Vailar AI

Data Processing Agreement

Standard data processing terms for international clinics, distributors and enterprise customers using Vailar AI.

Version: v1.0.0 · Last updated: May 2026 · Effective: May 2026 · GDPR · UK GDPR · International transfers

01

Definitions

  • Controller — the customer that determines the purpose and means of processing personal data.
  • Processor — Vailar AI, processing personal data on the Controller's behalf.
  • Personal Data — any information relating to an identified or identifiable natural person.
  • Subprocessor — a third-party service engaged by Vailar AI to support the platform.

02

Scope and roles

This DPA applies whenever the customer (acting as Controller) uses Vailar AI to process Personal Data of patients, clinic staff or end users.

Vailar AI processes Personal Data only on documented instructions from the Controller, including to provide, secure and improve the platform.

03

GDPR principles

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

04

Security measures

  • Encryption in transit and at rest
  • Logical access controls and least-privilege principles
  • Hardened cloud infrastructure with continuous monitoring
  • Vulnerability management and dependency scanning
  • Documented incident response procedures

05

Subprocessors

The Controller authorizes Vailar AI to engage qualified subprocessors, subject to written terms that impose data protection obligations no less protective than this DPA. A current list is available on request, and material changes are communicated in advance to allow reasonable objection.

06

International transfers

Where Personal Data is transferred outside the EEA, UK or Switzerland, Vailar AI relies on appropriate safeguards including the European Commission's Standard Contractual Clauses and equivalent UK and Swiss addenda.

07

Data subject rights

Vailar AI provides reasonable assistance to the Controller in responding to data subject requests for access, rectification, erasure, restriction, portability and objection.

08

Retention and deletion

Personal Data is retained only for as long as necessary to provide the platform or as required by applicable law. On termination, Personal Data is deleted or returned to the Controller within a commercially reasonable period, subject to backup retention cycles.

09

Audit and reporting

Vailar AI makes available reasonable information necessary to demonstrate compliance with this DPA. Enterprise customers may request audit reports under confidentiality.

10

Personal Data Breach notification

Vailar AI notifies the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data, including known facts and remediation steps.

Get in touch

For questions about this document, reach our legal team.

privacy@vailarai.com

Revision history

Every update to this document is logged to support compliance and audit needs.

Version    Date        Summary of changes
v1.0.0     May 2026    Initial publication of this document.

Current version v1.0.0 · Effective May 2026 · Last updated May 2026
