Data Processing Agreement (DPA)
Last Updated: May 10, 2026
This Data Processing Agreement (“DPA”) forms part of the Master Service Agreement or Terms of Service (the “Agreement”) between Psynth, Inc. (“Psynth”, “Processor”) and the customer entity signatory to the Agreement (“Customer”, “Data Controller”).
1. Scope, Roles, and Shared Responsibility
- 1.1 Roles. Customer acts as a Data Controller. Psynth acts as a Data Processor regarding Patient Data.
- 1.2 Shared Responsibility Model. Psynth is responsible for the security and integrity of the Platform infrastructure and the managed services it provides. Customer is responsible for its secure use of the Platform, including the protection of account credentials (e.g., strong passwords), the lawful basis for data collection, and the configuration of any Customer-controlled settings.
- 1.3 Bifurcation of Data. Psynth acts as a Processor for Patient PII/PHI. Psynth acts as a Controller for Psychologist PII used for account management and marketing.
2. Processing and Instructions
- 2.1 Documented Instructions. Psynth shall process Regulated Data only on documented instructions from Customer.
- 2.2 Infringing Instructions. Psynth shall immediately notify Customer if an instruction, in its opinion, infringes the GDPR, UK GDPR, or other applicable Union or Member State data protection provisions.
- 2.3 Purpose Limitation and Restriction on Secondary Use:
- (a) Primary Purpose. Psynth shall process, store, use, and disclose Customer Regulated Data solely for the purpose of providing the Services to Customer under the Agreement, including any necessary technical operations to support, secure, and maintain the Services.
- (b) No Secondary Use. Psynth shall not use Customer Regulated Data, whether identified or de-identified, for any secondary purpose, including without limitation: (i) training, fine-tuning, or improving any artificial intelligence, machine learning, or large language model owned or operated by Psynth or any third party; (ii) creating aggregate datasets, benchmarks, or derivative products for use beyond the provision of Services to Customer; or (iii) any commercial purpose external to Customer's use of the Services. This restriction applies notwithstanding any contrary provision in the Master Services Agreement, the Terms of Service, or Psynth's Privacy Policy.
- (c) Prior Written Authorization Required. Any proposed use of Customer Regulated Data outside the scope of Section 2.3(a) requires Customer's prior written authorization. Customer may grant, withhold, condition, or revoke such authorization in its sole discretion. Silence does not constitute authorization.
- (d) Sub-processor AI Confirmation. Psynth confirms that no sub-processor processing Regulated Data uses such data to train, fine-tune, or improve any model, dataset, or commercial product. All AI sub-processor relationships operate under zero-retention configurations and executed Business Associate Agreements as set forth in Annex II and Section 5. For the avoidance of doubt, this restriction expressly applies to audio data, transcripts, and any derivative outputs generated through the Ambient Listening feature, all of which constitute Regulated Data subject to this Section.
- (e) Permitted Operational Use. Nothing in this Section restricts Psynth's ability to perform technical operations necessary to deliver, secure, support, troubleshoot, or maintain the Services, including: monitoring for abuse or security threats; routing and load balancing; backup and disaster recovery; aggregated, non-identifying operational metrics (e.g., system uptime, error rates, latency) that do not contain or derive from Regulated Data content; and lawful compliance with regulatory or legal obligations.
3. Security and Breach Notification
- 3.1 Technical Measures. Psynth implements measures including AES-256 encryption at rest, TLS 1.3 in transit, and enforced Multi-Factor Authentication (MFA).
- 3.2 Compliance. Psynth maintains an information security program aligned with SOC 2 (Type 1 report) and ISO 27001 (Stage 1 audit).
- 3.3 Breach Notification. Psynth shall notify Customer of any Regulated Data Breach or DPA Security Incident within 72 hours of discovery.
- 3.4 Ambient Listening Processing. Where Customer enables the Ambient Listening feature:
- (a) Audio Processing in Transit. Audio is transmitted via TLS 1.3 to a zero-retention endpoint operated by Psynth's authorized transcription sub-processor (as identified in Annex II), transcribed in real time, and discarded at the sub-processor without persistent storage. Psynth does not retain audio recordings at rest in its infrastructure.
- (b) Transcript Storage. Transcripts and any AI-generated summaries derived from Ambient Listening are stored at rest within the Customer's regional cluster in accordance with Section 10 (Data Residency), encrypted with AES-256, and subject to the deletion provisions in Section 8.
- (c) Access Restrictions. Access to transcripts and Ambient Listening derivatives is limited to:
- (i) the Customer users authorized by Customer's account administrators; and
- (ii) Psynth personnel performing narrowly defined incident response, security investigation, or technical support functions, in accordance with Psynth's documented access control policies.
