Data Processing Agreement (DPA)
Template terms for business customers — execution may require a countersigned copy.
This document sets out the data protection commitments that apply when Vitacore processes personal data on behalf of a business customer (the "Customer") who acts as a controller under applicable privacy laws. A Customer may request a PDF or DocuSign copy for signature. Legal counsel should review before reliance.
1. Definitions
- "Agreement" means the underlying commercial agreement or order form between Customer and Vitacore for FormFit / Vitacore Forge services.
- "Personal Data" means personal information contained within Customer Data that Vitacore processes on behalf of Customer.
- "Services" means the scanning, modeling, manufacturing coordination, and related hosted services provided by Vitacore under the Agreement.
2. Roles
The parties acknowledge that for Personal Data processed in connection with the Services, Customer is the controller (or equivalent) and Vitacore is the processor (or equivalent), unless Vitacore processes Personal Data as an independent controller for its own purposes (e.g., billing, security telemetry unrelated to Customer instructions), in which case the Agreement and privacy policy govern that processing.
3. Processing instructions
Vitacore will process Personal Data only on documented instructions from Customer, including as set forth in the Agreement and this DPA, unless otherwise required by applicable law (in which case Vitacore will inform Customer unless prohibited).
Nature and purpose: hosting, processing, and securing scan media, derived 3D assets, and related identifiers to deliver custom mask manufacturing workflows.
Categories of data subjects: end-users and patients (or their guardians) participating in scanning; Customer personnel who administer accounts.
Categories of Personal Data: imaging and biometric-adjacent data (face scans), contact and order identifiers, technical metadata, and communications.
4. Location of processing
Vitacore processes and stores Personal Data primarily in Oregon, United States. Photogrammetry and closely related reconstruction steps are performed in the eastern United States. End users may access the Services from other jurisdictions; Personal Data is transferred between the end-user's device and Vitacore's systems—and between Vitacore's U.S. regions—only over secure, encrypted connections (for example TLS/HTTPS). Customer instructs Vitacore to perform this processing as part of delivering the Services.
5. Confidentiality and personnel
Vitacore ensures that persons authorized to process Personal Data are bound by appropriate confidentiality obligations and receive training commensurate with their role.
6. Security
Vitacore implements technical and organizational measures appropriate to the risk, including encryption in transit (including HTTPS/TLS for scan video and photo uploads from end-user devices, including direct-to-storage uploads), access controls, segmentation of production systems, logging and monitoring, and vendor management for infrastructure subprocessors. Vitacore stores direct identifiers such as name and contact details separately from scan media and derived 3D assets so they are not commingled in a single identifiable bundle. Further detail is available in the Security overview on this site and may be expanded under NDA.
7. Subprocessors
Customer authorizes Vitacore to engage subprocessors to support the Services (e.g., hosting, storage, messaging). Vitacore will impose data protection terms on subprocessors and remain responsible for their performance. An up-to-date list is available upon request; Vitacore will notify Customer of material changes where contractually required.
8. Data subject requests
Where Customer receives a request from a data subject regarding Personal Data processed by Vitacore on Customer's behalf, Customer may route the request to Vitacore. Vitacore will assist Customer, taking into account the nature of processing, within a reasonable timeframe. Individuals may also contact customer.service@vitacore.com to inquire what data Vitacore holds, obtain a copy, or request deletion where the law allows.
9. Breach notification
Vitacore will notify Customer without undue delay after becoming aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data processed on behalf of Customer, and will provide information reasonably necessary for Customer to meet regulatory obligations.
10. Deletion and return
Upon termination of the Services (or on Customer's written request), Vitacore will delete or return Personal Data in accordance with the Agreement. Vitacore retains data only as long as necessary for the purposes described in the Agreement and as required by applicable law. End-users who wish to inquire what data Vitacore stores about them, obtain a copy, or request deletion where permitted by law may contact customer.service@vitacore.com.
11. Audits
Vitacore will make available information reasonably necessary to demonstrate compliance and allow for audits mandated by applicable law, subject to reasonable notice, confidentiality, and scope limitations to protect security and other customers.
12. International transfers
Where Personal Data is transferred from regions requiring safeguards, Vitacore will implement appropriate mechanisms (such as standard contractual clauses or adequacy decisions) consistent with applicable law.
13. Contact
For DPA execution or subprocessor lists: privacy@vitacore.com. For data access, portability, or deletion requests from individuals (where the law allows): customer.service@vitacore.com.
This web version is a convenience copy. A countersigned DPA between Vitacore and Customer prevails over this template in case of conflict.