Data Processing Agreement

Effective since 1 April 2026 · Version 1.0

Data processing agreement governing the data processor relationship between Delta Labs SAS and mental health professionals, in accordance with Article 28 of the GDPR.

Parties

This Data Processing Agreement (hereinafter the "DPA") is entered into between:

The Data Controller: the User of the Delta Service, a mental health professional, acting as data controller for the health data of their patients (hereinafter "the Controller").

The Data Processor: Delta Labs SAS, a simplified joint-stock company with a share capital of €1,000, registered with the Niort Trade and Companies Register under number 102 094 448, SIRET 102 094 448 00010, registered office: 11 BIS Allée du Muguet, 79200 Parthenay, France, represented by Grégory Ilan Muschel, President, publisher of the Delta software (hereinafter "the Processor").

This DPA is an integral part of the Terms of Use and Terms of Sale of the Delta Service and takes effect upon their acceptance.

Article 1 — Purpose

This DPA defines the conditions under which the Processor processes, on behalf of the Controller, the personal data necessary for the provision of the Service, in accordance with Article 28 of the GDPR.

Article 2 — Description of processing

2.1 Nature and purpose

The Processor processes the data for:

  • Generation of session notes and reports
  • Building patient histories
  • Identifying recurring themes
  • Providing contextual cues via the Copilot
  • Preparing pre-session briefings
  • Proposing patient follow-up messages

2.2 Types of data

| Category | Detail |
|---|---|
| Patient identification | First name, last name, initials, identifier, contact details |
| Health data (GDPR art. 9) | Notes, reports, observations, diagnoses, history |
| Generated data | Transcripts, summaries, Copilot suggestions, briefings, messages |
| Metadata | Dates, durations, timestamps, session identifiers |

2.3 Data subjects

  • The User's patients
  • Any person mentioned in the session notes

2.4 Duration

Throughout the subscription, including the post-contractual retention period (Article 9).

Article 3 — Obligations of the Processor

3.1 Documented instructions

The Processor processes the data only on documented instructions from the Controller. The Terms of Use, the Terms of Sale and this DPA constitute the documented instructions.

3.2 Confidentiality

The Processor ensures that authorised persons are subject to a confidentiality obligation and access only the data strictly necessary.

3.3 Security

Measures implemented:

  • Strong encryption of health data at rest (AES-256) and in transit (TLS 1.3)
  • Strict access control and data isolation between Controllers
  • Pseudonymisation where possible
  • Daily encrypted backups
  • Regular penetration tests and audits

3.4 Onward subcontracting

The Processor will inform the Controller of any change of sub-processor with 30 days' advance notice. Absence of objection within 30 days constitutes acceptance of the change.

List of sub-processors:

| Sub-processor | Function | Location | Data |
|---|---|---|---|
| Amazon Web Services EMEA SARL | HDS hosting | France (eu-west-3) | All data (encrypted) |
| Google LLC (Gemini) | AI processing (content generation) | France | Clinical Data (strict minimum, zero retention) |
| Stripe Payments Europe Ltd | Payments | Ireland (EEA) | Banking data |

The data transmitted to Google LLC for AI processing is limited to the strict minimum necessary for each request. Google LLC contractually undertakes to retain no data beyond the time strictly necessary for the technical processing of the request (zero retention policy). No data is used for model training.

Article 4 — Assistance to the Controller

The Processor assists the Controller in responding to data subjects' rights requests and in fulfilling the obligations of Articles 32 to 36 of the GDPR (security, breach notification, DPIA).

Article 5 — Breach notification

The Processor will notify the Controller within 48 hours of a data breach, with:

  • Nature of the breach
  • Likely consequences
  • Measures taken or proposed
  • Contact point details

Article 6 — Data transfers

Clinical Data is hosted in France (AWS eu-west-3). AI processing via Google LLC takes place on servers located in France.

In the event that an onward sub-processor were established outside the European Economic Area, transfers would be governed by the European Commission's Standard Contractual Clauses (decision 2021/914) and, where applicable, by the supplementary measures recommended by the EDPB.

Stripe Payments Europe Ltd processes banking data within the EEA (Ireland).

Article 7 — Audit right

The Processor makes available the information necessary to demonstrate compliance with the GDPR and allows audits with 30 days' advance notice.

Article 8 — Records of processing activities

The Processor keeps a record of processing activities in accordance with Article 30(2) of the GDPR.

Article 9 — Fate of data at end of contract

9.1 Return

The User may export their data (CSV, PDF, JSON) for 90 days after termination.

9.2 Deletion

After 90 days, secure and irreversible deletion. Certificate of deletion available on request.

9.3 Exceptions

Billing data retained for 10 years (legal obligation). Anonymised data not affected.

Article 10 — Liability

The Processor is liable for damages caused by processing that does not comply with the processor's obligations or that is carried out outside the Controller's instructions.

Article 11 — Duration

This DPA remains in force as long as the Processor processes data on behalf of the Controller.

Article 12 — Governing law

French law for Users in France, Belgian law for Users in Belgium.

Article 13 — Contact

Delta Labs SAS

admin@mydelta.app

+33 7 66 80 89 66

11 BIS Allée du Muguet, 79200 Parthenay, France

This English version is provided for convenience only. In case of dispute, the French version of this document prevails over this English translation.