Legal & Commercial Templates

DPA Template

AI Diligence Console

DRAFT TEMPLATE, counsel-pending review
This document is a structural draft for investor data-room visibility.
Outside counsel will finalize all binding language.
Do not execute without counsel review.

DATA PROCESSING AGREEMENT (DPA)

Processor: Rōvn, Inc. ("Rōvn", "Processor") Controller: Customer named on the applicable Order Form or Master Services Agreement ("Customer", "Controller") Jurisdiction: State of Delaware · United States Effective Date: Effective date of underlying agreement, unless separately specified. Version: Draft v0.1 · 2026-05-14

This DPA is a companion to the Business Associate Agreement (BAA) for any processing that involves Protected Health Information (PHI). For PHI, the BAA controls in case of conflict.

1. DEFINITIONS

1.1 "Personal Data" means information relating to an identified or identifiable individual processed by Rōvn on behalf of Customer in the course of providing the services. Excludes information rendered de-identified or aggregated.

1.2 "PHI" means Protected Health Information as defined under HIPAA. PHI is governed by the BAA.

1.3 "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, alteration, and deletion.

1.4 "Sub-Processor" means any third party engaged by Rōvn to process Personal Data on Customer's behalf.

1.5 "Data Subject" means the individual to whom Personal Data relates (workers, facility staff, administrators).

2. SUBJECT MATTER AND DURATION

2.1 Subject Matter. Processing of Personal Data necessary for Rōvn to provide the Passport, facility workflow layer, and Verified API services to Customer.

2.2 Duration. For the term of the underlying agreement, plus the period required to fulfill data-return and deletion obligations.

3. NATURE AND PURPOSE OF PROCESSING

3.1 Nature. Storage, retrieval, organization, structuring, transmission, OCR, AI-assisted analysis, and verification orchestration.

3.2 Purpose. To provide healthcare workforce trust infrastructure, including credential verification, application intake, AI-assisted screening, onboarding, and active staff monitoring.

4. TYPES OF PERSONAL DATA

4.1 The Personal Data processed may include: - Identification: name, contact information, government-issued identifiers (license numbers). - Professional: licenses, certifications, work history, education, attestations. - Documentary: uploaded credential documents, signed attestations. - Communications: messages between Customer and workers via the platform. - Usage metadata: timestamps, IP addresses, audit logs.

4.2 PHI is not Personal Data under this DPA; PHI is governed by the BAA.

5. CATEGORIES OF DATA SUBJECTS

5.1 Workers (applicants and active employees represented in Passport). 5.2 Customer's authorized staff (recruiters, hiring managers, credentialing officers, administrators). 5.3 Third-party references provided by workers.

6. CUSTOMER OBLIGATIONS

6.1 Lawful Basis

Customer represents it has a lawful basis (typically consent, contract, or legal obligation) for processing Personal Data through Rōvn.

6.2 Instructions

Customer's instructions to Rōvn are limited to (a) the underlying agreement, (b) configuration of the services, and (c) any documented written instructions Customer issues during the term, provided they are within the scope of Rōvn's services.

6.3 Accuracy

Customer ensures the accuracy of Personal Data it provides or causes to be provided.

Customer ensures workers and other Data Subjects have provided required consents for processing within Rōvn.

6.5 No PHI Outside BAA

Customer shall not submit PHI to Rōvn outside the scope of an executed BAA.

7. RŌVN OBLIGATIONS

7.1 Security

Rōvn implements technical and organizational measures appropriate to the risk, including encryption in transit, encryption at rest, MFA on privileged access, network segmentation, vulnerability management, and audit logging.

7.2 Confidentiality

Rōvn ensures personnel with access to Personal Data are bound by confidentiality obligations.

7.3 Sub-Processor Engagement

Rōvn provides Customer notice of new or replacement Sub-Processors with at least thirty (30) days to object. If Customer reasonably objects on data-protection grounds, Rōvn will work in good faith to provide an alternative or, failing that, Customer may terminate the affected service.

7.4 Breach Notification

Rōvn notifies Customer without undue delay (no later than 72 hours after confirmation) of a Personal Data Breach affecting Customer's Personal Data, with available details and remediation status.

7.5 Cooperation

Rōvn assists Customer in responding to Data Subject requests, regulator inquiries, and data protection impact assessments (DPIAs), within commercially reasonable scope.

