Data Processing Agreement
Data Processing Agreement
VithoulkasBrain Platform
Version 1.0 | Last updated: July 2026 | Accepted electronically upon registration (click-wrap)
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Terms of Services governing use of the VithoulkasBrain platform (the “Platform”). It is accepted electronically by the Professional User upon registration and governs the processing of Patient Data (as defined below) that the Professional User enters into the Platform.
Parties
(1) The Professional User — a homeopath or other healthcare professional, or an International Academy of Classical Homeopathy (IACH) student, or a homeopathy student authorised to use the Platform, who registers for and uses the Platform (the “Controller”); and
(2) VITHOULKAS INTELLIGENCE SINGLE MEMBER P.C., distinctive title “VITHOULKAS BRAIN”, a single-member private company (Ι.Κ.Ε.) incorporated in Greece, General Commercial Registry (Γ.Ε.ΜΗ.) No. 194103107000, VAT No. 803299861, EUID ELGEMI.194103107000, registered office at 19 Persefonis Street, Elefsina 19200, Attica, Greece, legally represented by its Director Maria Chorianopoulou, operator of the Platform (“VithoulkasBrain” or the “Processor”).
each a “Party” and together the “Parties”.
Recitals
(A) VithoulkasBrain operates a B2B software platform that assists trained homeopaths in identifying the appropriate homeopathic remedy on the basis of patient history and symptoms (“cases”). The Platform is operated by VITHOULKAS INTELLIGENCE a single member private company (Ι.Κ.Ε.) under a license granted by CENTRE OF HOMEOPATHIC MEDICINE S.A. (International Academy of Classical Homeopathy), which owns the underlying intellectual property; that licensor is not a party to this DPA and does not receive Patient Data.
(B) In using the Platform, the Controller may enter data relating to the Controller’s patients, including data concerning health, which constitute special categories of personal data within the meaning of Article 9(1) GDPR (“Patient Data”).
(C) With respect to Patient Data, the Controller acts as controller and VithoulkasBrain acts as processor within the meaning of Article 4(7) and 4(8) GDPR. This DPA sets out the terms required by Article 28(3) GDPR.
(D) The Platform is designed on a privacy-by-design basis and applies strict data minimisation: it does not store direct patient identifiers (no name, e-mail or telephone number) — only a case title, the patient’s age and gender are recorded alongside the clinical case content — and Patient Data is stored in encrypted form. VithoulkasBrain does not access Patient Data in the ordinary course of operation; access by technical personnel is possible only upon the Controller’s documented support request and is logged, as further described in Clause 6.
(E) Separately, VithoulkasBrain acts as controller in respect of the Professional User’s own account, billing and usage data; that processing is governed by the Privacy Policy and not by this DPA.
1. Definitions
1.1 The terms “personal data”, “special categories of personal data”, “processing”, “controller”, “processor”, “sub-processor”, “data subject”, “personal data breach” and “supervisory authority” have the meanings given to them in the GDPR.
1.2 “GDPR” means Regulation (EU) 2016/679 and, where applicable, Greek Law 4624/2019.
1.3 “Patient Data” means personal data relating to the Controller’s patients that the Controller enters into or generates through the Platform, including data concerning health (Article 9 GDPR).
1.4 “Applicable Data Protection Law” means the GDPR and all other data protection and privacy laws applicable to the processing of Patient Data.
1.5 Capitalised terms not defined in this DPA have the meaning given to them in the Terms of Services.
2. Roles of the Parties
2.1 The Controller determines the purposes and means of the processing of Patient Data. The Controller is solely responsible for: (a) establishing a valid legal basis for processing Patient Data, including, where applicable, Article 9(2)(h) GDPR (provision of health care by a professional subject to professional secrecy under Article 9(3) GDPR) or the patient’s explicit consent under Article 9(2)(a) GDPR; (b) providing patients with all information required under Articles 13 and 14 GDPR; (c) responding to data subjects’ requests in respect of Patient Data; and (d) determining applicable retention periods.
2.2 VithoulkasBrain processes Patient Data only as a processor, on behalf of and on the documented instructions of the Controller, solely in order to provide the Platform.
2.3 The Controller warrants that: (a) it is a duly qualified homeopath or other healthcare professional, or an IACH student or a homeopathy student authorised to process Patient Data under the supervision of such a professional; (b) it is bound by an obligation of professional secrecy; and (c) its instructions and use of the Platform comply with Applicable Data Protection Law.
