Data Processing Agreement
Draft v0.1 · Aqta Technologies Ltd, Dublin, Ireland · Last revised 1 June 2026
Status. This page sets the processor terms Spectra proposes for production deployments. The executed DPA is countersigned by both parties at the start of a paid pilot. Custom terms are negotiable for national health services and patient-portal vendors.
1. Parties and roles
- Controller: the health system, clinic, or patient-portal vendor deploying Spectra.
- Processor: Aqta Technologies Ltd (Dublin, Ireland), operator of Spectra.
- Data subjects: the patients and carers who use Spectra to access the Controller's portal.
2. Scope
Spectra acts as an accessibility implementation layer on top of the Controller's existing patient portal. This DPA covers the processing of personal data by Spectra under Article 28 GDPR, in support of the Controller's compliance under the GDPR, the EU AI Act, and Directive 2019/882 (the EU Accessibility Act).
3. Categories of data processed
- Transient. Passed to Gemini Live for real-time response. Not persisted to Spectra storage. Google's Vertex AI retention is governed by its EU customer agreement (no model training on customer data).
- Persisted. One row per action Spectra takes on the patient's behalf. Signed with Ed25519. Contains action type, modality, BCP-47 language, portal surface category, outcome, and timestamps. Never contains the freeform voice transcript or the patient's clinical content.
- Persisted. Auth0 session tokens and per-tenant configuration. Standard Article 32 GDPR safeguards.
- Not persisted by Spectra. Held client-side only. The audit envelope above records that an action happened, not what was said.
- Not persisted by Spectra. Spectra reads and writes against the buyer's portal under the patient's session; we do not retain the patient's records.
4. Sub-processors
Spectra engages the sub-processors below. Spectra remains fully liable to the Controller for the performance of any sub-processor and will give 30 days' notice before adding or replacing one.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud (europe-west1) | Hosting (Cloud Run), application logs | Belgium |
| Google Vertex AI / Gemini Live | Voice and language model runtime | EU multi-region |
| AWS SES (eu-central-1) | Transactional email | Frankfurt, Germany |
| Auth0 (Okta, eu-tenant) | Authentication (lands with first paid pilot) | EU |
| Revolut Merchant | Payment processing (Specialty tier and above) | EU |
5. Security measures (Article 32)
- TLS 1.3 in transit, AES-256 at rest on sub-processor storage.
- Per-tenant scoping of every read and write against the audit log.
- Ed25519 signing of every action envelope with a stable per-tenant fingerprint.
- Authentication via Auth0 with MFA available; role-based access control on the Controller's admin console.
- 72-hour breach notification to the Controller from the time Spectra becomes aware.
- EU-only sub-processor hosting (Cloud Run europe-west1, AWS eu-central-1, Auth0 EU tenant).
6. EU Accessibility Act conformity
Spectra issues a monthly Ed25519-signed accessibility attestation envelope for each tenant deployment. The envelope is one input to the Controller's national-regulator filing under Directive 2019/882. The Controller remains responsible for its overall conformity. The envelope conforms to the published spectra.attestation/v0 specification.
7. Medical-device scope
Spectra is an accessibility implementation layer, not a medical device under EU MDR 2017/745. It does not diagnose, treat, monitor, or recommend a treatment. The prompt envelope of every Spectra action explicitly disallows diagnostic recommendation. Buyers whose deployment requires a clinical evaluation are out of scope of this self-serve DPA and should write to hello@aqta.ai.
8. Data subject rights
Spectra assists the Controller in responding to data subject requests under Articles 15 to 22 GDPR. Because Spectra does not retain freeform voice transcripts or patient-identifying clinical content, most rights requests are answered by the Controller against the underlying portal; Spectra contributes the relevant audit envelope rows on request.
9. International transfers
Spectra processes data inside the EU. Any onward transfer is governed by Standard Contractual Clauses (Commission Decision 2021/914) and the supplementary measures the Controller specifies in the executed DPA.
10. Retention and deletion
- Action audit envelopes: retained for the period stated in the executed DPA, defaulting to 12 months.
- Authentication tokens: rotated per Auth0 defaults; revoked on tenant termination.
- On termination, all tenant data is deleted from active systems within 30 days; written confirmation is provided on request.
11. Governing law
This DPA is governed by the laws of Ireland. Disputes are subject to the exclusive jurisdiction of the courts of Dublin.
12. Contact
Aqta Technologies Ltd, 26 to 27 Upper Pembroke Street, Dublin 2, D02 X361, Ireland. hello@aqta.ai. For an executed DPA referencing a specific pilot, use the subject line above with the pilot site name.
Spectra is operated by Aqta Technologies Ltd, registered in Ireland.
This draft was last revised 1 June 2026. The executed DPA supersedes any version on this page.