Data Processing Agreement
Last Updated: June 15, 2026
This Data Processing Agreement ("DPA") forms part of the applicable agreement between CoVetAI Inc. ("CoVet") and the customer, user, clinic, practice, organization, or other entity that has accepted or entered into the Applicable Agreement ("Client"). CoVet and Client are each a "Party" and together the "Parties".
This DPA applies when CoVet Processes Personal Data on behalf of Client in connection with the Services. For self-serve accounts, this DPA is incorporated into the Applicable Agreement by reference and becomes effective when Client accepts the Applicable Agreement, accesses the Services, or continues using the Services after this DPA is posted or updated. No separate signature is required unless CoVet and Client agree otherwise in writing.
If Client has entered into a separately signed data processing agreement or business associate agreement with CoVet, that separately signed agreement controls to the extent it expressly conflicts with this DPA. This DPA does not reduce either Party's obligations under applicable Data Protection Laws.
This DPA includes Exhibit 1 (Standard Contractual Clauses), Annexes A-C (processing details, technical and organizational measures, and subprocessors), and Exhibit 2 (HIPAA Addendum). Exhibit 2 applies only where Client is a Covered Entity or Business Associate under HIPAA and CoVet creates, receives, maintains, or transmits PHI on Client's behalf.
1. Definitions
"Applicable Agreement" means the terms of service, subscription terms, order form, statement of work, master services agreement, or other agreement governing Client's access to or use of the Services.
"Authorized User" means any individual authorized by Client to access or use the Services under Client's account.
"Client Data" means data, content, audio, transcripts, files, prompts, messages, records, outputs, or other information submitted to, generated through, or otherwise Processed by the Services on behalf of Client, including Personal Data where applicable.
"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" have the meanings given to equivalent terms under applicable Data Protection Laws.
"Data Protection Laws" means all privacy, data protection, data security, and breach notification laws applicable to a Party's Processing under the Applicable Agreement, including, to the extent applicable, the GDPR, UK GDPR, PIPEDA, and comparable U.S. state privacy laws.
"GDPR" means Regulation (EU) 2016/679 and any law implementing, supplementing, or replacing it. "UK GDPR" means the GDPR as incorporated into United Kingdom law.
"PHI" means Protected Health Information as defined under HIPAA. Where Exhibit 2 applies, references to Personal Data include PHI.
"Services" means CoVet's AI-powered veterinary assistant, clinical documentation, transcription, case generation, workflow, client communication, administrative, support, integration, and related services described in the Applicable Agreement or related documentation.
"Subprocessor" means any third party engaged by CoVet or another Subprocessor to Process Personal Data on behalf of Client in connection with the Services.
2. Scope and Roles
2.1 Roles. As between the Parties, Client is the Controller of Personal Data and CoVet is the Processor. Where Client acts as a Processor on behalf of a third-party Controller, Client appoints CoVet as Client's Subprocessor. Where U.S. state privacy laws apply, CoVet acts as a service provider or processor, as applicable, with respect to Personal Data Processed on behalf of Client.
2.2 Client control. Client determines the purposes and means of Processing Personal Data, including the content submitted to the Services, the lawful basis for Processing, and the instructions given to CoVet. Client retains all rights in Client Data, subject to the licenses and permissions needed for CoVet to provide the Services.
2.3 Instructions. Client instructs CoVet to Process Personal Data as needed to provide, secure, maintain, support, troubleshoot, improve, and administer the Services; comply with the Applicable Agreement; comply with Client's configuration choices and Authorized User actions; and comply with applicable law. CoVet will not Process Personal Data for any purpose other than the purposes described in this DPA, the Applicable Agreement, or Client's documented instructions unless required by law.
2.4 AI service providers and model training. CoVet will not use Client clinical data, recordings, transcripts, generated notes, or other Client Personal Data to train or fine-tune AI models, and will not permit its AI service providers to do so, except where Client has expressly authorized different Processing in a separate written agreement. CoVet may use aggregated or de-identified information to operate, secure, and improve the Services where such information does not identify Client, Authorized Users, or Data Subjects and is not Personal Data under applicable Data Protection Laws.
