of material changes with a 30-day notice period, unless an earlier change is legally required.

16. CONTACT US

Questions regarding this DPA may be directed to:
Data Protection Officer (DPO)
privacy@wellapp.ai
Well App, Inc.
1111B S Governors Ave STE 29109
Dover, DE 19904, USA