DATA PROCESSING AGREEMENT

Data Processing Agreement (DPA)

Between Company and MediReady (Processor)

Between:

Company (as defined in the Principal Agreement)

and

MediReady (Processor)

Effective Date: [DATE]

1. Definitions

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” —: this Data Processing Agreement and all Annexes.
1.1.2 “Company Personal Data” —: any Personal Data Processed by Processor on behalf of Company pursuant to or in connection with the Principal Agreement.
1.1.3 “Contracted Processor” —: a Subprocessor.
1.1.4 “Data Protection Laws” —: EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including Sweden's supplementary national provisions.
1.1.5 “EEA” —: the European Economic Area.
1.1.6 “EU Data Protection Laws” —: EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “GDPR” —: EU General Data Protection Regulation 2016/679.
1.1.8 “Services” —: the compliance documentation and audit analysis platform provided by MediReady.
1.1.9 “Subprocessor” —: any person appointed by or on behalf of Processor to process Personal Data on behalf of Company.

1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the Company's documented instructions.

2.2 The Company instructs Processor to Process Company Personal Data for the sole purpose of providing the Services as defined in the Principal Agreement.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement. All such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Processor shall implement the following technical and organizational measures to secure Company Personal Data, taking into account the administrative nature of the Processing and the absence of sensitive patient data:

4.1.1 Technical Measures

All data transmission occurs over TLS 1.2 or higher encryption
HSTS (HTTP Strict Transport Security) enforced on all endpoints
No mixed content (HTTP/HTTPS) allowed
No cookies, trackers, or background data collection
No storage of Company Personal Data on Processor systems after audit completion

4.1.2 Organizational Measures

Stateless processing architecture: inputs are processed in memory only
Inputs are deleted immediately upon audit completion, no retention
Access to processing systems restricted to Processor personnel with documented need-to-know
All personnel subject to confidentiality obligations (see §3)
Audit logging of all processing activities for compliance verification
No use of Company Personal Data for model training, improvement, or any purpose outside the documented audit instructions

4.1.3 Subprocessor Security

Inference engine operates under signed Business Associate Agreement (BAA) with no training use of input data
All Subprocessors maintain equivalent security controls as described in this section

4.2 Processor acknowledges that the stateless, non-retention design significantly reduces data protection risk and is a central feature of this Security architecture.

5. Subprocessing

5.1 Processor shall not appoint or disclose any Company Personal Data to any Subprocessor unless required or authorized by the Company in writing.

5.2 Authorized Subprocessors

The following subprocessors are pre-authorized to process Company Personal Data on behalf of Processor in connection with the Services:

Subprocessor	Function	Location	BAA/DPA	Data Retention
Mistral AI (mistral.ai)	LLM inference for audit analysis	EU	Signed BAA, no training use	None (stateless)

5.3 No Other Subprocessors

Processor uses no other subprocessors. There are no hosting providers, CDNs, analytics services, or any other third-party systems that receive Company Personal Data. All processing occurs within Processor's controlled environment.

5.4 Notification of New Subprocessors

Processor may add new subprocessors only with prior written consent from Company. Processor shall notify Company at least 30 days before any new subprocessor begins processing Company Personal Data, providing:

Name and location of the subprocessor
Description of processing activities
Data protection safeguards (BAA, DPA, or equivalent)
Data retention period

5.5 Objection Rights

If Company objects to the appointment of a new subprocessor on reasonable data protection grounds, Company may:

Terminate the affected Services without penalty
Request an alternative subprocessor

5.6 Subprocessor Liability

Processor remains fully liable to Company for the performance of any Subprocessor's obligations under this Agreement.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company's obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Processor shall:

6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws.

7. Personal Data Breach

7.1 Breach Notification Timeline

Processor shall notify Company of any suspected or confirmed Personal Data Breach affecting Company Personal Data within 24 hours of discovery, and in no case later than by end of business on the next calendar day. Notification shall be provided to Company's designated security contact via email.

