Data Processing Agreement

Effective: February 2026

Introduction & Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

  • Data Controller: The Customer (the clinic, business, or individual using the Borradh platform)
  • Data Processor: Borradh Technologies Limited, 72 Mount Prospect Avenue, Clontarf, Dublin 3, D03 XV79, Ireland

Contact: privacy@borradh.io

This DPA sets out the terms under which the Processor processes Personal Data on behalf of the Controller in connection with the Services, and reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Laws.

Definitions

In this DPA, the following terms have the meanings set out below:

  • Controller — the entity that determines the purposes and means of processing Personal Data (the Customer)
  • Processor — the entity that processes Personal Data on behalf of the Controller (Borradh)
  • Personal Data — any information relating to an identified or identifiable natural person
  • Data Subject — the identified or identifiable natural person to whom Personal Data relates
  • Processing — any operation performed on Personal Data, whether by automated means or not
  • Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
  • Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller
  • Supervisory Authority — an independent public authority responsible for monitoring the application of Data Protection Laws
  • Standard Contractual Clauses (SCCs) — the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries
  • Data Protection Laws — the EU General Data Protection Regulation (GDPR), the UK GDPR, the ePrivacy Directive, and any applicable national implementing legislation

Scope & Purpose of Processing

Categories of Data Subjects

  • Customer's leads, prospects, and clients
  • Customer's end users and website visitors

Categories of Personal Data

  • Contact details: names, email addresses, phone numbers, WhatsApp numbers
  • Lead form submissions: custom form responses (may include date of birth, address, job title)
  • Communication records: email content, SMS messages, WhatsApp messages
  • Voice call data: phone numbers, call transcripts, recordings, AI-generated summaries, sentiment analysis
  • Chatbot conversation data: messages, user profile names, platform identifiers
  • Appointment/booking data: dates, times, service details, deposit payment information
  • Marketing data: ad campaign targeting, performance metrics
  • Social media data: post content, publishing results
  • Media files: videos, images, graphics, transcripts
  • Consent records: email/SMS/voice consent status and timestamps

Purpose

To provide the Services as defined in the Terms of Service, including lead management, advertising, automated communications, booking, content creation, and analytics.

Duration

For the duration of the service agreement between the Controller and the Processor.

Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorised to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without prior written authorisation from the Controller
  • Assist the Controller in responding to Data Subject rights requests
  • Assist the Controller with data protection impact assessments where required
  • Notify the Controller of any Personal Data Breach without undue delay
  • Delete or return all Personal Data on termination of the service agreement, at the Controller's choice
  • Make available all information necessary to demonstrate compliance with this DPA
  • Not sell, share, or otherwise make available Personal Data for purposes other than providing the Services

Security Measures

The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk:

  • Encryption in transit: TLS/HTTPS for all data transmission
  • Encryption at rest: AWS RDS storage encryption, AWS Secrets Manager for credential storage
  • Access control: Role-based access control with authentication guards and scope-based permissions
  • Data isolation: Row-Level Security (RLS) at the PostgreSQL database level, ensuring tenant data separation
  • Authentication: Session-based authentication with HttpOnly, Secure, SameSite cookies; API key authentication with rate limiting and scope-based access
  • Credential security: All third-party OAuth tokens encrypted with AES encryption before database storage
  • Network isolation: VPC with private subnets; security groups restricting database access to the application layer only
  • Monitoring: Structured logging, error tracking, and product analytics
  • Backup: Automated database backups with 7-day retention

Sub-processors

The Controller provides general written authorisation for the Processor to engage the following sub-processors:

