illumate

Data Processing Addendum (DPA)

Early access · updated June 27, 2026

This DPA supplements the Terms of Service and applies when Illumate processes personal data on behalf of a customer (controller). This is a draft template; the final version requires legal review.

Subject matter, duration, nature, and purpose

Subject matter: processing of personal data to provide the Service. Duration: for the term of the Terms and an agreed deletion/return period. Nature and purpose: hosting and storage, transcription, AI inference and embeddings, support and maintenance.

Categories of data subjects: the customer’s patients/clients, the customer’s personnel. Categories of personal data: account and identity data; session content (text, audio where used, transcripts, notes, AI outputs, patient identifiers or pseudonyms); technical data and logs. Special categories: health data and therapy-related information.

Roles and scope

The Customer acts as controller and Illumate as processor. Illumate processes personal data only for the purposes described in this DPA and the Terms, and in accordance with the Customer’s documented instructions.

Customer instructions

Documented instructions are the Terms, this DPA, and the Customer’s use of Service features. If we believe an instruction infringes applicable data protection law, we will inform the Customer.

Confidentiality

Persons authorised to process personal data are bound by confidentiality obligations and process data only on the Customer’s instructions.

Subprocessors

The Customer provides a general authorisation to engage subprocessors. A list of categories is on the Subprocessors page (/subprocessors), with the named list available on request. We give prior notice of additions or replacements and a right to reasonably object.

We enter into agreements with subprocessors imposing data protection obligations no less protective than those in this DPA.

International transfers

Where personal data is transferred outside the EEA/UK to countries without an adequacy decision, we use appropriate mechanisms such as Standard Contractual Clauses (SCCs) and supplementary measures as needed.

Technical and organisational measures (TOMs)

Measures include encryption in transit and for sensitive fields at rest, tenant isolation and authorisation checks, access management, logging, and monitoring. For more on these measures, see the Security page (/security).

Data subject requests

Taking into account the nature of processing, we assist the Customer by appropriate technical and organisational measures in responding to data subject requests.

DPIA assistance

We provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, taking into account the nature of processing and information available to us.

Breach notification

We notify the Customer of a confirmed personal data breach without undue delay, within the timeframes required by applicable law (typically within 72 hours after confirmation), and provide reasonable assistance with the Customer’s obligations.

Deletion and return

On termination or Customer request, we delete or return personal data within a reasonable period, except where retention is required by law.

Audit

We make available information necessary to demonstrate compliance and allow for audits on reasonable notice, subject to confidentiality and security safeguards.

Liability

Liability under this DPA is subject to the limitations set out in the Terms, to the extent permitted by applicable law.

Term

This DPA remains in effect for as long as Illumate processes personal data on behalf of the Customer and terminates together with the Terms.

Illumate is in early access, so these documents may be updated as the service evolves. The provider and contact details are set out in the sections above.