7.6 No Sale

Rōvn does not sell, share, or use Personal Data for cross-context behavioral advertising.

7.7 Limited Use

Rōvn uses Personal Data only to provide the services, improve service security and reliability, and meet legal obligations. Model improvement uses de-identified or aggregated data only.

8. SUB-PROCESSORS

8.1 Authorization. Customer authorizes Rōvn to engage Sub-Processors listed in the SUB_PROCESSOR_REGISTRY.md available in the data room and on rovn.to/legal/sub-processors.

8.2 Flow-Down. Rōvn imposes substantially equivalent data protection terms on Sub-Processors.

8.3 Liability. Rōvn remains liable to Customer for the acts and omissions of its Sub-Processors that breach this DPA.

9. DATA SUBJECT RIGHTS

9.1 Access, Correction, Deletion. Rōvn will assist Customer in fulfilling Data Subject access, correction, and deletion requests within statutory timelines.

9.2 Workers Direct Access. Workers may submit access, correction, export, and deletion requests directly via Passport. Rōvn fulfills these per the Privacy Policy.

9.3 Pass-Through Requests. When a Data Subject contacts Rōvn directly about Customer-controlled data, Rōvn will route the request to Customer for response, unless the request relates solely to Passport (worker-controlled) data.

10. INTERNATIONAL TRANSFERS

10.1 US-Only. Rōvn currently processes and stores Personal Data exclusively in US data centers. Rōvn does not transfer Personal Data outside the United States.

10.2 No EU/UK Operations. At pre-launch, Rōvn does not engage EU or UK customers and does not contemplate EU/UK Personal Data. If this changes, the parties will execute Standard Contractual Clauses or equivalent.

11. AUDIT RIGHTS

11.1 Documentation. Rōvn provides Customer with reasonable information necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g., SOC 2) when available.

11.2 Onsite Audit. Where documentation is insufficient, Customer may, on 30 days' written notice and not more than once per twelve (12) months, conduct an audit at Rōvn's facilities at Customer's cost, subject to (a) confidentiality obligations, (b) non-disruption of Rōvn operations, and (c) protection of other customers' data.

11.3 Regulator Audits. Rōvn cooperates with regulator audits as required by law.

12. TERM AND TERMINATION

12.1 Term. This DPA is effective from the date of the underlying agreement and continues for the duration of Rōvn's processing of Personal Data on Customer's behalf.

12.2 Return or Deletion. On termination, Customer may request return or deletion of Personal Data within ninety (90) days. Absent instruction, Rōvn deletes Personal Data within ninety (90) days, subject to legal retention (audit logs, verification receipts) per the Privacy Policy.

12.3 Survival. Sections 7 (Security), 8 (Sub-Processors), 11 (Audit), and 13 (General) survive termination as needed to give effect to the obligations they contain.

13. GENERAL

13.1 Order of Precedence. In conflict: BAA > DPA > Master Services Agreement > Order Form > Privacy Policy.

13.2 Governing Law. This DPA is governed by Delaware law.

13.3 Notices. Notices to Rōvn: legal@rovn.to. Notices to Customer: address on file.

13.4 Amendment. This DPA may be amended only in writing signed by both parties, except Rōvn may update the Sub-Processor list per Section 8.

13.5 Limitation of Liability. Liability under this DPA is subject to the limitations set forth in the underlying agreement.

13.6 Severability. Invalid provisions reformed; remainder unaffected.

13.7 Counterparts. May be executed in counterparts, including electronic signatures.

SCHEDULE 1, SECURITY MEASURES (SUMMARY)

Encryption in transit (TLS 1.2+).
Encryption at rest (AES-256 or equivalent).
MFA on administrative and privileged access.
Role-based access control with least-privilege.
Audit logging of all PHI/PII access.
Centralized logging with tamper-evident retention.
Vulnerability management on a regular cadence.
Incident response procedures.
Backup and disaster recovery procedures.
Personnel screening and security training.

Full security posture documentation in the data room.

End of Draft v0.1 · 2026-05-14 Outside counsel review required prior to execution.

Ask the AI agent about this section, the raise, compliance posture, or any cross-document question. Grounded in Rōvn's deep context, with on-page source citations.

AI queries route through AWS Bedrock under BAA · Anthropic Claude (Haiku 4.5) under BAA · zero-data-retention posture · no PHI in prompts.