
Data Processing Addendum

This reference document outlines the privacy, security, and processing commitments Clinelix makes to every clinic. Signed counterparts available on request; enterprise customers receive a redlined DPA at onboarding.

PIPEDA / PHIPA aligned · Canadian residency · SOC 2 Type II (in progress)

1. Scope & roles
Clinelix Analytics Inc. ("Processor") processes Personal Information ("PI") on behalf of the contracting clinic ("Controller") for the purpose of providing the Clinelix Financial Health platform. Patient health information ("PHI") is explicitly out of scope: Clinelix does not ingest, store, or process PHI.
2. Lawful basis & purpose limitation
Personal Information is processed solely to: (a) operate the Clinelix platform on behalf of the Controller, (b) provide analytics, anomaly detection, AI assistance, and financing facilitation, and (c) meet statutory record-keeping obligations. Processing for any other purpose requires the Controller's prior written consent.
3. Sub-processors
A current list of sub-processors is maintained at clinelix.com/subprocessors. Material changes are notified at least 30 days in advance. Controllers may object in writing within that window.
4. Security measures
Clinelix maintains organizational, technical, and physical safeguards designed to protect PI against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Controls include encryption in transit (TLS 1.2+) and at rest, role-based access, least-privilege provisioning, immutable audit logs, MFA on all production access, quarterly access reviews, and annual penetration testing.
5. Data residency
Production data is hosted in Canadian regions (Toronto / Montreal) operated by Clinelix's primary infrastructure provider. See the data residency page for details.
6. Breach notification
Clinelix will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Information breach. Notification will include the nature, scope, and remediation steps taken.
7. Audit rights
Once per twelve (12) month period, with at least 30 days' written notice, the Controller may audit Clinelix's compliance with this DPA. Clinelix shall make available all information reasonably necessary to demonstrate compliance, including SOC 2 Type II reports (once the in-progress audit is complete), completed security questionnaires (CAIQ), and the latest penetration-test summary.
8. Return & deletion
On termination, Clinelix will, at the Controller's option, return or delete all PI within thirty (30) days. Copies held in backups are not deleted separately; they age out on the normal backup retention cycle (≤ 90 days), so PI may persist in backups for up to 90 days after deletion from production.
9. International transfers
Where transfers outside of Canada are unavoidable for limited sub-processing functions, Clinelix relies on contractual safeguards equivalent to the EU Standard Contractual Clauses and notifies the Controller in advance.
Signed DPA & security questionnaire

Need a countersigned DPA, our latest SOC 2 report, or a completed CAIQ? Email security@clinelix.com — we typically respond within one business day.