7.2 Breach Notification Content

Notification shall include:

Nature and scope of the breach
Categories of Company Personal Data affected
Likely consequences for the data subject(s)
Measures taken or proposed to address the breach and mitigate harm
Processor's point of contact for further information
Estimated timeline for full investigation report

This information shall be sufficient to enable Company to:

Assess risk and determine whether notification to data subjects is required
Notify the Swedish Data Protection Authority (IMY) within the GDPR Article 33 timeline (72 hours from discovery)
Satisfy any regulatory or legal reporting obligations

7.3 Cooperation and Remediation

Processor shall:

Immediately suspend processing until the breach is contained
Conduct a forensic investigation and provide a detailed written report within 5 business days
Implement corrective actions to prevent recurrence
Cooperate fully with Company's incident response, including provision of logs, forensic data, and witness statements
Reimburse Company for reasonable costs of breach investigation and remediation
Maintain documentation of the breach, investigation, and remediation for at least 3 years

7.4 Breach Prevention

In light of the stateless architecture, Company acknowledges that Processor's default position is zero retention of Company Personal Data post-audit, which substantially mitigates breach risk.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Company Personal Data by Processor.

9. Deletion or Return of Company Personal Data

9.1 Deletion on Service Cessation

Upon written termination notice from Company or upon cessation of Services, Processor shall execute the following deletion protocol:

9.1.1 Immediate Actions (within 24 hours)

Cease all processing of Company Personal Data
Delete all audit run data, inputs, and outputs from active production systems
Disable all access to Company Personal Data by Processor personnel

9.1.2 Backup and Archive Purge (within 10 business days)

Purge all backups containing Company Personal Data from all systems
Delete all archived logs and audit trails containing references to Company Personal Data
Certify completion in writing to Company

9.1.3 Subprocessor Coordination (within 10 business days)

Instruct all Subprocessors (including Mistral AI) to delete Company Personal Data
Obtain written confirmation of deletion from each Subprocessor
Provide evidence of deletion to Company

9.2 Deletion on Request

Company may request deletion of Company Personal Data at any time during the Services. Processor shall comply with the deletion protocol in §9.1 within 5 business days of such request.

9.3 Certification of Deletion

Within 15 business days of the Cessation Date or upon Company's deletion request, Processor shall provide Company with:

Written certification that all Company Personal Data has been deleted
List of all systems from which data was deleted
Confirmation of Subprocessor deletion
Any exceptions (e.g., legally required retention documented)

9A. AI Processing and Transparency

9A.1 AI Model Disclosure

Processor uses the following Large Language Model (LLM) for inference and audit analysis:

Model: Mistral Large (latest version at time of audit)
Provider: Mistral AI (mistral.ai)
Jurisdiction: EU
Purpose: Analysis of Company Personal Data for compliance findings and audit recommendations only

Processor shall notify Company of any material change to the AI model (e.g., model upgrade, provider change) at least 30 days before implementation.

9A.2 No Training Use

Processor warrants that:

Company Personal Data is not used to train, fine-tune, or improve the AI model
Company Personal Data is not used for model evaluation or benchmarking
Company Personal Data is not aggregated, anonymized, or used for any secondary purpose
All inferences are performed under a signed Business Associate Agreement (BAA) with Mistral AI that explicitly prohibits training use

9A.3 Human Oversight

Processor maintains the following human oversight controls:

All findings flagged as “CRITICAL” are reviewed by a qualified human auditor before delivery to Company
High-confidence findings (“HIGH”) are reviewed by automated quality checks before delivery
All audit reports include metadata identifying which findings received human review
Company may request human review of any specific finding

9A.4 Output Accuracy and Limitations

Processor acknowledges that AI-generated audit findings may contain errors, false positives, or incomplete analysis. Processor therefore:

Labels all findings with confidence levels (CRITICAL, HIGH, MEDIUM, LOW, INFO)
Provides source citations for each finding
Disclaims any warranty that findings are 100% accurate or complete
Recommends that Company apply independent professional judgment before acting on findings
Does not substitute for professional legal or compliance counsel

9A.5 Bias and Fairness

Processor acknowledges potential for AI model bias and commits to:

Monitoring for systematic bias in audit findings
Disclosing known biases or limitations upon request
Accepting feedback from Company regarding suspected bias and incorporating findings into model performance tracking
Maintaining an audit log of all bias reports and remediation actions

9A.6 Transparency and Documentation

Upon request, Processor shall provide Company with:

Documentation of the Mistral Large model's training data, architecture, and known limitations
Copy of the signed BAA with Mistral AI confirming no training use
Audit logs showing which specific Company Personal Data was processed and when
Explanation of how specific findings were derived

9A.7 Alignment with IMY Guidance

Processor confirms that its use of AI aligns with the Swedish Data Protection Authority (IMY) guidance on AI and GDPR, including:

Transparency about AI use in processing personal data
Human oversight of consequential decisions
Documented risk assessments and mitigation measures
Regular audits of AI system performance and fairness

Processor maintains documentation demonstrating compliance with these principles and provides such documentation to Company or IMY upon request.

