BAA/DPA Templates

TEMPLATES — Review Needed

Template 3 (OSCAR Bridge DPA) is for the deprecated REST bridge path. A SOAP Adapter DPA is needed for the production EMR path. Sub-processor list needs updating (missing ElevenLabs, Deepgram, AssemblyAI, Azure).

Business Associate Agreements (BAAs) and Data Processing Agreements (DPAs) for VitaraVox's third-party integrations. These templates should be reviewed by legal counsel before execution.


1. Vapi.ai Data Processing Agreement

Parties

  • Data Controller: [Clinic Name] (the "Clinic"), operating through the VitaraVox platform
  • Data Processor: Vapi Inc. ("Vapi"), provider of voice AI infrastructure

Definitions

  • Personal Health Information (PHI): Any information about an identifiable individual relating to their physical or mental health, health care history, or health care payment, as defined under PIPEDA and PIPA
  • Processing: Any operation performed on PHI, including collection, recording, storage, retrieval, transmission, and deletion
  • Sub-processor: Any third party engaged by Vapi to process PHI (e.g., Telnyx for telephony, OpenAI for LLM inference)

Data Types Processed

| Data Type | Purpose | Retention |
|---|---|---|
| Voice recordings | Real-time transcription and intent detection | Per Vapi retention policy (request deletion) |
| Call transcripts | Appointment scheduling, patient identification | Controlled by VitaraVox (default 90 days) |
| Caller phone numbers | Patient identification, callback | Duration of call + metadata retention |
| Patient names | Spoken during call for identification | Embedded in transcript, subject to retention policy |
| Appointment details | Scheduling operations | Embedded in transcript and call logs |

Processor Obligations

  1. Purpose Limitation: Process PHI only for the purpose of providing voice AI services as instructed by the Controller
  2. Security Measures: Implement appropriate technical and organizational measures including:
    • Encryption in transit (TLS 1.2+)
    • Encryption at rest for stored recordings and transcripts
    • Access controls limiting personnel access to PHI
    • Regular security assessments
  3. Sub-processor Management:
    • Maintain and disclose a list of sub-processors
    • Ensure sub-processors are bound by equivalent data protection obligations
    • Notify Controller of any new sub-processors with 30 days' notice
  4. Data Residency: Process and store data within [Canada / North America] unless otherwise agreed
  5. Breach Notification: Notify Controller within 24 hours of discovering a data breach involving PHI
  6. Data Deletion: Upon termination or request, delete all PHI within 30 days and provide written confirmation
  7. Audit Rights: Allow Controller or its designated auditor to conduct compliance audits with reasonable notice

Controller Obligations

  1. Ensure lawful basis for processing (caller consent via recorded greeting)
  2. Provide clear instructions to Processor regarding data handling
  3. Notify Processor of any data subject requests (access, deletion)

Term and Termination

  • Agreement effective for duration of service subscription
  • Either party may terminate with 90 days written notice
  • Processor must delete all PHI within 30 days of termination
  • Survival: Confidentiality and data protection obligations survive termination

2. Hosting Provider DPA (Oracle Cloud Infrastructure — OCI Toronto)

Parties

  • Data Controller: VitaraVox Inc. (the "Company")
  • Data Processor: Oracle Corporation ("Oracle"), provider of cloud infrastructure

Definitions

Same as Section 1, with additions:

  • Infrastructure Services: Compute, storage, networking, and database services provided by Oracle
  • Customer Data: All data uploaded, stored, or processed on Oracle infrastructure by the Company

Data Types Processed

| Data Type | Purpose | Storage Location |
|---|---|---|
| PostgreSQL database | Clinic configs, call logs, user accounts | OCI Toronto (ca-toronto-1) |
| Application logs | Debugging, audit trail | OCI Toronto (ca-toronto-1) |
| Database backups | Disaster recovery | OCI Toronto (ca-toronto-1) |
| TLS certificates | Transport encryption | OCI Toronto (ca-toronto-1) |

Processor Obligations

  1. Data Residency: All Customer Data remains within the OCI Toronto region (ca-toronto-1) unless explicitly requested otherwise
  2. Physical Security: Maintain SOC 2 Type II certified data centers with:
    • 24/7 physical access controls
    • Environmental controls (fire suppression, climate control)
    • Redundant power and networking
  3. Logical Security:
    • Network isolation (VCN, security lists, NSGs)
    • Encryption at rest (AES-256) for all block and object storage
    • Encryption in transit for all inter-service communication
  4. Access Controls:
    • No Oracle personnel access to Customer Data without explicit authorization
    • Privileged access management for infrastructure operations
  5. Breach Notification: Notify Company within 24 hours of a confirmed security incident
  6. Compliance: Maintain SOC 2 Type II, ISO 27001, and CSA STAR certifications
  7. Data Deletion: Upon service termination, securely erase Customer Data within 90 days

Controller Obligations

  1. Configure appropriate security groups and access policies
  2. Manage encryption keys (OCI Vault recommended)
  3. Monitor and respond to security alerts

Term and Termination

  • Coterminous with OCI service agreement
  • Data export available via standard OCI tools during termination period
  • Oracle deletes Customer Data 90 days after termination

3. OSCAR Bridge DPA (Internal Service Agreement)

Parties

  • Data Controller: VitaraVox Inc. (the "Company")
  • Data Processor: VitaraVox Inc. — OSCAR REST Bridge Service (internal)

Purpose

This is a simplified internal agreement documenting data handling practices for the OSCAR REST Bridge, which operates as an internal microservice within the same infrastructure.

Data Types Processed

| Data Type | Purpose | Retention |
|---|---|---|
| Patient demographics | Search, registration, retrieval | Pass-through only (not stored) |
| Appointment data | Booking, rescheduling, cancellation | Pass-through only (not stored) |
| Provider information | Availability lookup, provider listing | Pass-through only (not stored) |
| API request logs | Debugging, audit | 14 days (structured logs) |

Security Controls

  1. Network Isolation: Bridge runs in a Docker container on the same host, accessible only via the internal Docker network
  2. Authentication: X-API-Key header required for all requests (256-bit key generated by a CSPRNG)
  3. No Data Storage: Bridge is stateless — all PHI passes through to OSCAR and is not persisted
  4. Transport Security: Internal Docker network (no external exposure); external access via reverse proxy with TLS
  5. Rate Limiting: 100 requests/minute per IP
  6. Input Validation: All inputs validated before forwarding to OSCAR

Logging Policy

  • Request metadata logged (timestamp, method, path, response code, latency)
  • Request/response bodies NOT logged in production
  • Patient identifiers NOT logged (demographic IDs redacted)
  • Logs retained for 14 days, then automatically rotated
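The following is an added example, not code from the VitaraVox project, showing how the controls listed above (X-API-Key check against a 256-bit CSPRNG key, per-IP rate limit of 100 requests/minute, metadata-only access logging with patient identifiers redacted) fit together in a small gateway layer. The route shapes it redacts (`/demographics/<id>`, `phone=`/`hin=` query parameters) and the `forward` callback standing in for the OSCAR call are assumptions for illustration; the bridge's real routes are not on this page.

```python
import hmac
import re
import secrets
import time
from collections import defaultdict, deque

# Limits taken from the template text: 100 requests per minute, per client IP.
RATE_LIMIT = 100
WINDOW_SECONDS = 60.0

# Hypothetical identifier patterns; the real bridge's routes are an assumption here.
DEMOGRAPHIC_ID_RE = re.compile(r"(/demographics?/)\d+")
IDENT_QUERY_RE = re.compile(r"\b(phone|hin|healthNumber)=[^&]+", re.IGNORECASE)


def generate_api_key():
    """256-bit key from the OS CSPRNG, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


def api_key_valid(presented, expected):
    """Constant-time comparison so response timing does not leak key bytes."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per IP.

    The clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, ip):
        now = self.clock()
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def redact_path(path):
    """Remove patient identifiers from a request path before it is logged."""
    path = DEMOGRAPHIC_ID_RE.sub(r"\1[REDACTED]", path)
    path = IDENT_QUERY_RE.sub(r"\1=[REDACTED]", path)
    return path


def access_log_line(method, path, status, latency_ms, ts):
    """Metadata-only log line: timestamp, method, redacted path, status, latency.

    Request and response bodies are never passed in, so they cannot be logged.
    """
    return f"{ts} {method} {redact_path(path)} {status} {latency_ms}ms"


def handle(headers, client_ip, method, path, expected_key, limiter, forward):
    """Gate one request: authenticate, rate-limit, then hand it to `forward`.

    `forward(method, path)` stands in for the call to OSCAR and returns
    (status, body); nothing from the request is stored by this layer.
    """
    if not api_key_valid(headers.get("X-API-Key"), expected_key):
        return 401, None
    if not limiter.allow(client_ip):
        return 429, None
    return forward(method, path)


if __name__ == "__main__":
    key = generate_api_key()
    limiter = RateLimiter()
    ok = handle({"X-API-Key": key}, "10.0.0.1", "GET", "/demographics/42",
                key, limiter, lambda m, p: (200, {"forwarded": p}))
    print(ok)
    print(access_log_line("GET", "/demographics/42", ok[0], 7, "2024-01-01T00:00:00Z"))
```

The authentication check runs before the rate limiter so that unauthenticated traffic never consumes a client's quota, and the limiter keys on client IP as the template specifies; behind a reverse proxy the IP passed in must come from the proxy's forwarded header, not the socket peer.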

Incident Response

  • Same as Company breach notification plan
  • Bridge errors escalated to platform operations team
  • OSCAR connectivity issues trigger circuit breaker (automatic recovery)

Template Usage Notes

Legal Review Required

These templates are starting points and must be reviewed by qualified legal counsel before execution. Privacy law requirements vary by jurisdiction and may change.

Execution Checklist

  1. Review templates with legal counsel
  2. Customize for specific clinic and jurisdiction
  3. Send to counterparty for negotiation
  4. Execute signed copies
  5. Update ClinicConfig BAA tracking fields in admin dashboard
  6. Store signed copies securely (encrypted storage)
  7. Set calendar reminder for annual review