Data Processing Addendum

Last updated: May 4, 2026. This DPA-style page summarizes the data processing terms EMDRSuite should offer to therapist customers who process personal data through the platform.

Roles

For patient data entered by therapists, the therapist is generally the controller or covered entity/customer, and EMDRSuite acts as processor or service provider, subject to the final contract and jurisdiction.

Processing instructions

EMDRSuite processes customer data to provide the service, maintain security, process billing, support users, troubleshoot, and comply with documented lawful instructions.

Categories of data

Data may include therapist account data, patient profile metadata, session configuration, clinical notes entered by the therapist, session token metadata, billing status, support content, and technical logs.

Security measures

EMDRSuite should maintain appropriate technical and organizational measures, including access control, encrypted transport, secure secrets, vendor review, least privilege access, and backup controls.

Subprocessors

EMDRSuite may use vetted subprocessors to host, store, secure, and bill the service. Material changes should be reflected on the Subprocessors page.

Data subject requests

EMDRSuite should assist therapists with access, deletion, correction, export, and restriction requests where required and technically possible.

Deletion and return

Upon account closure or written request, customer data should be deleted or returned according to legal requirements, backup cycles, and professional recordkeeping obligations.

Transfers

International transfers should be supported by appropriate contractual safeguards, including standard contractual clauses where required.