ElderWatch AIBack to home

Data Processing Agreement

ElderWatch AI — Data Processing Agreement (DPA)

Version 1.0.0 — Effective Date: [INSERT DATE]

This DPA is intended for GDPR Article 28 compliance and similar requirements under POPIA, Kenya DPA 2019, and other data protection regimes. Must be reviewed by qualified counsel.

1. Parties

This DPA forms part of the agreement between [INSERT COMPANY LEGAL NAME] ("Processor") and the Family Caregiver or organizational customer ("Controller") who determines the purposes of monitoring an Elder User.

2. Subject Matter and Duration

The Processor processes personal data on behalf of the Controller for the duration of the Controller's active subscription, plus the retention period defined in the Privacy Policy.

3. Nature and Purpose of Processing

Processing consists of: collection, storage, AI-based pattern analysis, and alert generation related to behavioral data described in the Privacy Policy, for the purpose of elderly behavioral anomaly detection and family notification.

4. Categories of Data Subjects

  • Elder Users (the monitored individuals)
  • Family Caregivers (account holders)

5. Categories of Personal Data

Device usage metadata, movement data, communication frequency metadata, location clusters, account identifiers, payment metadata.

6. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors:

| Sub-processor | Purpose | Location | |---|---|---| | Google Firebase / Google Cloud | Hosting, database, authentication | US / EU regions | | Paystack | Payment processing | Nigeria / South Africa | | Twilio | SMS and voice call escalation | US |

The Processor will notify the Controller of any new sub-processor and provide an opportunity to object.

7. Security Measures

Encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, audit logging, regular vulnerability scanning, and incident response procedures as described in our Security Policy.

8. Data Subject Rights Assistance

The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability) within a reasonable timeframe, not to exceed 30 days.

9. Breach Notification

The Processor will notify the Controller without undue delay, and in any case within 72 hours of becoming aware, of any personal data breach affecting the Controller's data.

10. International Transfers

Where data is transferred outside the EEA/UK, the Processor relies on Standard Contractual Clauses (SCCs) or an adequacy decision, as applicable.

11. Audit Rights

The Controller may request evidence of compliance (e.g., SOC 2 report, penetration test summary) once annually, subject to confidentiality terms.

12. Deletion or Return of Data

Upon termination of the agreement, the Processor will delete or return all personal data within 90 days, except where retention is required by law.

[INSERT COMPANY LEGAL NAME] — Signature blocks and execution details to be added during legal finalization.