4. Government Request Transparency (Schrems II)
- 4.1 Redirection. If Psynth receives a legally binding request from a public authority (e.g., law enforcement or government agency) for access to Customer Data, Psynth will attempt to redirect the authority to the Customer.
- 4.2 Notification. Unless legally prohibited, Psynth will notify Customer of any such demand to allow Customer to seek a protective order.
- 4.3 Challenging Requests. Psynth agrees to review and challenge any demand for Customer Data that is over-broad or unlawful under applicable law, particularly where such a demand conflicts with EU or UK data protection obligations.
5. Sub-processors
- 5.1 Authorization. Customer grants general authorization for the sub-processors listed in Annex II.
- 5.2 Notice & Objection. Psynth shall provide 30 days’ notice of any change to sub-processors. Customer has 15 days to object via support@psynth.ai. If an objection cannot be resolved, Customer may terminate the Agreement.
- 5.3 Sub-processor Obligations. Psynth shall not engage any sub-processor (including, for clarity, any provider of artificial intelligence, machine learning, or large language model services) for the processing of Regulated Data unless that sub-processor has entered into a written agreement with Psynth containing data protection, security, and confidentiality obligations no less protective than those Psynth has undertaken to Customer under this DPA, the Master Services Agreement, and any executed Business Associate Agreement. Psynth confirms that, as of the Effective Date, all sub-processors processing Regulated Data have executed such agreements, including a Business Associate Agreement where the sub-processor processes Protected Health Information. Psynth shall remain liable to Customer for the acts and omissions of its sub-processors to the same extent as if performed by Psynth.
6. International Transfers
- 6.1 Data Residency. See Section 10 below.
- 6.2 Transfer Mechanism. For any cross-border transfers, the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses are incorporated herein by reference.
7. Audits and Compliance Assistance
- 7.1 Audit Reports. Customer's right to audit is primarily satisfied by Psynth providing its Security Packet, which includes Psynth's most recent SOC 2 report, ISO 27001 audit results, and supporting compliance documentation as available. The composition of the Security Packet may evolve as additional certifications are completed.
- 7.2 Audits. If the Security Packet is insufficient to demonstrate compliance, Customer may conduct a focused audit. Such audits must be:
- (i) requested with reasonable notice;
- (ii) conducted during business hours;
- (iii) subject to a strict Non-Disclosure Agreement (NDA); and
- (iv) performed at the Customer's sole expense.
8. Deletion and Return
- 8.1 Post-Termination Deletion. Psynth shall automatically and permanently delete all Patient Data (PII/PHI) within 90 days of contract termination, unless retention is required by law. Patient Data subject to this Section includes transcripts and AI-generated derivatives produced through the Ambient Listening feature. Audio recordings are not retained by Psynth and therefore are not subject to a post-termination deletion period.
- 8.2 Verification. Written certification of deletion is available to the Customer upon request.
9. Liability and Governing Law
- 9.1 Liability Cap. Each party's total aggregate liability arising out of or related to this DPA shall be subject to, and counted toward, the limitations of liability set forth in the Master Services Agreement, including the 2x super cap for data breach claims set forth therein. The carve-outs in Section 9.2 below apply notwithstanding any such cap.
- 9.2 Carve-outs. Notwithstanding Section 9.1, nothing in this DPA limits or excludes either party's liability for:
- (a) fraud or fraudulent misrepresentation;
- (b) willful misconduct or gross negligence;
- (c) liability that cannot be limited or excluded under applicable law, including under the GDPR, UK GDPR, or other applicable data protection laws; or
- (d) a party's indemnification obligations under the Master Services Agreement.
- 9.3 Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the laws specified below, based on the Customer's place of establishment, and the parties submit to the exclusive jurisdiction of the corresponding courts:
| Customer Establishment | Governing Law | Exclusive Jurisdiction |
|---|---|---|
| European Union / EEA | Laws of Ireland | Courts of Dublin, Ireland |
| United Kingdom | Laws of England and Wales | Courts of London, England |
| Canada | Laws of the Province of Ontario and the federal laws of Canada applicable therein | Courts of Toronto, Ontario |
| Australia | Laws of New South Wales | Courts of New South Wales |
| All other jurisdictions | Laws of the State of Oklahoma | State and federal courts located in Tulsa County, Oklahoma, United States |
- 9.4 Conflict with Governing Agreement. In the event of any conflict or inconsistency between this Section 9 and the liability or governing law provisions of the Master Services Agreement:
- (a) the liability carve-outs set forth in Section 9.2 shall apply notwithstanding any limitation or cap on liability in the Master Services Agreement, including the 2x super cap for data breach claims; and
- (b) the governing law and jurisdiction provisions set forth in Section 9.3 shall control with respect to any dispute arising out of or related to this DPA, the processing of Regulated Data, or the obligations of either party under Applicable Privacy Laws.