10. Audit Rights

10.1 Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company.

10.2 Information and audit rights of the Company only arise to the extent that this Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. Data Transfer

11.1 Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company.

11.2 All processing occurs within the European Economic Area (EEA). Mistral AI performs inference within the EU.

11.3 If any future data transfer occurs outside the EEA, EU Standard Contractual Clauses (SCCs) shall apply per GDPR Article 46.

12. General Terms

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law
(b) the relevant information is already in the public domain

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement.

13. Governing Law & Jurisdiction

13.1 This Agreement is governed by the laws of Sweden.

13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Sweden, subject to possible appeal to the Swedish Federal Supreme Court in Stockholm.

Annex 1 — Technical Specifications and Subprocessors

Part A: Processing Details

Element	Specification
Defined Purpose	Compliance documentation and administrative workflow audit
Type of Processing	Automated analysis of administrative documents, policies, procedures, and process workflows
Scope of Data	Administrative records only; no patient data (PHI), no medical decision-making data
Categories of Data Subjects	Healthcare administrators, quality managers, compliance officers, operations staff (not patients)
Duration of Processing	Real-time; inputs processed and deleted immediately upon audit completion (typically <2 minutes)
Data Retention	None; stateless architecture means no data persisted post-audit
Frequency	On-demand per Company instructions; no background or continuous processing

Part B: Security and Data Protection Measures

Measure	Details
Encryption in Transit	TLS 1.2 or higher on all endpoints; HSTS enforced
Encryption at Rest	N/A — no data stored at rest; stateless processing only
Data Storage	Inputs stored in memory during processing only; deleted upon completion
Access Control	Least-privilege access; personnel confidentiality obligations
Audit Logging	All processing activities logged for compliance verification
Subprocessor Security	All subprocessors maintain equivalent or higher security controls
Backup & Disaster Recovery	No backups of Company Personal Data retained; audit outputs (if stored by Company) are Company's responsibility
Incident Response	24-hour breach notification; forensic investigation within 5 business days

Part C: Authorized Subprocessors

Subprocessor	Function	Location	Data Protection	No-Training Commitment
Mistral AI (mistral.ai)	LLM inference for audit analysis	EU	GDPR + AI safeguards (§9A)	Yes — signed BAA

Note: Processor uses no other subprocessors. There are no hosting providers, CDNs, analytics services, or any other third-party systems that receive Company Personal Data.

Part D: Data Transfer Restrictions

Aspect	Commitment
Geographic Scope	All processing occurs within the European Economic Area (EEA)
Subprocessor Location	Mistral AI performs inference within EU; no non-EEA data transfer
Standard Clauses	If any future data transfer occurs outside EEA, EU Standard Contractual Clauses (SCCs) shall apply per GDPR Article 46
Company Consent	Company consent required in writing before any non-EEA transfer (§11)

Part E: Retention and Deletion Schedule

Phase	Timeline	Action
Active Processing	<2 minutes typical	Inputs held in memory; audit analysis performed
Audit Completion	Upon run completion	Inputs deleted from memory; audit report generated
Audit Report	Per Company request	Audit report retained in Company's control only (not Processor's)
Service Termination	Within 24 hours	All active systems purged
Backup Purge	Within 10 business days	All backup copies deleted
Subprocessor Deletion	Within 10 business days	Confirmation obtained from Mistral AI

Part F: Company Responsibilities

Responsibility	Details
Data Subject Notification	Company is responsible for notifying data subjects of any breach (Processor assists per §7)
Lawful Basis	Company warrants it has lawful basis under GDPR Articles 6 and/or 9 for providing data to Processor
Prior Consent	Company warrants it has obtained necessary consent from data subjects or that processing is otherwise lawful
Audit Report Storage	Company is responsible for securing and managing audit reports after export; Processor's stateless architecture does not retain copies
Policy Compliance	Company warrants that use of MediReady Services complies with Company's own data protection policies and notices

Part G: Contact Information for Data Protection Matters

Role	Contact	Availability
Processor's Data Protection Contact	[DPO NAME] / [EMAIL ADDRESS]	[RESPONSE TIMEFRAME, e.g., “Within 2 business days”]
Security Incident Reporting	[SECURITY EMAIL]	24/7 for breach notifications

— End of Agreement —