Data Processing Agreement
Last updated: July 9, 2026
Effective Date: July 9, 2026
This DPA forms part of the CuraVet Terms of Service.
This Data Processing Agreement sets out how CuraVet processes personal information — including information about your clients (pet owners) and staff — on behalf of your veterinary practice, and the protections we put in place, consistent with PIPEDA and other applicable data protection laws.
Table of Contents
- 1. Introduction and Purpose
- 2. Definitions
- 3. Roles of the Parties
- 4. Scope and Processing Instructions
- 5. Responsibilities of the Clinic
- 6. Obligations of CuraVet
- 7. Sub-processors
- 8. Security Measures
- 9. Personal Data Breach Notification
- 10. Assisting with Individual (Data Subject) Requests
- 11. International Data Transfers
- 12. Return and Deletion of Data
- 13. Records and Audit
- 14. Term and Termination
- 15. Liability and Relationship to the Terms of Service
- 16. Acceptance
- 17. Contact
- Annex A — List of Sub-processors
1. Introduction and Purpose
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the CuraVet Terms of Service (the "Agreement") between CuraVet ("CuraVet," "we," "us," or "our") and the veterinary clinic, practice, hospital, or other organization that uses the Service (the "Clinic," "you," or "your").
This DPA governs how CuraVet processes personal information that the Clinic makes available to the Service — in particular, personal information about the Clinic's own clients (pet owners) and staff that may be captured in consultation recordings, transcriptions, generated medical notes, uploaded documents, and account data (collectively, "Client Personal Information").
The purpose of this DPA is to reflect the parties' agreement on the processing of Client Personal Information in accordance with applicable data protection law, including Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and substantially similar provincial legislation, and to give the Clinic the contractual protections that PIPEDA expects an organization to have in place with its service providers.
2. Definitions
- "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing of Client Personal Information under this DPA, including PIPEDA and substantially similar provincial statutes, and, where applicable, the GDPR, UK GDPR, and CCPA.
- "Client Personal Information" means personal information about an identifiable individual (such as a pet owner or Clinic staff member) that CuraVet processes on the Clinic's behalf under the Agreement.
- "Processing" means any operation performed on Client Personal Information, such as collection, recording, storage, transcription, generation of notes, transmission, or deletion.
- "Sub-processor" means any third party engaged by CuraVet to process Client Personal Information on CuraVet's behalf (for example, cloud hosting or AI transcription providers listed in Annex A).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Information.
- Under PIPEDA terminology, the Clinic is the organization accountable for the personal information (analogous to a "controller"), and CuraVet acts as a service provider processing that information on the Clinic's behalf (analogous to a "processor").
3. Roles of the Parties
The Clinic determines the purposes for which, and the manner in which, Client Personal Information is processed. The Clinic remains the organization accountable for that information under PIPEDA, including for having a valid basis to collect it and for obtaining any consent required from its clients.
CuraVet processes Client Personal Information solely as a service provider acting on the Clinic's behalf and on the Clinic's documented instructions, as set out in the Agreement and this DPA. CuraVet does not use Client Personal Information for its own purposes and does not sell it.
4. Scope and Processing Instructions
CuraVet will process Client Personal Information only to provide and support the Service — namely to record and transcribe veterinary consultations, generate and store clinical documentation, enable export and sharing at the Clinic's direction, provide customer support, and maintain the security and integrity of the Service.
The Agreement and this DPA (including the Clinic's use of the Service's features and settings) constitute the Clinic's complete and final documented instructions to CuraVet. CuraVet will inform the Clinic if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Responsibilities of the Clinic
- The Clinic is responsible for the accuracy, quality, and lawfulness of the Client Personal Information it provides to the Service.
- The Clinic is responsible for having a valid basis under Applicable Data Protection Law for collecting and processing Client Personal Information, and for obtaining and maintaining any consent required from its clients (pet owners) and staff — including, where relevant, consent to record consultations and to have them processed by third-party AI services described in our Privacy Policy.
- The Clinic must not use the Service to process special categories of human health information or other sensitive data beyond what is incidental to veterinary documentation, and must configure its use of the Service accordingly.
- The Clinic is responsible for managing access to its account, including the invitation and removal of team members, and for the actions of its authorized users.
6. Obligations of CuraVet
- Process Client Personal Information only on the Clinic's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case CuraVet will, where legally permitted, inform the Clinic first).
- Ensure that personnel authorized to process Client Personal Information are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Section 8.
- Assist the Clinic, taking into account the nature of the processing, in responding to requests from individuals and in meeting the Clinic's own security, breach-notification, and (where applicable) impact-assessment obligations.
- Make available information reasonably necessary to demonstrate compliance with this DPA (see Section 13).