3. Subject Matter and Instructions
3.1 The subject matter, duration, nature and purpose of the processing, the types of Patient Data and the categories of data subjects are set out in Annex 1.
3.2 The Controller’s complete documented instructions are constituted by the Terms of Services, this DPA, the configuration options made available within the Platform, and any further written instructions agreed between the Parties. Any processing outside these instructions requires the Parties’ prior written agreement.
3.3 VithoulkasBrain shall inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law; VithoulkasBrain is, however, under no obligation to carry out a legal review of the lawfulness of the Controller’s instructions.
4. Obligations of VithoulkasBrain (Article 28(3) GDPR)
4.1 Instructions. Process Patient Data only on the Controller’s documented instructions, including with regard to transfers to third countries, unless required to do so by Union or Member State law (in which case VithoulkasBrain shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest).
4.2 Confidentiality. Ensure that persons authorised to process Patient Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security. Implement the technical and organisational measures set out in Annex 3, taking into account Article 32 GDPR. The Parties acknowledge that encryption of Patient Data, strict data minimisation, and the limitation and logging of access under Clause 6 are principal safeguards for the purposes of this DPA.
4.4 Sub-processors. The Controller grants VithoulkasBrain a general written authorisation to engage the sub-processors listed in Annex 2. VithoulkasBrain shall (a) impose on each sub-processor, by contract, data protection obligations no less protective than those set out in this DPA, and (b) remain fully liable to the Controller for the performance of each sub-processor’s obligations. VithoulkasBrain shall give the Controller at least thirty (30) days’ prior notice (including by updating Annex 2 or by notice within the Platform) of any intended addition or replacement of a sub-processor, during which the Controller may object on reasonable data-protection grounds; if such objection cannot be resolved, the Controller may terminate by ceasing to use the Platform.
4.5 Assistance with data subject rights. Taking into account the nature of the processing and the information available to VithoulkasBrain, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to data subjects’ requests. The Controller may exercise such rights primarily through the self-service functions of the Platform (including deletion of case data and export to PDF); where a request is received by VithoulkasBrain directly, it shall refer it to the Controller without undue delay.
4.6 Assistance with Articles 32–36. Assist the Controller, taking into account the nature of processing and the information available to VithoulkasBrain, in ensuring compliance with its obligations relating to security of processing, notification of personal data breaches, data protection impact assessments and prior consultation.
4.7 Deletion or return. At the choice of the Controller, delete or return all Patient Data after the end of the provision of services, and delete existing copies, unless storage is required by Union or Member State law. The standard data export and deletion process is described in Annex 1 and in the Terms of Service.
4.8 Records and audits. Make available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, subject to: reasonable prior written notice; obligations of confidentiality; conduct during business hours and in a manner that does not disrupt operations; and, save where the audit reveals material non-compliance, the Controller bearing its own and VithoulkasBrain’s reasonable costs. VithoulkasBrain may satisfy an audit request by providing relevant third-party certifications or reports where available.
5. Special Categories of Data
5.1 The Controller acknowledges that Patient Data includes special categories of personal data (data concerning health) and that the Controller bears sole responsibility for ensuring an appropriate legal basis under Article 9 GDPR. VithoulkasBrain does not establish, and is not required to establish, an independent Article 9 basis, acting solely under the responsibility and the professional secrecy of the Controller.
6. Encryption, Minimisation and Access
6.1 Patient Data is stored in encrypted form and protected by access credentials. The Platform applies data minimisation: it does not store direct patient identifiers (such as name, e-mail or telephone number); only a case title, the patient’s age and gender are recorded alongside the clinical case content. In the ordinary course of operation, VithoulkasBrain does not access Patient Data in intelligible form.
6.2 Authorised technical personnel may access Patient Data only: (a) upon the Controller’s documented support request for the purpose of diagnosing or resolving a technical issue affecting the Controller’s account; (b) to the minimum extent strictly necessary for that purpose; and (c) subject to confidentiality. Any such access is logged and auditable.
6.3 The encryption keys are held by the Platform and not by the Controller. Accordingly, the safeguards on which the Parties rely are encryption at rest, credential-based access control, strict data minimisation, and the limitation and logging of access under Clause 6.2, rather than a zero-knowledge architecture.
7. Personal Data Breach
7.1 VithoulkasBrain shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Patient Data, and shall provide the Controller with the information reasonably available to it to enable the Controller to meet its obligations under Articles 33 and 34 GDPR. Notification of, or any response to, a personal data breach shall not be construed as an acknowledgement of fault or liability.