3. Client Obligations
Client is responsible for complying with Data Protection Laws that apply to Client's collection, use, disclosure, and transfer of Personal Data to CoVet, including providing notices, obtaining consents, and maintaining a lawful basis for Processing where required.
Client is responsible for the accuracy, quality, and legality of Client Data and for ensuring that Authorized Users submit Client Data only in accordance with the Applicable Agreement and this DPA.
Client will not submit special categories of Personal Data, PHI, or other regulated information to the Services unless such submission is permitted by the Applicable Agreement, is necessary for Client's use of the Services, and Client has satisfied all legal requirements for doing so.
Client will promptly notify CoVet of any Data Subject request, legal restriction, or instruction that affects CoVet's Processing of Personal Data.
4. CoVet Obligations
CoVet will Process Personal Data only in accordance with this DPA, the Applicable Agreement, Client's documented instructions, and applicable law.
CoVet will ensure that personnel authorized to Process Personal Data are subject to confidentiality obligations and receive appropriate privacy and security training.
CoVet will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access, or use, as further described in Annex B.
Taking into account the nature of Processing and information available to CoVet, CoVet will reasonably assist Client with Data Subject requests, data protection impact assessments, consultations with supervisory authorities, and compliance documentation required under Data Protection Laws.
CoVet will notify Client if CoVet believes that an instruction infringes applicable Data Protection Laws, unless applicable law prohibits such notice.
5. Data Security
CoVet will maintain a written information security program appropriate to the nature of the Services and the risks presented by the Processing. CoVet's program includes administrative, technical, physical, organizational, and operational safeguards designed to protect Personal Data, including access controls, encryption in transit and at rest, logging and monitoring, secure development practices, vulnerability management, incident response procedures, vendor risk management, and employee training.
Additional information about CoVet's security posture is available through CoVet's Security page and Trust Center:
6. Subprocessors
6.1 General authorization. Client gives CoVet general authorization to engage Subprocessors to Process Personal Data in connection with the Services. CoVet will enter into written agreements with Subprocessors that impose data protection obligations no less protective in all material respects than those set out in this DPA.
6.2 Current list and updates. CoVet's current Subprocessors are listed in Annex C and may also be made available through CoVet's Trust Center or another published subprocessor page. CoVet may add, replace, or update Subprocessors by providing notice through the Trust Center, the Services, email, or another commercially reasonable method.
6.3 Objection right. Client may object to a new Subprocessor on reasonable data protection grounds within fourteen (14) days after notice. If the Parties cannot resolve the objection in a commercially reasonable manner, CoVet may make available an alternative, suspend the affected feature, or permit Client to terminate the affected Services as described in the Applicable Agreement.
7. Data Subject Requests
If CoVet receives a request from a Data Subject relating to Client Personal Data, CoVet will, where legally permitted, direct the Data Subject to Client or notify Client. CoVet will not independently respond to the request except as instructed by Client, required by law, or necessary to confirm that the request relates to Client.
8. Personal Data Breach
CoVet will notify Client without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data. The notice will include information reasonably available to CoVet, which may include the nature of the breach, affected categories of Personal Data and Data Subjects, likely consequences, and measures taken or proposed to address and mitigate the breach.
CoVet will reasonably cooperate with Client's investigation, mitigation, and legally required notices. Client is responsible for determining whether to notify Data Subjects, supervisory authorities, regulators, or other third parties, except where Data Protection Laws require CoVet to provide direct notice.
9. Audits and Documentation
CoVet will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, policies, certifications, independent audit reports, or written responses. CoVet may satisfy this obligation by making materials available through its Trust Center subject to appropriate confidentiality and access controls.
If Client reasonably requires additional audit activity, Client may request an audit no more than once per calendar year unless required by a supervisory authority or following a Personal Data Breach. Any audit must be conducted during normal business hours, at Client's expense, on reasonable advance notice, and in a manner that does not unreasonably interfere with CoVet's operations or compromise the security or confidentiality of other customers' data.
10. Return and Deletion
Upon termination or expiration of the Applicable Agreement, CoVet will, in accordance with the Applicable Agreement and the functionality of the Services, delete or make available for retrieval Client Personal Data in CoVet's possession or control. CoVet may retain Personal Data to the extent required by law, necessary for legitimate security, backup, dispute, audit, or compliance purposes, or otherwise permitted by the Applicable Agreement, provided that CoVet continues to protect retained Personal Data under this DPA and limits further Processing to those retained purposes.
