Data Processing Addendum (DPA)
Early access · updated June 27, 2026
This DPA supplements the Terms of Service and applies when Illumate processes personal data on behalf of a customer (controller). This is a draft template; the final version requires legal review.
Subject matter, duration, nature, and purpose
Subject matter: processing of personal data to provide the Service. Duration: for the term of the Terms and an agreed deletion/return period. Nature and purpose: hosting and storage, transcription, AI inference and embeddings, support and maintenance.
Categories of data subjects: the customer’s patients/clients, the customer’s personnel. Categories of personal data: account and identity data; session content (text, audio where used, transcripts, notes, AI outputs, patient identifiers or pseudonyms); technical data and logs. Special categories: health data and therapy-related information.
Roles and scope
The Customer acts as controller and Illumate as processor. Illumate processes personal data only for the purposes described in this DPA and the Terms, and in accordance with the Customer’s documented instructions.
Customer instructions
Documented instructions are the Terms, this DPA, and the Customer’s use of Service features. If we believe an instruction infringes applicable data protection law, we will inform the Customer.
Confidentiality
Persons authorised to process personal data are bound by confidentiality obligations and process data only on the Customer’s instructions.
Subprocessors
The Customer provides a general authorisation to engage subprocessors. A list of categories is on the Subprocessors page (/subprocessors), with the named list available on request. We give prior notice of additions or replacements and a right to reasonably object.
We enter into agreements with subprocessors imposing data protection obligations no less protective than those in this DPA.
International transfers
Where personal data is transferred outside the EEA/UK to countries without an adequacy decision, we use appropriate mechanisms such as Standard Contractual Clauses (SCCs) and supplementary measures as needed.
Technical and organisational measures (TOMs)
Measures include encryption in transit and for sensitive fields at rest, tenant isolation and authorisation checks, access management, logging, and monitoring. For more on these measures, see the Security page (/security).
Data subject requests
Taking into account the nature of processing, we assist the Customer by appropriate technical and organisational measures in responding to data subject requests.
DPIA assistance
We provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, taking into account the nature of processing and information available to us.
Breach notification
We notify the Customer of a confirmed personal data breach without undue delay, within the timeframes required by applicable law (typically within 72 hours after confirmation), and provide reasonable assistance with the Customer’s obligations.
Deletion and return
On termination or Customer request, we delete or return personal data within a reasonable period, except where retention is required by law.
Audit
We make available information necessary to demonstrate compliance and allow for audits on reasonable notice, subject to confidentiality and security safeguards.
Liability
Liability under this DPA is subject to the limitations set out in the Terms, to the extent permitted by applicable law.
Term
This DPA remains in effect for as long as Illumate processes personal data on behalf of the Customer and terminates together with the Terms.
Illumate is in early access, so these documents may be updated as the service evolves. The provider and contact details are set out in the sections above.