1. Roles and scope
This DPA forms part of the agreement between the customer (the “Controller”) and Vetch Health, Inc. (the “Processor”) under which Vetch provides the platform. It applies whenever Vetch processes personal data on the controller’s behalf.
2. Subject matter and duration
Subject matter: the personal data processed by Vetch to provide the services described in the order form. Duration: for as long as Vetch hosts the customer’s data, plus a 60-day export window after termination.
3. Categories of data subjects and personal data
- Data subjects: clinic staff, clinic clients (pet owners), referring veterinarians, and the individuals named in their messages or records.
- Categories of personal data: contact details, account credentials, billing information, communications content, clinic operational records, and (for the AI scribe) audio captured during visits.
- Special categories: health-related information about pet owners or their households if it appears in clinic records or messages. We treat this with the same care as Protected Health Information.
4. Vetch obligations
- Process personal data only on documented instructions from the controller.
- Ensure personnel authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Annex II below).
- Assist the controller with data subject requests, security incidents, DPIAs, and consultations with regulators.
- Notify the controller of a personal data breach without undue delay, and in any case within 72 hours of becoming aware of it.
- Make available all information necessary to demonstrate compliance, and allow audits subject to reasonable confidentiality and frequency safeguards.
5. International transfers
Where personal data is transferred outside the EEA / UK to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, with a transfer impact assessment on file. Regional data residency (US, EU, UK) is available on Group plans.
6. Sub-processors
The controller authorises Vetch to engage the sub-processors listed below, each bound by contract to data protection terms equivalent to this DPA. We’ll give 30 days’ notice before adding or replacing a sub-processor; controllers may object on reasonable data-protection grounds.
7. HIPAA
Vetch enters into a Business Associate Agreement with US customers on request. The BAA is incorporated into this DPA where executed and prevails over any conflicting term as to PHI.
8. Annex I — processing details
- Purpose: providing the Vetch platform and contracted services.
- Nature: hosting, processing, transmitting, storing, and analysing personal data.
- Frequency: continuous during the subscription term.
9. Annex II — security measures
- Encryption: TLS 1.2+ in transit, AES-256 at rest.
- Access controls: SSO + MFA for staff, role-based access, least privilege, quarterly access reviews.
- Network: private VPCs, segmented environments, Web Application Firewall, DDoS mitigation.
- Monitoring: centralised logging, anomaly detection, on-call rotation 24/7.
- Vulnerability management: continuous dependency scanning, quarterly penetration tests, annual third-party audit.
- Backups: encrypted, multi-region, restore tested quarterly.
- Personnel: background checks, security training on hire and annually, NDAs for all staff.
10. Contact
Data Protection Officer: dpo@vetch.vet. EU representative on request.