AITACS CRM — AI Therapy Assistant Calendar Suite  |  skillbuilder.club
AITACS CRM — Legal Documentation

Data Processing Agreement

Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679

Effective Date: February 20, 2026  ·  Version: 1.0

Frameworks referenced: GDPR Article 28 · HIPAA Safe Harbor · Israeli PIPA

1. Parties

Data Controller

The User

A licensed psychotherapist, psychologist, coach, or counselor who subscribes to the AITACS CRM Service.

The Controller determines the purposes and means of processing End Client personal data.

Data Processor

Artem Chukov / AITACS CRM

Sole proprietor, registered in the State of Israel (osek patur / exempt dealer, registration no. 345086623).

The Processor processes personal data solely on behalf of and under the documented instructions of the Controller.

This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service between the Controller and the Processor (together, the "Parties").

2. Scope and Purpose of Processing

2.1. The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the AITACS CRM Service, including data storage, synchronization, and AI-assisted clinical analysis.

2.2. The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which the Processor is subject (Art. 28(3)(a) GDPR).

2.3. This DPA applies for the duration of the Controller's active subscription to the Service and for 90 days following termination (the data retention period).

3. Details of Processing (Annex I)

Annex I — Description of Processing

Subject matter: Provision of CRM and AI-assisted practice management for mental health professionals.
Duration: For the term of the Controller's subscription + 90 days retention period.
Nature of processing: Collection, storage, retrieval, synchronization, pseudonymization, de-identification, AI-assisted analysis, erasure.
Purpose: Enabling the Controller to manage client records, schedule sessions, record clinical notes, and obtain AI-generated insights.
Categories of data subjects: End Clients of the Controller (patients, therapy clients, coaching clients).
Categories of personal data: Pseudonyms, demographic data (age, gender, marital status, profession), clinical data (presenting complaints, psychiatric history, session notes, therapeutic goals, assessment results). See Privacy Policy §2 for full data flow table.
Special categories (Art. 9): Health data (clinical records, psychiatric history, therapy notes). Processing is based on the End Client's explicit consent obtained by the Controller.

4. Obligations of the Processor

In accordance with Article 28(3) of the GDPR, the Processor shall:

Process personal data only on documented instructions from the Controller, unless required by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), including: encryption of data in transit (TLS 1.2+), dual-layer de-identification before AI transmission, Firebase-based authentication with UID isolation, regular database backups, and server access controls.
Not engage another processor (subprocessor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller the opportunity to object (Art. 28(2) GDPR). Current subprocessors are listed in the Subprocessor List.
Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) by implementing appropriate technical and organizational measures (Art. 28(3)(e) GDPR). Response time: within 15 business days of receiving the Controller's request.
Assist the Controller in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to the Processor.
Notify the Controller without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach (Art. 33 GDPR). The notification shall include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage (Art. 28(3)(g) GDPR). The Processor shall provide data export in JSON format upon request.
Make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR). Audits shall be conducted with reasonable advance notice (minimum 14 days) and during normal business hours.

5. Obligations of the Controller

5.1. The Controller shall ensure that there is a lawful basis for all processing of personal data that it instructs the Processor to carry out, including obtaining explicit consent from End Clients for the processing of special category data (health data) pursuant to Article 9(2)(a) of the GDPR.

5.2. The Controller shall provide End Clients with an informed consent form prior to entering their data into the Platform. A template is provided at Informed Consent Template.

5.3. The Controller shall use pseudonyms (nicknames) exclusively when entering client data into AI-enabled sections of the Platform, as indicated by the application interface.

5.4. The Controller shall comply with the minimum security requirements set forth in the User Security Requirements document.

5.5. The Controller shall notify the Processor without undue delay if it becomes aware of any data breach involving data processed through the Platform.

6. Subprocessors

6.1. The Controller provides general written authorization for the Processor to engage the subprocessors listed in the Subprocessor List as of the effective date of this DPA.

6.2. The Processor shall notify the Controller at least 14 days in advance of any intended addition or replacement of subprocessors, providing the Controller with the opportunity to object.

6.3. If the Controller objects to a new subprocessor on reasonable data protection grounds and the Processor cannot accommodate the objection, the Controller may terminate the affected service component without penalty.

6.4. The Processor shall impose the same data protection obligations as set out in this DPA on each subprocessor by way of a contract (Art. 28(4) GDPR). The Processor remains fully liable for the performance of each subprocessor's obligations.

6.5. Current subprocessors and their data protection status:

Subprocessor: OpenAI, LLC (USA)
Function: AI processing
Data received: Pseudonym + de-identified clinical context only. No PHI per Safe Harbor.
Safeguard: OpenAI Data Processing Addendum (incorporates EU SCCs); zero-retention policy (0 days); data not used for model training; de-identified per 45 CFR §164.514(b).

Subprocessor: Hetzner Online GmbH (Germany)
Function: MySQL database hosting
Data received: All CRM data (encrypted in transit).
Safeguard: Hetzner Online GmbH DPA (incorporates EU SCCs); TLS 1.2+; server access controls.

Subprocessor: Google Firebase (USA)
Function: Authentication
Data received: Email address, Firebase UID.
Safeguard: Google DPA included; EU SCCs.

7. International Data Transfers

7.1. The Processor may transfer personal data to subprocessors located outside the EU/EEA (currently: United States) only where appropriate safeguards are in place in accordance with Chapter V of the GDPR.

7.2. The primary safeguard mechanism is Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914), incorporated via each subprocessor's own Data Processing Agreement: OpenAI — OpenAI Data Processing Addendum (incorporates EU SCCs); Google Firebase — Google Cloud Data Processing Terms (incorporates EU SCCs); Hetzner Online GmbH — Hetzner Online GmbH Data Processing Agreement (incorporates EU SCCs).

7.3. For data transmitted to OpenAI specifically: this data is de-identified per HIPAA Safe Harbor (45 CFR §164.514(b)) before transmission, which reduces the risk of the transfer. Note that the payload still carries the Controller's pseudonym for the End Client (see Section 6.5), and the Controller holds the information linking that pseudonym to the individual; under the GDPR such data is pseudonymized (Art. 4(5)) rather than anonymous (Recital 26) and remains personal data. Only data for which no reasonable means of re-identification exist falls outside the GDPR. De-identification is therefore an additional layer of transfer risk mitigation on top of the SCCs in Section 7.2, not a substitute for them.

Transfer Risk Assessment Summary

OpenAI: Low risk — data is de-identified before transfer; OpenAI DPA with SCCs in place; zero-retention policy; API data not used for training.
Hosting: Medium risk. Hetzner Online GmbH is located in Germany, so storage there is not a third-country transfer under Chapter V; the rating reflects that the database holds all CRM data, mitigated by TLS encryption, access controls, and the Hetzner Online GmbH DPA (which incorporates the EU SCCs).
Firebase: Low risk — limited to email and UID; Google Cloud DPA with SCCs in place.

8. Technical and Organizational Measures (Annex II)

Annex II — Security Measures

Encryption in transit: TLS 1.2+ for all communications between client, server, and third-party APIs.
Encryption at rest: AES-256 recommended for local storage (desktop). Server-side encryption per hosting provider standards.
De-identification: Dual-layer (client-side + server-side) HIPAA Safe Harbor compliant de-identification. All 18 identifier categories removed. Pattern scrubbing for residual PII. Audit markers on each processed object.
Authentication: Firebase Authentication with unique UID per user. 2FA recommended.
Access control: Data isolation by Firebase UID. No cross-user data access. Server API requires valid authentication token.
Backup: Regular encrypted database backups. Retention: 30 days. Backup deletion follows primary data deletion.
Breach detection: Server log monitoring. Anomalous access alerting. See Incident Response Policy.
Personnel: Sole proprietor operation. No third-party personnel have access to production data.
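The "pattern scrubbing for residual PII" and "audit markers on each processed object" lines above describe the server-side half of the dual-layer de-identification. The following is an added example of what such a layer looks like; it is not AITACS code and makes no claim about how the Platform implements it. It goes somewhat beyond the two lines it illustrates: it covers the Safe Harbor identifier categories that can be found by pattern in free text (dates, phone numbers, email addresses, SSNs, IP addresses, URLs, record numbers, ZIP codes), applies the Safe Harbor rule that ages over 89 must be aggregated (relevant because Annex I lists age among the demographic data), and attaches an audit marker recording what was removed, what remains for manual review, and a hash of the outgoing payload. The regexes, the field names, the marker name and the sample record are all assumptions made for the example; the record is constructed, not real client data.

```python
import hashlib
import json
import re

# Added example, not AITACS code. Second-layer (pattern) scrubber for the
# Safe Harbor identifier categories (45 CFR 164.514(b)(2)) that can be found
# mechanically in free text. Names, geography below state level and "any other
# unique identifying characteristic" cannot be found by pattern alone; the DPA
# relies on pseudonyms at the point of entry (Section 5.3) for those.
# Order matters: specific patterns run before broad ones (SSN before phone,
# date before phone, phone before ZIP) so each token is consumed exactly once.
_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("url", re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.I)),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("date", re.compile(r"\b(?:\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("phone", re.compile(r"(?:\+\d{1,3}[\s-]?)?\(?\d{2,4}\)?[\s-]?\d{3}[\s-]?\d{4}\b")),
    ("record_number", re.compile(
        r"\b(?:MRN|Acct|Account|Policy|ID)[\s#:]*(?=[A-Z-]*\d)[A-Z0-9-]{4,}\b", re.I)),
    ("zip_code", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]
# Safe Harbor keeps the year of a date but requires ages over 89 to be aggregated.
_AGE = re.compile(r"\b(aged?|age of)\s+(\d{1,3})\b", re.I)
_AGE_CAP = 89
_TEXT_FIELDS = ("presenting_complaint", "session_note")  # hypothetical field names


def scrub_text(text):
    """Replace detectable identifiers with category tokens; return (text, counts)."""
    counts = {}
    for name, pattern in _PATTERNS:
        text, n = pattern.subn(f"[{name.upper()}]", text)
        if n:
            counts[name] = n

    def cap_age(match):
        if int(match.group(2)) > _AGE_CAP:
            counts["age_over_89"] = counts.get("age_over_89", 0) + 1
            return f"{match.group(1)} 90+"
        return match.group(0)

    return _AGE.sub(cap_age, text), counts


def residual_digits(text):
    """Leftover runs of 4+ digits, flagged for manual review (category 18, 'any other unique code')."""
    return re.findall(r"\d{4,}", text)


def deidentify(record):
    """De-identify one client record (structured age + free-text fields).

    Returns a new dict with a '_deid' audit marker: which categories were removed,
    anything left for review, and a hash of the outgoing payload so the object
    sent to the AI layer can be matched to its audit entry later.
    """
    out = dict(record)
    counts = {}
    if isinstance(out.get("age"), int) and out["age"] > _AGE_CAP:
        out["age"] = "90+"
        counts["age_over_89"] = 1
    for field in _TEXT_FIELDS:
        if field in out:
            out[field], removed = scrub_text(out[field])
            for name, n in removed.items():
                counts[name] = counts.get(name, 0) + n
    payload = json.dumps(out, sort_keys=True).encode()
    out["_deid"] = {
        "method": "safe-harbor-pattern-v1",  # hypothetical marker name
        "removed": counts,
        "residual_review": residual_digits(" ".join(out[f] for f in _TEXT_FIELDS if f in out)),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return out


# Constructed sample record; not real client data.
SAMPLE = {
    "pseudonym": "Client-17",
    "age": 92,
    "session_note": (
        "Follow-up on 03/14/2024. Client reports panic episodes since moving; "
        "reachable at +1 415-555-0134 or c.17@example.org, MRN 00482-A. "
        "Neighbour at 94110 keeps calling."
    ),
}

if __name__ == "__main__":
    print(json.dumps(deidentify(SAMPLE), indent=2))
```

Two design points worth noting. First, a pattern layer is a safety net, not a complete Safe Harbor implementation: a client's name typed into a note, or a street or employer that identifies them, passes straight through, which is why Section 5.3's pseudonym rule at the point of entry is the layer that actually carries the weight. Second, the `residual_review` list is what turns the scrubber from a silent filter into something auditable: anything that still looks like an identifier after scrubbing is surfaced rather than assumed gone, and the payload hash lets a breach investigation establish exactly what left the server.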

9. Data Breach Notification

9.1. The Processor shall notify the Controller of any confirmed or suspected personal data breach without undue delay after becoming aware of it and in any event no later than 72 hours, consistent with Section 4 of this DPA and with Article 33(2) of the GDPR, so that the Controller can meet its own 72-hour deadline for notifying the supervisory authority under Article 33(1).

9.2. The notification shall include:

a) A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned;

b) The name and contact details of the Processor's contact point;

c) A description of the likely consequences of the breach;

d) A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

9.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.

9.4. For the parallel HIPAA breach notification obligation (60-day window per 45 CFR §164.410), see the Business Associate Agreement.

10. Data Protection Impact Assessment

10.1. Where the Controller is required to carry out a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR, the Processor shall provide reasonable assistance, taking into account the nature of processing and the information available to the Processor.

10.2. Given that the Platform processes special category data (health data) using automated means (AI analysis), the Controller is advised to conduct a DPIA before commencing use of the Platform in jurisdictions where this is required.

11. Term and Termination

11.1. This DPA shall remain in effect for the duration of the Controller's subscription to the Service and for as long as the Processor processes personal data on behalf of the Controller.

11.2. Upon termination of the Service, the Processor shall, at the Controller's choice:

a) Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON export); or

b) Delete all personal data and certify such deletion in writing.

11.3. If the Controller makes no election within the 90-day retention period, the Processor shall permanently delete all personal data.

11.4. The obligations of this DPA that by their nature should survive termination (including confidentiality, data deletion, and cooperation with audits relating to the processing period) shall survive termination.

12. Liability

12.1. Each Party shall be liable for damage caused by processing that infringes the GDPR in accordance with Article 82 of the GDPR.

12.2. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller (Art. 82(2) GDPR).

12.3. The Processor's aggregate liability under this DPA shall not exceed the amounts set forth in Section 7 of the Terms of Service.

13. Governing Law

13.1. This DPA shall be governed by and construed in accordance with the laws of the State of Israel, without prejudice to the mandatory provisions of the GDPR applicable to the Controller.

13.2. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution mechanism set forth in the Terms of Service.

14. Contact

For DPA-related inquiries, data subject right requests, or breach reports:

Artem Chukov — Data Processor
Email: aitacs@skillbuilder.club
Web: skillbuilder.club

Related Compliance Documents

Terms of Service · Privacy Policy · Business Associate Agreement (BAA) · Subprocessor List · User Security Requirements · Informed Consent Template · Incident Response Policy