7. Sub-processors
The Clinic provides a general authorization for CuraVet to engage Sub-processors to process Client Personal Information in connection with the Service. A current list of Sub-processors is set out in Annex A.
CuraVet will impose data protection obligations on each Sub-processor that are substantially the same as those set out in this DPA, and remains responsible for each Sub-processor's performance of those obligations.
CuraVet will give the Clinic notice of any intended addition or replacement of a Sub-processor (for example, by updating Annex A). If the Clinic has a reasonable, data-protection-based objection to a new Sub-processor, it may raise the objection with CuraVet, and the parties will work in good faith to resolve it; if it cannot be resolved, the Clinic may stop using the affected feature or terminate the Agreement.
8. Security Measures
- Encryption of Client Personal Information in transit (TLS) and at rest.
- Access controls and authentication that restrict access to Client Personal Information to authorized personnel and systems on a need-to-know basis.
- Logical separation of each Clinic's data within the platform.
- Use of reputable infrastructure and Sub-processors that maintain recognized security practices.
- Regular review of security practices, and prompt remediation of identified vulnerabilities.
9. Personal Data Breach Notification
CuraVet will notify the Clinic without undue delay after becoming aware of a Personal Data Breach affecting the Clinic's Client Personal Information, and will provide information reasonably available to help the Clinic meet any obligation it has to report the breach to a regulator (such as the Office of the Privacy Commissioner of Canada) or to notify affected individuals.
CuraVet's notification is not an acknowledgement of fault or liability.
10. Assisting with Individual (Data Subject) Requests
Where an individual makes a request to exercise their rights under Applicable Data Protection Law (such as access, correction, or deletion) in respect of Client Personal Information, and the request reaches CuraVet directly, CuraVet will (unless legally prohibited) direct the individual to the Clinic and/or notify the Clinic.
Taking into account the nature of the processing, CuraVet will provide reasonable assistance — including through the Service's own features — to enable the Clinic to respond to such requests.
11. International Data Transfers
Client Personal Information may be processed and stored outside the Clinic's province or country, including in the United States, by CuraVet and its Sub-processors. CuraVet will take reasonable steps to ensure that such processing is subject to protections consistent with Applicable Data Protection Law and comparable to those provided under this DPA.
Our Privacy Policy describes the categories of Sub-processors involved in this processing and the locations where information may be handled.
12. Return and Deletion of Data
Upon termination of the Agreement, and on the Clinic's request, CuraVet will make Client Personal Information available for export for a reasonable period, after which CuraVet will delete or anonymize Client Personal Information in accordance with its retention practices and any residual copies retained in routine backups, which are overwritten on a rolling basis.
CuraVet may retain Client Personal Information to the extent required by law, in which case it will continue to protect that information in accordance with this DPA.
13. Records and Audit
CuraVet will maintain records of its processing sufficient to demonstrate compliance with this DPA and, on reasonable written request and no more than once per year (or following a Personal Data Breach), will make available to the Clinic a summary of its relevant security and data protection practices.
This does not require CuraVet to disclose information that would compromise the security or confidentiality of the Service or of other customers' data.
14. Term and Termination
This DPA takes effect when the Clinic accepts the Agreement and remains in force for as long as CuraVet processes Client Personal Information on the Clinic's behalf. Provisions that by their nature should survive termination (including confidentiality, deletion, and liability) will survive.
15. Liability and Relationship to the Terms of Service
This DPA is subject to the terms of the Agreement, including its limitations and exclusions of liability. In the event of a conflict between this DPA and the Agreement with respect to the processing of Client Personal Information, this DPA controls.
16. Acceptance
By checking the acceptance box at sign-up, or by otherwise accepting the Terms of Service or using the Service, the Clinic (through its authorized representative) agrees to be bound by this DPA. That electronic acceptance has the same legal effect as a signature.
For larger organizations or corporate groups that require a separately signed data processing agreement, please contact us at support@curavet.ai.
17. Contact
Questions about this DPA, or requests for a countersigned copy, can be sent to our Privacy Officer at support@curavet.ai.
Annex A — List of Sub-processors
CuraVet engages the following categories of Sub-processors to process Client Personal Information in connection with the Service. This list may be updated from time to time in accordance with Section 7. A current list of the specific named Sub-processors within each category is available to Clinic customers on request at support@curavet.ai.
- Cloud infrastructure provider — database, authentication, and encrypted file/recording storage.
- AI / language-model provider(s) — audio transcription and generation of clinical documentation.
- Payment processor — billing and subscription information (card data is handled by the payment processor, not stored by CuraVet).
- Mobile subscription-management provider — in-app purchases and subscriptions.
- Email delivery provider — transactional and support emails.
- Web hosting and content-delivery provider.