
Data Processing Agreement

Last updated: January 30, 2025

Effective Date: January 30, 2025

This Data Processing Agreement ("DPA") forms part of the agreement between TechSci, Inc. (operating the Afilo platform) ("Data Processor" or "we") and you ("Data Controller" or "Customer") for the provision of Afilo enterprise software services.

This DPA governs the processing of personal data by TechSci, Inc. (operating the Afilo platform) on behalf of Customer and reflects our commitment to data protection, security, and compliance with HIPAA, SOC 2 Type II, and ISO 27001 standards.

1. Definitions

"Personal Data": Any information relating to an identified or identifiable natural person that is processed by Afilo on behalf of Customer.

"Data Controller": Customer (you), who determines the purposes and means of processing Personal Data.

"Data Processor": TechSci, Inc. (operating the Afilo platform), who processes Personal Data on behalf of Customer.

"Sub-Processor": Any third-party service provider engaged by Afilo to process Personal Data.

"Protected Health Information (PHI)": Health information defined under HIPAA (45 CFR § 160.103).

"Processing": Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Data Subject": The individual to whom Personal Data relates.

2. Scope of Data Processing

Subject Matter:

Provision of Afilo enterprise software platform and related services as described in the Terms of Service.

Duration of Processing:

From the date of account activation until 90 days after subscription termination, at which point all Customer data is permanently deleted unless otherwise required by law.

Nature and Purpose of Processing:

  • Provide platform functionality and features to Customer
  • Store and manage Customer account data and user information
  • Process transactions and billing
  • Provide customer support and troubleshooting
  • Ensure security, prevent fraud, and maintain service integrity
  • Comply with legal obligations and regulatory requirements

Types of Personal Data Processed:

  • Account Information: Name, email, company name, job title, phone number
  • Authentication Data: Hashed passwords, OAuth tokens, session identifiers
  • Usage Data: IP addresses, device information, activity logs, API calls
  • Billing Data: Payment information (processed by Stripe), billing address, tax ID
  • Support Data: Support tickets, chat logs, email communications
  • PHI (if applicable): Health information for HIPAA-covered customers with executed BAA

Categories of Data Subjects:

  • Customer's employees, contractors, and authorized users
  • Customer's clients and end users (if applicable)
  • Customer's patients or healthcare recipients (if HIPAA BAA in effect)

3. Data Processor Obligations

Afilo commits to:

  • Process only on instructions: Process Personal Data only as instructed by Customer or as required by applicable law
  • Confidentiality: Ensure personnel processing data are bound by confidentiality obligations
  • Security measures: Implement and maintain administrative, physical, and technical safeguards to protect Personal Data
  • Sub-processor management: Ensure Sub-Processors are contractually bound by equivalent data protection obligations
  • Assist with data subject rights: Provide reasonable assistance to Customer in responding to data subject requests
  • Data breach notification: Notify Customer of Personal Data breaches without undue delay
  • Deletion/return of data: Delete or return all Personal Data upon termination (subject to legal retention requirements)
  • Audit cooperation: Make available information necessary to demonstrate compliance and permit audits

Technical and Organizational Security Measures:

  • Encryption: AES-256 encryption at rest, TLS 1.3 encryption in transit
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA)
  • Audit Logging: Comprehensive audit trails for all data access and modifications
  • Network Security: Firewall protection, intrusion detection systems (IDS), DDoS mitigation
  • Vulnerability Management: Regular security assessments, penetration testing, patch management
  • Incident Response: 24/7 security monitoring, defined incident response procedures
  • Data Backup: Encrypted daily backups with 30-day retention, disaster recovery plan
  • Physical Security: SOC 2 certified data centers with restricted access, surveillance, environmental controls

4. Sub-Processors

Customer authorizes Afilo to engage the following Sub-Processors for processing Personal Data:

Sub-Processor | Purpose | Location
Vercel Inc. | Application hosting and deployment | United States
Amazon Web Services (AWS) | Cloud infrastructure and storage | United States
Stripe, Inc. | Payment processing (PCI DSS Level 1) | United States
Neon Inc. | Database services and management (PostgreSQL) | United States
Clerk.com | Authentication services | United States
Resend Inc. | Transactional email delivery | United States
Upstash Inc. | Rate limiting and caching (Redis) | United States

Sub-Processor Changes:

Afilo will provide 30 days' prior notice before engaging new Sub-Processors or replacing existing ones. Customer may object to new Sub-Processors within 14 days of notification. If Customer objects, Customer may terminate the subscription without penalty.