11. International Transfers
Client acknowledges that CoVet and its Subprocessors may Process Personal Data in Canada, the United States, the European Economic Area, the United Kingdom, and other locations where CoVet or its Subprocessors maintain operations, subject to the safeguards required by Data Protection Laws.
For transfers of Personal Data from the EEA, United Kingdom, or Switzerland to a country that does not provide an adequate level of protection under applicable Data Protection Laws, the Standard Contractual Clauses and related transfer terms in Exhibit 1 apply to the extent required.
12. Liability and Order of Precedence
The liability of each Party under this DPA is subject to the limitations and exclusions of liability in the Applicable Agreement, except to the extent such limitations or exclusions are prohibited by Data Protection Laws or the Standard Contractual Clauses. If there is a conflict between this DPA and the Applicable Agreement, this DPA controls solely with respect to Processing of Personal Data. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control to the extent of the conflict.
13. Updates to this DPA
CoVet may update this DPA from time to time by posting an updated version or otherwise providing notice. Updates will not materially reduce the level of protection for Personal Data during the term of the Applicable Agreement. Client's continued use of the Services after an updated DPA becomes effective constitutes acceptance of the updated DPA, unless Client has a separate signed agreement that provides otherwise.
Annex A: Details of Processing
A.1 Subject Matter
The subject matter of the Processing is CoVet's provision of the Services to Client under the Applicable Agreement, including Processing of Client Data submitted to, generated through, or otherwise Processed by the Services.
A.2 Duration
The Processing will continue for the term of the Applicable Agreement and thereafter as necessary for deletion, return, legal, security, backup, audit, or compliance purposes.
A.3 Nature and Purpose
Account creation, authentication, billing, subscription administration, support, and communications.
Recording, upload, transcription, structuring, summarization, drafting, generation, storage, retrieval, and display of clinical, workflow, and communication content requested by Client or Authorized Users.
Operation, maintenance, troubleshooting, security monitoring, abuse prevention, reliability, analytics, and improvement of the Services.
Processing through AI service providers solely to provide the features requested by Client and Authorized Users, subject to this DPA's restrictions on model training and fine-tuning.
Integrations, exports, imports, and data transfers configured or requested by Client or Authorized Users.
Compliance with legal obligations, enforcement of the Applicable Agreement, and protection of the Services, CoVet, Client, Authorized Users, and Data Subjects.
A.4 Categories of Personal Data
Account, profile, role, authentication, contact, billing, subscription, and organization information.
Professional and practice information relating to veterinary professionals, clinic staff, administrators, contractors, and other Authorized Users.
Clinical workflow content submitted to or generated through the Services, including audio recordings, transcripts, prompts, messages, files, generated notes, case information, client communications, and related metadata.
Pet owner, client, patient, appointment, and case information to the extent such information identifies or can reasonably be linked to an individual.
Technical, device, usage, log, security, diagnostic, and support information, including IP address, device identifiers, browser or app information, timestamps, and feature usage.
Any other Personal Data submitted by Client or Authorized Users through the Services, subject to the Applicable Agreement and this DPA.
A.5 Sensitive Data
Client may submit sensitive or regulated Personal Data only where permitted by the Applicable Agreement and necessary for Client's use of the Services. Where Client submits PHI and Exhibit 2 applies, CoVet will Process PHI in accordance with Exhibit 2. CoVet does not require Client to submit special categories of Personal Data under the GDPR unless such submission is necessary for Client's chosen use of the Services and Client has satisfied applicable legal requirements.
A.6 Categories of Data Subjects
Client's Authorized Users, administrators, employees, contractors, and representatives.
Veterinary clients, pet owners, prospective clients, and contact persons.
Individuals whose information appears in clinical notes, communications, files, recordings, transcripts, support requests, integrations, or other Client Data.
Billing, procurement, legal, support, and business contacts.
A.7 Frequency of Transfer
Continuous for the duration of Client's use of the Services.