10. Data Residency
- 10.1 Storage Location. Psynth attests that Customer Regulated Information and Protected Health Information ("Regulated Data") is stored at rest within the Customer's local jurisdiction, as follows:
- (i) Canadian customers, within Canada (AWS ca-central-1, Montreal);
- (ii) Australian customers, within Australia (AWS ap-southeast-2, Sydney);
- (iii) European Union / EEA customers, within the European Union (AWS eu-west-1, Ireland); and
- (iv) United Kingdom customers, within the United Kingdom (AWS eu-west-2, London). Until the United Kingdom region is operational, UK Customer Regulated Data is stored within the European Union (AWS eu-west-1, Ireland) under the United Kingdom's adequacy decision for the European Union.
- 10.2 Customer Responsibility and Changes. Customer is solely responsible for the accuracy of its jurisdiction designation at sign-up. Any change to a Customer's jurisdiction, or request relating to data residency, must be submitted to support@psynth.ai. Psynth will complete tenant migration to the new jurisdiction's regional cluster, including deletion of Regulated Data from the prior region and corresponding updates to backups, audit logs, and supporting systems, within thirty (30) days of receipt of a complete request. Psynth's residency commitment under this Section is conditional upon the accuracy of the Customer's jurisdiction designation.
- 10.3 Scope. This attestation applies to Regulated Data at rest. Ancillary processing necessary to operate the Service, including transient processing by zero-retention sub-processors operating under executed Business Associate Agreements and Data Processing Addenda, is governed by Sections 2, 3 and 5 of this DPA.
11. Patient Consent for Ambient Listening
- 11.1 Customer Responsibility. Customer represents and warrants that, prior to enabling the Ambient Listening feature for any patient session, Customer has obtained all necessary consents from the data subject (patient, or the patient's authorized representative in the case of minors or incapacitated individuals) for the recording, transcription, and processing of session audio under all applicable laws, including but not limited to: the Health Insurance Portability and Accountability Act (HIPAA); applicable U.S. state laws governing recording and consent, including two-party consent jurisdictions; the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health privacy laws; and the General Data Protection Regulation (GDPR) and UK GDPR.
- 11.2 Documentation. Customer is solely responsible for obtaining, documenting, and maintaining records of patient consent. Psynth's in-product confirmation mechanisms (including any pre-session consent acknowledgment) are operational tools provided for Customer's convenience and do not transfer the underlying legal obligation from Customer to Psynth.
- 11.3 Indemnification. Customer shall indemnify Psynth against any claims, damages, or regulatory actions arising from Customer's failure to obtain valid patient consent for Ambient Listening, except to the extent such claims arise from Psynth's breach of this DPA or the Master Services Agreement.
- 11.4 Suspension Right. Psynth reserves the right to suspend or restrict Customer's, or any specific user's, access to the Ambient Listening feature if Psynth has a reasonable basis to believe Customer is using the feature in violation of applicable consent requirements. Psynth will provide written notice and, where feasible, an opportunity to cure prior to suspension.
Annex I: Details of Processing
- Subject Matter. SaaS psychological reporting platform.
- Data Subjects. Licensed psychologists and their patients (including minors).
- Data Categories. Special category health data, assessment results, clinical notes, identifying PII, and, where Customer enables the Ambient Listening feature, transcripts of patient sessions and any AI-generated summaries or clinical observations derived from such transcripts. Audio recordings processed through Ambient Listening are transcribed in transit and discarded; Psynth does not retain audio at rest.
Annex II: Authorized Sub-processors
| Service Provider | Legal Entity | Function |
|---|---|---|
| Cloud Hosting | Amazon Web Services EMEA SARL | Primary Hosting (EU Region) |
| Database | MongoDB, Inc. | Managed Database Services |
| AI Synthesis | Anthropic, PBC / OpenAI, L.L.C. / Google LLC / Assembly AI | AI Model Processing |
| Analytics | PostHog, Inc. | Product Usage Analytics |
| Error Tracking | Functional Software, Inc. (Sentry) | Stability Monitoring |
| Payments Processing | Stripe, LLC | Subscription & Usage Payments |
| Audio Transcription | Assembly AI, Inc. | Speech AI / Speech-to-Text API |
Privacy Contact: Stephen Stearman, CEO
Email: support@psynth.ai