Sub-processor | Purpose | Location | Data Processed
--- | --- | --- | ---
Amazon Web Services (AWS) | Cloud infrastructure, database hosting, file storage, secrets management, SMS delivery (SNS) | Ireland (eu-west-1) / US | All platform data
Meta Platforms | Ad campaigns, lead forms, page management, WhatsApp messaging, chatbot conversations | USA | Lead data, ad creatives, targeting data, messages, conversation content
Stripe | Payment processing, subscription billing, deposits | USA | Customer name, email, payment details
Google (Calendar, Gmail, Maps, Drive, My Business) | Calendar integration, email sending, geocoding, template storage, business reviews | USA | Emails, calendar events, addresses, reviews, files
Microsoft (Outlook) | Email integration | USA | Email addresses, email content
Telnyx | AI voice calls, phone number provisioning | USA | Phone numbers, call transcripts, recordings, AI summaries
ElevenLabs | Text-to-speech for voice calls | USA | Voice synthesis data
OpenAI | LLM for voice AI agents, website analysis, chatbot intelligence | USA | Lead context, conversation content, website content
Resend | Transactional email delivery | USA | Email addresses, email content
Loops.so | Email marketing automation | USA | Email addresses, contact properties
Calendly | Appointment scheduling | USA | Event details, availability, invitee information
Timely / Phorest | Booking system integration | Various | Appointment details, availability
PostHog | Product analytics | USA | Usage events, anonymised user identifiers
Sentry | Error monitoring | USA | Error logs, user IDs (no personal data beyond ID)
BetterStack (Logtail) | Log aggregation and monitoring | USA | Server logs, request metadata

The Processor shall provide the Controller with at least 14 days' prior notice of any intended changes to sub-processors.

The Controller may object to the appointment or replacement of a sub-processor within 7 days of receiving notice.

The Processor shall remain liable for the acts and omissions of its sub-processors as if they were the acts and omissions of the Processor itself.

International Data Transfers

Personal Data is stored in AWS eu-west-1 (Ireland) where possible. Transfers to US-based sub-processors are covered by:

  • EU Standard Contractual Clauses (Module 2: Controller to Processor)
  • UK International Data Transfer Addendum

This DPA is governed by the laws of Ireland. The courts of Ireland shall have exclusive jurisdiction in relation to any disputes arising under this DPA. The competent supervisory authority is the Irish Data Protection Commission.

Data Breach Notification

The Processor shall notify the Controller without undue delay (and no later than 48 hours) upon becoming aware of a Personal Data Breach. The notification shall include:

  • The nature of the Personal Data Breach
  • The categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach, including measures to mitigate its adverse effects

The Processor shall cooperate with the Controller in the investigation and remediation of any Personal Data Breach.

Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request except on the Controller's documented instructions.

Data Retention & Deletion

Personal Data is processed for the duration of the service agreement. On termination, the Controller may request the return or deletion of all Personal Data.

  • Deletion of active data completed within 30 days of request
  • Backup data purged within 90 days
  • Limited data may be retained where required by law (e.g., billing records for tax compliance)

Audit Rights

The Controller may audit the Processor's compliance with this DPA. The Processor shall make available all information reasonably necessary to demonstrate compliance and shall allow for and contribute to audits and inspections.

Audits shall be conducted at the Controller's cost, unless the audit reveals material non-compliance by the Processor.

Consent Management

The platform provides the following consent management capabilities to support the Controller's compliance obligations:

  • Per-lead consent tracking for email, SMS, and voice communications
  • Consent source recorded (e.g., Meta form, manual entry, CSV import)
  • Consent timestamp recorded for each channel
  • Automated sequences respect consent flags before executing communications

Liability

The Processor shall be liable for damages caused by processing that does not comply with this DPA or with the obligations of Data Protection Laws directed specifically to the Processor.

Each party shall indemnify the other against all claims, actions, third-party proceedings, costs, awards, and expenses arising from or in connection with any breach of this DPA by the indemnifying party.

Term & Termination

This DPA is effective from the date the Customer accepts the Terms of Service and shall remain in effect for the duration of the service agreement.

This DPA terminates automatically upon termination of the service agreement. The data processing obligations set out in this DPA shall survive termination until all Personal Data has been deleted or returned in accordance with the Data Retention & Deletion section above.

Contact

For questions about this Data Processing Agreement, please contact:

  • Borradh Technologies Limited
  • 72 Mount Prospect Avenue, Clontarf, Dublin 3, D03 XV79, Ireland
  • Email: privacy@borradh.io

See also our Privacy Policy and Data Deletion Policy.