A.8 Parties for Standard Contractual Clauses
| Role | Name and details | Activities | SCC role |
|---|---|---|---|
| Data Exporter | Client, as identified in the Applicable Agreement or account records. | Submitting, accessing, and using Personal Data in connection with the Services. | Controller or Processor, as applicable. |
| Data Importer | CoVetAI Inc. (CoVet). Contact: info@co.vet or support@co.vet. | Processing Personal Data to provide, secure, maintain, support, and improve the Services. | Processor or Subprocessor, as applicable. |
Annex B: Technical and Organizational Measures
CoVet maintains technical and organizational measures designed to provide a level of security appropriate to the risk presented by the Processing. Those measures include the controls summarized below and may evolve over time as CoVet's security program matures.
| Control area | Summary |
|---|---|
| Governance and policies | Information security, data management, incident response, vendor risk, business continuity, secure development, and access control policies. |
| Access controls | Role-based access, least privilege, unique credentials, access reviews, onboarding and offboarding controls, and authentication safeguards. |
| Encryption and infrastructure | Encryption in transit and at rest, secure cloud infrastructure, network segmentation where appropriate, hardening, and logical separation of customer data. |
| Monitoring and incident response | Logging, availability monitoring, security event review, incident response procedures, escalation, remediation, and breach response support. |
| Vulnerability and secure development | Vulnerability management, penetration testing or vulnerability assessments, patch management, secure software development practices, and code/change review controls. |
| Personnel and training | Confidentiality obligations, security awareness training, role-specific responsibilities, and workforce security procedures. |
| Vendor management | Vendor risk review, contractual data protection obligations, and oversight of Subprocessors that may Process Client Personal Data. |
| Continuity and recovery | Backup, continuity, disaster recovery, and availability practices designed to support reliable delivery of the Services. |
Annex C: Subprocessors
The following Subprocessors are listed as of the Last Updated date above. CoVet may update this list in accordance with Section 6.
| Subprocessor | Location | Function |
|---|---|---|
| OpenAI | United States | AI processing and related model services used to provide requested Service features. |
| Claude | United States | AI processing and related model services used to provide requested Service features. |
| GCP | Canada / United States | Cloud hosting, storage, infrastructure, networking, security, and related platform services. |
| GitHub | Canada / United States | Software development, code hosting, security, deployment, and operational support tooling. |
The current Trust Center is available at:
Exhibit 1: Standard Contractual Clauses
1. Incorporation
Where required for an international transfer of Personal Data, the Parties incorporate by reference the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs"). The SCCs apply only to transfers subject to the GDPR or other Data Protection Laws that require such safeguards.
2. Module and Selections
Module Two (Controller to Processor) applies where Client is a Controller and CoVet is a Processor.
Module Three (Processor to Processor) applies where Client is a Processor and CoVet is a Subprocessor.
Clause 7 (Docking Clause) applies.
For Clause 9 (Use of subprocessors), Option 2 (General written authorization) applies, with the notice and objection periods stated in Section 6 of this DPA.
For Clause 11 (Redress), the optional language does not apply.
For Clause 13 (Supervision), the competent supervisory authority will be determined in accordance with the GDPR. Where no other supervisory authority is clearly applicable, the Irish Data Protection Commission will act as the competent supervisory authority for SCC purposes.
For Clauses 17 and 18, the SCCs will be governed by the laws of Ireland and disputes will be resolved by the courts of Ireland, solely for purposes of the SCCs.
3. Annexes
SCC Annex I is completed by Annex A of this DPA.
SCC Annex II is completed by Annex B of this DPA.
SCC Annex III is completed by Annex C of this DPA.
4. UK and Swiss Transfers
For transfers subject to the UK GDPR, the SCCs apply as amended by the United Kingdom International Data Transfer Addendum or other applicable UK transfer mechanism. For transfers subject to Swiss data protection law, references to the GDPR, EU Member States, and supervisory authorities will be interpreted as necessary to give effect to Swiss law and the Swiss Federal Data Protection and Information Commissioner.
5. Conflict
If there is a conflict between this DPA and the SCCs, the SCCs control to the extent required by applicable Data Protection Laws.
Exhibit 2: HIPAA Addendum
This HIPAA Addendum applies only where Client is a Covered Entity or Business Associate under HIPAA and CoVet creates, receives, maintains, or transmits PHI on behalf of Client in connection with the Services. If this HIPAA Addendum applies, CoVet acts as Client's Business Associate or Subcontractor, as applicable.