To receive Sub-Processor change notifications, send a subscription request to: dpo@techsci.io

5. Assistance with Data Subject Rights

Afilo will provide reasonable assistance to Customer in responding to requests from Data Subjects exercising their rights under applicable data protection laws.

Data Subject Rights Include:

  • Right of Access: Obtain confirmation of data processing and access to Personal Data
  • Right to Rectification: Correct inaccurate or incomplete Personal Data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of Personal Data (subject to legal retention requirements)
  • Right to Restrict Processing: Limit processing under certain circumstances
  • Right to Data Portability: Receive Personal Data in structured, commonly used, machine-readable format
  • Right to Object: Object to processing based on legitimate interests or for direct marketing

Afilo's Assistance:

Within 10 business days of a Customer request, Afilo will:

  • Provide export of Customer data in JSON or CSV format
  • Assist in correcting, deleting, or restricting data
  • Provide audit logs related to data subject's Personal Data
  • Cooperate with Customer's legal obligations under applicable privacy laws

Important: Customer is responsible for verifying data subject identity and determining the validity of requests. Afilo will not respond directly to data subject requests unless legally required.

6. Data Breach Notification

Afilo will notify Customer of any Personal Data breach without undue delay and in compliance with applicable law.

Notification Timeline:

  • Critical/High-Risk Breaches: Within 24 hours of discovery
  • General Data Breaches: Within 72 hours of discovery
  • HIPAA Breaches (PHI): Without unreasonable delay and in no case later than 60 calendar days after discovery, as required by the HIPAA Breach Notification Rule (45 CFR § 164.410)

Breach Notification Contents:

Afilo will provide Customer with the following information (to the extent known):

  • Nature of the breach (description of what happened)
  • Categories and approximate number of affected Data Subjects
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm
  • Contact information for further inquiries (security@techsci.io)

Afilo's Response Actions:

  • Immediate containment and mitigation of the breach
  • Investigation to determine cause, scope, and impact
  • Implementation of remediation measures to prevent recurrence
  • Cooperation with Customer's breach notification obligations to data subjects and regulators
  • Forensic analysis and incident report documentation

Security Incident Contact:

Email: security@techsci.io
Phone: +1 302 415 3171 (24/7 Security Hotline)
Encrypted Communication: PGP key available upon request

7. Security Audits and Certifications

Current Certifications:

  • SOC 2 Type II: Annual audit by independent third-party (most recent: 2024)
  • ISO 27001:2022: Information Security Management System certification
  • HIPAA Compliance: Administrative, physical, and technical safeguards implemented
  • PCI DSS: Payment Card Industry compliance via Stripe (Level 1 Service Provider)

Customer Audit Rights:

Customer may audit Afilo's compliance with this DPA once per year, subject to the following conditions:

  • Notice: Provide 30 days' advance written notice
  • Scope: Limited to data processing activities relevant to Customer
  • Non-Disruption: Conducted during business hours without disrupting operations
  • Confidentiality: Auditor must execute NDA before accessing systems
  • Cost: Customer bears all audit costs unless non-compliance is found

Audit Alternatives:

In lieu of on-site audits, Customer may request:

  • Copy of most recent SOC 2 Type II report
  • ISO 27001 certificate and Statement of Applicability (SoA)
  • Completed security questionnaire (annually)
  • Third-party penetration test results summary

To request audit documentation, contact: compliance@techsci.io

8. Data Retention and Deletion

Retention Period:

Afilo retains Customer Personal Data for the duration of the subscription plus 90 days after termination.