8. International Transfers
8.1 Patient Data is hosted within the EU/EEA (see Annex 2) and is not transferred outside the EU/EEA except on the Controller’s instructions or where required by law, and in either case subject to an appropriate transfer mechanism under Chapter V GDPR.
8.2 Certain static front-end resources (e.g., style sheets and script libraries) are loaded from third-party content delivery networks (such as Cloudflare cdnjs and the jQuery CDN); these providers receive users’ IP addresses solely to deliver the requested files and do not receive Patient Data.
9. Liability
9.1 Each Party is liable in accordance with Article 82 GDPR. As between the Parties, the Controller is responsible for the lawfulness of the Patient Data and of the instructions it gives.
9.2 The Controller shall indemnify and hold VithoulkasBrain harmless against claims, administrative fines and losses arising from: (a) the Controller’s breach of its warranties or obligations under Clauses 2 and 5; (b) the absence of a valid legal basis for the Patient Data; or (c) instructions that infringe Applicable Data Protection Law.
9.3 Subject to mandatory law, VithoulkasBrain’s aggregate liability under this DPA is limited as set out in the Terms of Service. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law.
10. Term and Termination
10.1 This DPA takes effect upon the Controller’s acceptance and remains in force for as long as VithoulkasBrain processes Patient Data on behalf of the Controller. The clauses concerning confidentiality, liability and deletion/return of data survive termination.
11. Governing Law and Jurisdiction
11.1 This DPA is governed by Greek law. The courts of Athens, Greece have exclusive jurisdiction, without prejudice to any mandatory rights of the data subject or of a consumer.
12. Order of Precedence
12.1 In the event of any conflict between this DPA and the Terms of Services in respect of the processing of Patient Data, this DPA prevails.
13. Acceptance
13.1 By ticking the box “I have read and accept the Data Processing Agreement” (or equivalent) during registration, the Controller accepts this DPA. VithoulkasBrain records the version accepted and the date and time of acceptance.Annex 1 — Details of the Processing
Subject matter: Hosting and processing of Patient Data entered by the Controller for the purpose of homeopathic case management and remedy identification through the Platform.
Duration and retention: For the duration of the Controller’s account. The Controller may delete patient case data at any time and may export it in PDF format. Upon a request to delete the account (submitted at contact@vithoulkasbrain.com ), the account is disabled and enters a read-only grace period of fourteen (14) days, after which all associated personal data is permanently deleted, unless longer retention is required by law. If, instead, the Controller’s subscription expires or is not renewed and the account is not deleted, the Patient Data is retained for twelve (12) months from the date access lapses; during that period, upon the Controller’s request, read-only access is restored for one (1) month so that the Controller may download and export the cases. At the end of the twelve-month period the Patient Data is permanently deleted, and a courtesy reminder is sent to the Controller’s registered e-mail address before such deletion.
Nature and purpose: Storage, organisation, retrieval and computational analysis of cases to assist the Controller in identifying homeopathic remedies; technical support only upon the Controller’s request.
Types of personal data: A case title, the patient’s age and gender), together with the clinical case content (symptoms, repertorisations, case notes), which constitutes data concerning health (special category, Article 9 GDPR). No direct patient identifiers (name, e-mail, telephone) are stored. The Controller controls what it enters.
Categories of data subjects: The Controller’s patients.Annex 2 — Authorised Sub-processors
Sub-processor | Purpose | Location |
Hetzner Online GmbH | Cloud hosting and storage of Platform data | EU/EEA |
Stripe Payments Europe, Ltd. | Payment processing (account/billing data — not Patient Data) | Ireland (EU); transfers under SCCs |
Note: static front-end resources are loaded from third-party content delivery networks (Cloudflare cdnjs, jQuery CDN), which receive users’ IP addresses for file delivery only and do not store Patient Data. A current list of sub-processors is made available to the Controller upon request or within the Platform.Annex 3 — Technical and Organisational Measures (Article 32 GDPR)
- Encryption of Patient Data at rest and in transit;
- Database protected by access credentials (username/password);
- Strict data minimisation — no direct patient identifiers (name, e-mail, telephone) are stored;
- Least-privilege access; each professional user can view only their own patients’ cases;
- Access to Patient Data by technical personnel only upon documented request, with logging and an audit trail;
- Regular encrypted backups stored within the EU/EEA;
- Confidentiality obligations binding all personnel who may access Patient Data.