Bounded Health — Data Processing Addendum (Template)
Version: v1.0 | Effective: February 7, 2026 | Last reviewed: February 7, 2026
1. Introduction
This Data Processing Addendum ("DPA") supplements the Master Services Agreement (the "Agreement") between the customer entity identified in the applicable Order Form ("Controller") and Bounded Health, Inc. ("Processor"). It governs the processing of personal data that the Processor carries out on behalf of the Controller in connection with the contracted enterprise services.
Where there is a conflict between this DPA and the Agreement, this DPA takes precedence with respect to data protection matters.
2. Scope of Processing
The Processor will process personal data only to the extent necessary to deliver the services described in the Agreement. The categories of data and processing activities include:
| Category | Examples | Processing Purpose |
|---|---|---|
| Account data | Names, email addresses, organizational roles | User authentication, account management, billing |
| Operational metadata | Timestamps, request logs, feature usage events | Service delivery, reliability monitoring, support |
| Approved health-related datasets | Claims data, biometric summaries, care engagement records | Analytics, reporting, and platform features as contracted |
Processing is limited to the activities listed above unless the Controller provides additional documented instructions.
3. Processor Obligations
Bounded Health commits to the following obligations when processing personal data on behalf of the Controller:
- Documented instructions. Process personal data only in accordance with the Controller's documented instructions, unless required by applicable law to do otherwise. In such cases, the Processor will inform the Controller of the legal requirement before processing, unless prohibited by law.
- Confidentiality. Ensure that all personnel authorized to process personal data are subject to appropriate confidentiality obligations.
- Access controls. Enforce least-privilege access policies so that only personnel with a legitimate operational need can access personal data.
- Audit logging. Maintain immutable audit logs for high-stakes operations, including data access, modifications, and administrative actions that affect personal data.
- Incident notification. Notify the Controller without undue delay after becoming aware of a confirmed security incident involving personal data, in accordance with the Breach Notification Policy.
- End-of-contract obligations. Upon termination or expiration of the Agreement, delete or return personal data in accordance with the Controller's instructions, except where retention is required by applicable law or regulation.
4. Subprocessors
Bounded Health maintains a current list of subprocessors, available as a separate artifact in this Trust Center. The following controls apply:
- All subprocessors are engaged under written agreements that impose data protection obligations equivalent to those in this DPA.
- The Controller will be notified of material changes to the subprocessor list through the established procurement and contract channels.
- The Controller may object to a new subprocessor by providing written notice within 30 days of notification. If the objection cannot be resolved, the Controller may terminate the affected services.
5. Data Subject Requests
When the Processor receives a request from a data subject (or their authorized representative) to exercise rights under applicable data protection law — including access, correction, deletion, or restriction — the Processor will:
- Promptly notify the Controller of the request, unless the Processor is legally prohibited from doing so.
- Provide reasonable technical and organizational assistance to help the Controller respond to the request.
- Not independently respond to the data subject unless instructed by the Controller or required by law.
6. Security Measures
The Processor implements and maintains appropriate technical and organizational measures to protect personal data, including:
- Encryption: AES-256 encryption at rest and TLS 1.2 or higher for data in transit.
- Environment isolation: Logical separation of customer environments to prevent unauthorized cross-tenant access.
- Change management: Production deployments are logged, reviewed, and subject to integrity checks.
- Monitoring: Continuous security monitoring with automated alerting for anomalous activity.
A more detailed description of security measures is available upon request during qualified diligence.
7. Audit and Assurance
The Processor will cooperate with reasonable audit and assurance requests from the Controller, subject to the following:
- The Controller (or its appointed auditor) may request evidence of compliance with this DPA no more than once per calendar year, unless a confirmed security incident necessitates additional review.
- Evidence may include control summaries, architecture documentation, and third-party attestation reports as they become available.
- Audits will be conducted during normal business hours with reasonable advance notice and will not unreasonably interfere with the Processor's operations.
8. Contact
For questions about this DPA or data protection practices, please reach out to:
- Security: security@boundedhealth.com
- Legal: legal@boundedhealth.com