Data Processing Agreement
Effective May 31, 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service between you (the "Controller" / "Covered Entity") and Noeta, Inc. ("Processor" / "Business Associate"). It governs the processing of Personal Data under the GDPR, UK GDPR and CCPA, and of Protected Health Information (PHI) under HIPAA.
1. Subject matter and duration
Noeta processes Personal Data and PHI on your behalf only to provide the Noeta service, for the duration of your subscription plus the 30-day post-termination export window.
2. Nature and purpose of processing
- Capturing and transcribing clinical visit audio.
- Generating structured clinical notes.
- Scheduling, messaging, billing, and related practice tools.
- Securing, backing up, and monitoring the platform.
3. Types of data and data subjects
- Practice staff (name, email, role, phone, NPI).
- Patients (demographic, clinical, insurance, payment data).
4. Sub-processors
Current sub-processors:
- Cloud hosting and database — Supabase / AWS (US)
- Transcription and LLM inference — OpenAI, Google (US)
- Payments — Stripe (US/EU)
- SMS, voice, fax — Telnyx (US)
- Email — Resend (US)
We will give 30 days' notice before adding or replacing any sub-processor. You may object on reasonable data-protection grounds.
5. Security measures (technical and organisational measures, "TOMs")
- Encryption at rest (AES-256) and in transit (TLS 1.2 or higher).
- Role-based access control with least-privilege defaults.
- Mandatory MFA for all Noeta personnel with access to PHI.
- Audit logs of every read and write of PHI, retained for 6 years.
- Annual SOC 2 Type II audit and alignment with the HIPAA Security Rule.
- Incident response runbook with notification to the Controller within 24 hours of discovery of a breach.
6. International transfers
For data originating in the EU/UK, transfers to the US are governed by the 2021 EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, both incorporated by reference.
7. Data subject rights
Noeta will assist the Controller in responding to data subject requests, via tooling exposed in the admin console, within 10 business days of receiving the Controller's request.
8. HIPAA Business Associate provisions
Noeta agrees to: use and disclose PHI only as permitted by this DPA and HIPAA; implement Security Rule safeguards; report any Breach of Unsecured PHI to the Covered Entity within 24 hours of discovery; ensure subcontractors agree in writing to the same restrictions; and return or destroy PHI on termination.
9. Audit rights
We make available all information necessary to demonstrate compliance with this DPA, including our latest SOC 2 report under NDA. On-site audits may be conducted no more than once per year with 30 days' notice and at the Controller's cost, except after a confirmed Breach.
10. Term and termination
This DPA terminates automatically with the underlying subscription. We will return or securely delete all Personal Data within 30 days of termination unless retention is required by law.
11. Signatures
A countersigned DPA / BAA is available on request — email legal@noetascribe.com with your practice name and EIN.