Data Type | Retention Period
Account & User Data | 90 days post-cancellation
Usage Logs & Analytics | 90 days post-cancellation
PHI (if HIPAA BAA) | 90 days post-cancellation (unless longer retention is required by law)
Billing Records | 7 years (tax/legal compliance)
Backups | 30 days rolling (deleted after 30 days)
Security Logs | 1 year (security/compliance)

Deletion Process:

Upon subscription termination or Customer request, Afilo will:

  1. Immediate: Revoke Customer access to the platform
  2. Within 7 days: Provide option to export all Customer data (JSON/CSV format)
  3. Within 90 days: Permanently delete all Customer data from production systems
  4. Within 120 days: Delete all data from backups and archives (as backups expire)
  5. Certification: Provide written confirmation of deletion upon request

Legal Retention Exceptions:

Afilo may retain certain data beyond the 90-day period if required by law (e.g., billing records for tax compliance, security logs for regulatory requirements). Such retention will be limited to the minimum required by law.

9. International Data Transfers

Afilo operates in the United States and in the approved international markets listed below. We do NOT process data from individuals located in the European Union (EU) or European Economic Area (EEA).

Data Storage Locations:

  • Primary: United States (AWS US-East-1, Vercel US regions)
  • Backup: United States (geographically redundant US data centers)
  • Sub-Processors: Primarily US-based (see Section 4 for complete list)

Approved Regions for Customer Data:

Customer data may be processed for customers located in:

  • United States (primary market)
  • Canada (PIPEDA compliance)
  • United Kingdom (UK GDPR and Data Protection Act 2018)
  • Australia (Privacy Act 1988)
  • New Zealand
  • Singapore
  • Japan

EU/EEA Exclusion:

Afilo does NOT offer services to customers in the EU/EEA. By using our services, Customer represents that it is not located in the EU/EEA and will not process Personal Data of EU/EEA residents using our platform. See our Privacy Policy Section 2 for the complete list of excluded countries.

10. Return and Deletion of Customer Data

Upon termination or expiration of the subscription, Customer may choose to:

Option 1: Data Export

  • Format: JSON, CSV, or API export
  • Timeline: Available for 90 days after cancellation
  • Process: Self-service export from dashboard or request via support@techsci.io
  • Cost: No additional charge for standard exports (large data sets may incur fees)

Option 2: Immediate Deletion

  • Request: Email dpo@techsci.io with deletion request
  • Timeline: Deletion within 30 days of request
  • Certification: Written confirmation of deletion provided upon request
  • Irreversible: Once deleted, data cannot be recovered

Deletion Exclusions:

The following data may be retained beyond deletion request for legal compliance:

  • Billing records and invoices (7 years for tax compliance)
  • Security logs (1 year for incident investigation)
  • Aggregated/anonymized analytics (no Personal Data)
  • Data required by court order, subpoena, or legal hold

11. Liability and Indemnification

Limitation of Liability:

To the maximum extent permitted by law, Afilo's total liability arising out of or related to this DPA (whether in contract, tort, or otherwise) shall not exceed the fees paid by Customer in the 12 months prior to the event giving rise to liability.

Indemnification by Afilo:

Afilo will indemnify, defend, and hold harmless Customer from third-party claims arising from:

  • Afilo's breach of this DPA
  • Afilo's violation of applicable data protection laws
  • Unauthorized disclosure of Customer data by Afilo
  • Afilo's gross negligence or willful misconduct

Indemnification by Customer:

Customer will indemnify Afilo from third-party claims arising from:

  • Customer's breach of this DPA or Terms of Service
  • Customer's violation of applicable laws (including privacy laws)
  • Customer's unauthorized instructions to process data
  • Customer content or data that violates third-party rights

Insurance:

Afilo maintains cyber liability insurance with coverage of at least $5,000,000 per incident. Certificate of insurance available upon request.