1. HIPAA Definitions
Capitalized terms used in this HIPAA Addendum but not defined in this DPA have the meanings given to them in HIPAA, including Business Associate, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Electronic Protected Health Information, HITECH Act, Individual, Minimum Necessary, PHI, Required by Law, Secretary, Security Incident, Subcontractor, Unsecured Protected Health Information, and Use.
2. Permitted Uses and Disclosures
CoVet may Use or Disclose PHI only as permitted by this HIPAA Addendum, the Applicable Agreement, Client's documented instructions, or as Required by Law. Client authorizes CoVet to Use and Disclose PHI for the following permissible purposes:
To provide, operate, maintain, secure, support, troubleshoot, and improve the Services requested by Client or Authorized Users.
To record, receive, transcribe, summarize, structure, draft, generate, store, retrieve, display, transmit, and manage clinical documentation, communications, workflow content, files, and related outputs submitted to or generated through the Services.
To perform administrative, management, billing, legal, compliance, security, and audit activities for CoVet, provided any Disclosure to a third party for those purposes is made only where Required by Law or under reasonable assurances of confidentiality and limited further Use or Disclosure.
To provide Data Aggregation services relating to the health care operations of Client where permitted by HIPAA and the Applicable Agreement.
To de-identify PHI in accordance with HIPAA, where permitted by the Applicable Agreement, and use de-identified information in a manner not prohibited by HIPAA.
To report violations of law to appropriate authorities consistent with 45 C.F.R. 164.502(j)(1).
CoVet will make Uses, Disclosures, and requests for PHI consistent with HIPAA's Minimum Necessary standard where applicable. CoVet will not sell PHI, Use or Disclose PHI for underwriting purposes, or Use PHI to train or fine-tune AI models except as expressly authorized in writing by Client and permitted by HIPAA.
3. CoVet HIPAA Obligations
Use appropriate safeguards and comply with the HIPAA Security Rule with respect to Electronic PHI to prevent Use or Disclosure of PHI other than as permitted by this HIPAA Addendum.
Report to Client any unauthorized Use or Disclosure of PHI, Breach of Unsecured PHI, or Security Incident involving Electronic PHI of which CoVet becomes aware, in accordance with HIPAA and this DPA.
Ensure that any Subcontractor that creates, receives, maintains, or transmits PHI on behalf of CoVet agrees in writing to substantially the same restrictions, conditions, and requirements that apply to CoVet with respect to PHI.
Make PHI in a Designated Record Set available to Client as necessary for Client to satisfy obligations under 45 C.F.R. 164.524.
Make PHI available for amendment and incorporate amendments as directed by Client in accordance with 45 C.F.R. 164.526.
Make available information required for Client to provide an accounting of Disclosures in accordance with 45 C.F.R. 164.528.
Make CoVet's internal practices, books, and records relating to the Use and Disclosure of PHI available to the Secretary to determine compliance with HIPAA.
At termination, return or destroy PHI as provided in this DPA and the Applicable Agreement, if feasible, and continue to protect any retained PHI.
4. Client HIPAA Obligations
Client will not request that CoVet Use or Disclose PHI in a manner that would not be permissible under HIPAA if done by Client.
Client will notify CoVet of any limitation in Client's notice of privacy practices, any restriction on Use or Disclosure of PHI, or any change in an Individual's permission that may affect CoVet's Use or Disclosure of PHI.
Client is responsible for responding to Individual requests, determining whether a Breach requires notice, and satisfying Client's obligations under HIPAA except to the extent those obligations are expressly delegated to CoVet in the Applicable Agreement.
5. Termination for HIPAA Cause
If either Party knows of a pattern of activity or practice of the other Party that constitutes a material breach of this HIPAA Addendum, the non-breaching Party will provide an opportunity to cure if cure is feasible. If cure is not feasible or the breach is not cured, the non-breaching Party may terminate the affected Services or take other action required by HIPAA.
6. HITECH Act
The Parties will comply with applicable provisions of the HITECH Act and related HHS regulations. The Parties will cooperate in good faith to amend this HIPAA Addendum as reasonably necessary to comply with future changes to HIPAA that apply to the Services.