Data Processing Addendum

Effective April 22, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Animedic LLC (“Animedic,” “Processor”) and the Customer (“Controller”) governing Customer’s use of the Services. It applies whenever Animedic processes personal data on behalf of the Customer in connection with the Services.

1. Definitions

Capitalized terms not defined here have the meanings given in the Terms of Service or, where applicable, in the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) or the UK Data Protection Act 2018.

2. Scope and roles

With respect to Personal Data that the Customer (or the Customer’s end users acting under the Customer’s instruction) uploads to the Services, the Customer is the Controller and Animedic is the Processor. Each party will comply with applicable data protection laws.

3. Processing instructions

Animedic will process Personal Data only for the purposes of providing the Services, as documented in the Terms, this DPA, and any additional written instructions from the Customer that Animedic has agreed to in writing. Animedic will inform the Customer if, in its opinion, an instruction infringes applicable law.

4. Confidentiality

Animedic will ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.

5. Security

Animedic will implement and maintain appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption of Personal Data in transit (TLS 1.2+).
  • Encryption at rest on managed database systems.
  • Row-level security, column-level revocations, and RLS-aware RPCs for sensitive fields.
  • Bcrypt hashing for user passwords and kiosk PINs.
  • One-way-hashed kiosk access tokens (raw tokens shown once).
  • Multi-factor authentication support for administrators.
  • Role-based access controls and least-privilege service accounts.
  • Audit logging of record-level access and changes.
  • Regular backups with defined retention.
  • Documented incident response procedures.

6. Subprocessors

The Customer authorizes Animedic to engage the subprocessors listed below. Animedic will impose obligations on each subprocessor no less protective than those in this DPA, and remains liable for each subprocessor’s performance.

  • Vercel Inc. — application hosting (United States).
  • Supabase Inc. — database, authentication, and object storage (United States).
  • Resend Inc. — transactional email delivery (United States).
  • Stripe, Inc. — payment processing, when enabled (United States).

Animedic will notify the Customer of any intended change to subprocessors at least 30 days before the change takes effect. The Customer may object on reasonable data-protection grounds. If the objection cannot be resolved, the Customer may terminate the affected Services.

7. Data subject requests

Taking into account the nature of the processing, Animedic will assist the Customer, by appropriate technical and organisational measures, in fulfilling its obligations to respond to requests from data subjects exercising their rights.

8. Personal Data breaches

Animedic will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting the Customer’s Personal Data, and will provide the information reasonably available to allow the Customer to comply with its own notification obligations.

9. International transfers

Where Animedic transfers Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed to provide an adequate level of protection, the transfer is subject to the European Commission’s Standard Contractual Clauses (module 2, Controller to Processor), incorporated by reference into this DPA.

10. Return or deletion

On termination of the Services, Animedic will, at the Customer’s election, delete or return all Personal Data within 30 days, unless retention is required by law. The Customer can export its own data from within the Services at any time prior to deletion.

11. Audits

Animedic will make available to the Customer information necessary to demonstrate compliance with this DPA. Where audits are required by applicable law, the Customer may request an audit by written notice, conducted during business hours, at the Customer’s expense, subject to reasonable scope and confidentiality obligations.

12. Details of processing

Subject matter: provision of the Services.
Duration: term of the underlying agreement plus the retention period described above.
Nature and purpose: processing operations required to host, secure, operate, support, and improve the Services.
Categories of data subjects: Customer’s personnel, pet owners recorded as clients, and other individuals whose information the Customer chooses to enter.
Categories of Personal Data: contact information, professional information, financial information (invoices and payments), and veterinary records pertaining to the Customer’s patients.

13. Contact

Questions or requests under this DPA should be sent to privacy@animedic.app, or by mail to Animedic LLC, Saint George, UT.