12. HIPAA Business Associate Addendum (If Applicable)

For Customers who are Covered Entities or Business Associates under HIPAA, the following additional terms apply:

Permitted Uses and Disclosures of PHI:

Afilo may use and disclose PHI only as permitted by this DPA, the BAA, and HIPAA (45 CFR Parts 160 and 164).

HIPAA Safeguards:

  • Administrative Safeguards: Security management process, workforce training, contingency planning
  • Physical Safeguards: Facility access controls, workstation security, device and media controls
  • Technical Safeguards: Access controls (RBAC), audit controls, integrity controls, transmission security

Breach Notification (HIPAA):

Afilo will notify Customer of any unauthorized use or disclosure of PHI without unreasonable delay and in no case later than 60 calendar days after discovery, as required by 45 CFR § 164.410 (HIPAA Breach Notification Rule).

Patient Rights Assistance:

Afilo will provide access to PHI in electronic health record format within 30 days of Customer request to enable Customer to meet HIPAA patient access requirements (45 CFR § 164.524).

Minimum Necessary:

Afilo will limit PHI use, disclosure, and requests to the minimum necessary to accomplish the intended purpose, as required by 45 CFR § 164.502(b).

Subcontractors (HIPAA):

All Sub-Processors with access to PHI will execute Business Associate Agreements with equivalent HIPAA obligations.

Request Business Associate Agreement (BAA):

To execute a HIPAA BAA, contact: hipaa@techsci.io
A BAA is typically executed within 5 business days of the request.

13. Governing Law and Dispute Resolution

This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles.

Any disputes arising from this DPA will be resolved in accordance with the dispute resolution procedures outlined in our Dispute Resolution Policy, including mandatory arbitration under the American Arbitration Association (AAA) rules.

Dispute Resolution Process:

  1. Informal resolution via support@techsci.io (30 days)
  2. Formal written complaint to legal@techsci.io (60 days)
  3. Mediation (optional, non-binding)
  4. Binding arbitration (mandatory, AAA rules, Delaware venue)

14. Data Protection Contacts

Data Protection Officer (DPO):
Email: dpo@techsci.io
Phone: +1 302 415 3171
Mail: TechSci, Inc. (operating the Afilo platform), 1111B S Governors Ave STE 34002, Dover, DE 19904

Privacy Inquiries:
Email: privacy@techsci.io

Security Incidents:
Email: security@techsci.io
24/7 Hotline: +1 302 415 3171

HIPAA BAA Requests:
Email: hipaa@techsci.io

Compliance & Audit Requests:
Email: compliance@techsci.io

15. Amendment and Termination of DPA

Amendments:

Afilo may update this DPA from time to time to reflect changes in law, regulations, or business practices. Material changes will be communicated to Customer via email at least 30 days before taking effect.

Continued use of Afilo services after the effective date of changes constitutes acceptance of the updated DPA. If Customer does not agree to changes, Customer may terminate the subscription without penalty by providing written notice within 30 days of notification.

Termination:

This DPA remains in effect for the duration of the subscription and automatically terminates upon subscription cancellation, subject to data retention periods outlined in Section 8.

Survival:

The following provisions survive termination: Section 6 (Data Breach Notification), Section 8 (Data Retention and Deletion), Section 10 (Return and Deletion of Data), Section 11 (Liability and Indemnification).

16. Entire Agreement

This Data Processing Agreement, together with the Terms of Service, Privacy Policy, and any executed Business Associate Agreement (if HIPAA applicable), constitutes the entire agreement between Customer and Afilo regarding data processing and supersedes all prior or contemporaneous understandings.

In the event of conflict, the order of precedence is: (1) Business Associate Agreement (if executed), (2) Data Processing Agreement, (3) Terms of Service, (4) Privacy Policy.

Acknowledgment

By using Afilo's services, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement.

For questions about this DPA or to request a signed copy, contact: dpo@techsci.io