Skip to content

Legal

Data Processing Agreement

Template effective 2026-05-01.

This document is a template for review by your legal team. It is not a binding agreement. It has not been reviewed by legal counsel and does not constitute legal advice. Do not rely on this template without independent legal review specific to your jurisdiction and use case.

1. Parties

This Data Processing Agreement (“DPA”) is entered into between the Controller (the organization or individual using VitalCV services) and VitalCV, Inc. (“Processor”). The Controller and Processor are each a “Party” and together the “Parties.”

2. Subject Matter and Duration

The Processor provides credentialing workflow software services as described in the applicable Service Agreement. Processing is performed for the duration of the Service Agreement, unless otherwise agreed in writing.

3. Nature and Purpose of Processing

The Processor processes personal data on behalf of the Controller to provide healthcare credentialing workflow features, including primary source verification coordination, credential tracking, and audit trail generation. The Processor does not process personal data for its own independent purposes.

4. Categories of Data Subjects and Personal Data

Data subjects may include clinicians, trainees, and other healthcare personnel whose credentials are being verified. Personal data processed may include names, National Provider Identifiers (NPIs), license numbers, employment history, education history, and other credentialing information provided by the Controller or the data subject.

5. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational measures to protect data.
  • Assist the Controller in responding to data subject rights requests.
  • Delete or return all personal data upon termination of the Service Agreement.
  • Provide information necessary to demonstrate compliance with applicable law.

6. Sub-processors

The Processor may engage sub-processors to assist in providing the services. Current sub-processors include infrastructure providers (cloud hosting, databases), authentication services, and error monitoring services. The Processor will notify the Controller of any intended changes to sub-processors.

7. Data Security

The Processor implements technical and organizational measures appropriate to the risk of processing, including encryption in transit and at rest, access controls, and audit logging. The Processor does not guarantee any specific security standard or certification through this template.

8. International Transfers

Where personal data is transferred outside the jurisdiction of the Controller, the Parties will implement appropriate transfer mechanisms as required by applicable law. This template does not itself constitute a valid transfer mechanism.

9. Limitation

This template does not constitute legal, compliance, or regulatory advice. It does not make any representation that use of VitalCV services satisfies any regulatory requirement. Compliance determinations are the responsibility of the Controller and its legal counsel.

10. Contact

Questions about data processing practices: privacy@vitalcv.com

This page was last updated 2026-05-01. It is a template document only and does not constitute a binding Data Processing Agreement without separate execution by authorized representatives of both parties.