[Therapist - Name inserted at signup] [Address inserted at signup] - hereinafter "Controller" or "Client" -
and
Intermac systems, Sendnicher Str. 58a, 56072 Koblenz, Germany, Email: nd@intermac.de - hereinafter "Processor" or "Service Provider" -
Preamble
The Controller is a psychotherapist/psychologist using the Processor's therapy documentation and AI assistance platform for managing therapy sessions, creating reports and applications.
The Controller is solely responsible for compliance with data protection regulations towards their patients, particularly for obtaining required consents.
The Processor processes personal data exclusively on behalf of and according to the instructions of the Controller.
§ 1 Subject Matter and Duration
(1) Subject Matter
The Processor provides a web-based platform for:
Transcription of therapy sessions
Storage of session notes and patient data
AI-assisted creation of therapy reports
AI-assisted creation of reimbursement applications
Management of patient data
(2) Duration
This DPA applies for the duration of the Controller's use of the platform.
§ 2 Nature and Purpose of Data Processing
(1) Processing Purpose
Processing serves exclusively to provide the platform functions for therapy documentation.
(2) Types of Data
Patient data (name, first name, optionally additional data entered by the Controller)
Therapy session notes and transcriptions
Diagnoses and treatment contents
AI-generated reports and applications
Therapist data (account management)
(3) Categories of Data Subjects
Patients of the Controller
The Controller themselves (as user)
§ 3 Controller's Right to Issue Instructions
(1) The Processor processes personal data exclusively according to documented instructions from the Controller, unless EU or German law requires the Processor to process the data.
(2) Instructions are issued through:
This agreement
Use of platform functions by the Controller
Written or electronic individual instructions
(3) If the Processor considers an instruction to be unlawful, they will inform the Controller immediately.
§ 4 Controller's Responsibilities
(1) Patient Consent
The Controller warrants that they have obtained the necessary consents from their patients for data processing according to Art. 6 and 9 GDPR.
(2) Lawfulness
The Controller is solely responsible for:
The lawfulness of data collection
Compliance with therapeutic confidentiality obligations
Informing patients about data processing
Fulfilling data subject rights (access, deletion, etc.)
(3) Data Accuracy
The Controller is responsible for the accuracy and currency of entered data.
§ 5 Processor's Obligations
(1) Confidentiality
The Processor commits all persons involved in processing to confidentiality.
(2) Technical and Organizational Measures
The Processor implements appropriate technical and organizational measures according to Art. 32 GDPR, in particular:
AES-256 encryption of all sensitive data (at rest)
Per-user encryption keys
TLS/SSL encryption for data transmission
IP-restricted server access with 2FA
Regular security updates
Audit logging of all accesses
Firewall-protected servers in German data centers
A detailed description of TOMs is provided in Annex 1.
(3) Data Breaches
The Processor reports data breaches immediately (within 24h at the latest) to the Controller with all relevant information according to Art. 33 GDPR.
§ 6 Sub-processors
(1) Approved Sub-processors
The Controller hereby consents to the engagement of the following sub-processors:
Sub-processor       | Service                        | Location     | Note
Hetzner Online GmbH | Server hosting, data center    | Germany (EU) | DPA in place
OpenAI LLC          | AI text processing for reports | EU servers   | Business Associate Agreement (BAA) in place
(2) Changes
When planning to add or change sub-processors, the Processor will inform the Controller at least 14 days in advance via email. The Controller may object within 14 days for data protection reasons.
(3) Sub-processor Obligations
The Processor imposes on sub-processors the same data protection obligations that apply to the Processor itself.
§ 7 Data Subject Rights
(1) Support
The Processor appropriately supports the Controller in fulfilling data subject rights (access, rectification, deletion, etc.).
(2) Direct Requests
If a data subject contacts the Processor directly, they will be referred to the Controller without delay.
(3) Technical Support
The platform offers the following functions to fulfill data subject rights:
Data export (Art. 20 GDPR - Data portability)
Data deletion (Art. 17 GDPR - Right to erasure)
§ 8 Data Deletion and Return
(1) Upon Contract Termination
After termination of use, the Processor deletes all personal data of the Controller within 30 days, unless legal retention obligations exist.
(2) Data Export
The Controller can download all data via the export function before contract termination.
(3) Backups
Data in encrypted backups will be deleted after the regular backup cycle (max. 90 days).
§ 9 Audit and Inspection Rights
(1) Evidence
Upon request, the Processor provides the Controller with information demonstrating compliance with its obligations:
Current TOMs (technical and organizational measures)
Copies of sub-processor DPAs
Security certificates (if available)
(2) Audits
The Controller has the right to conduct an audit once a year or have it conducted by an independent third party bound to confidentiality. Costs are borne by the Controller.
(3) Event-driven Audits
Additional audits are permissible in case of concrete suspicion of data protection violations.
§ 10 Liability and Damages
(1) Liability is governed by the statutory provisions of the GDPR, in particular Art. 82 GDPR.
(2) The Processor is only liable for damages arising from breach of their obligations under this DPA.
(3) The Controller is liable for all damages arising from unlawful instructions or lack of patient consent.
§ 11 Confidentiality
Both parties commit to treating all information obtained in the course of this agreement as confidential.
§ 12 Final Provisions
(1) Amendments
Amendments and supplements to this agreement require written form (electronic form also permissible).
(2) Severability Clause
Should individual provisions be invalid, the validity of the remaining provisions remains unaffected.
(3) Applicable Law
German law applies.
(4) Jurisdiction
Place of jurisdiction is Koblenz, Germany.
Consent
☐ I have read the Data Processing Agreement and accept the terms.
☐ I confirm that I have obtained or will obtain the necessary consents from my patients for data processing according to GDPR.
☐ I understand that I am responsible as Controller within the meaning of the GDPR for the lawfulness of data processing.
Date: [Automatic at signup]
Therapist: [Name at signup]
Accepted by: Electronic consent at account creation
ANNEX 1: Technical and Organizational Measures (TOMs)
1. Confidentiality (Art. 32(1)(b) GDPR)
Physical Access Control:
Hetzner data center: High-security fence, video surveillance, access control system
2FA for administrative server access
IP whitelist for administrators
System Access Control:
Password requirement with minimum standards (min. 8 characters, upper/lowercase, numbers)
Optional: 2FA for therapist accounts
Automatic session timeout after 30 minutes of inactivity
Data Access Control:
Role-based permissions
Per-user data separation (a therapist only sees their own data)
Audit logging of all data accesses
2. Integrity (Art. 32(1)(b) GDPR)
Transfer Control:
TLS 1.3 encryption for all data transmissions
No automatic data forwarding to third parties
Sub-processors only via encrypted connections
Input Control:
Logging of all data changes with timestamp and user ID
Versioning for important documents
Logging of deletion and modification operations
3. Availability and Resilience (Art. 32(1)(b) GDPR)