Data Processing Addendum (DPA)

Last Updated: 10 November 2025

This DPA forms part of the Phalanx HealthTech, LLC Terms of Service (the “Agreement”).

1. Purpose and Scope

This Data Processing Addendum (“DPA”) governs the handling of data by Phalanx HealthTech, LLC (“Phalanx”) in connection with Customer’s use of the T1MBER platform and related services (the “Service”).

This DPA applies solely to the limited processing of Customer Data necessary to provide and support the Service, as defined in the Agreement.

This DPA does not apply to, and Phalanx does not agree to process, Protected Health Information (PHI) or any other regulated data under HIPAA, GDPR, or similar privacy frameworks.

2. Relationship of the Parties

Phalanx acts solely as a technology vendor providing a hosted software platform.

Phalanx does not act as:

  • a “Business Associate” under HIPAA,

  • a “Processor” under the EU or UK GDPR, or

  • a “Service Provider” under the CCPA.

Customer is solely responsible for determining whether and how to use the Service in compliance with its own legal and regulatory obligations.

Customer acknowledges that Phalanx processes only metadata and usage data related to Customer’s account and platform activity, not PHI or personal data of patients or clients.

3. Categories of Data Processed

Phalanx processes only the following types of information (“Customer Data”):

  • Account identifiers (e.g., business name, contact email, subscription ID)

  • Assessment metadata and configuration values entered by Customer

  • System and usage telemetry (e.g., login events, timestamps, performance metrics)

  • Anonymized or aggregated data for analytics and product improvement

Customer shall not transmit, upload, or store PHI, patient identifiers, or any personal health data through the Service.

Customer represents and warrants that it will not transmit PHI or any personal data subject to HIPAA, GDPR, or similar laws through the Service.

If Customer does so in violation of this DPA, Customer assumes all resulting risk and liability.

4. Processing Purpose and Duration

Phalanx will process Customer Data solely:

  • to provide, maintain, and support the Service,

  • to analyze and improve the performance and functionality of the Service, and

  • to generate aggregated or anonymized insights.

Processing continues only for the duration of Customer’s subscription and will cease upon termination or deletion of the account.

5. Customer Responsibilities

Customer is solely responsible for:

  • determining the adequacy of the Service for its intended use,

  • ensuring that no PHI or regulated data is uploaded or transmitted to the Service,

  • providing any legally required notices to individuals, and

  • implementing its own administrative, physical, and technical safeguards to maintain compliance with applicable law.

Phalanx shall not be responsible for Customer’s failure to meet its regulatory or contractual obligations.

6. Security Measures

Phalanx implements commercially reasonable administrative, technical, and organizational measures designed to protect Customer Data against unauthorized access, loss, or disclosure.

These measures include:

  • encrypted transport (TLS 1.2+),

  • restricted access control to production systems,

  • regular vulnerability scanning, and

  • audit logging of administrative actions.

Phalanx does not guarantee that the Service is immune from unauthorized access or attack and expressly disclaims any warranty to that effect.

7. Subprocessors

Phalanx may engage subprocessors (e.g., hosting and analytics providers) as reasonably necessary to operate the Service.

All subprocessors are bound by written agreements imposing confidentiality and security obligations substantially similar to those contained herein.

A current list of subprocessors is available upon written request.

8. Data Deletion and Retention

Upon termination of the Agreement or at Customer’s written request, Phalanx will delete or anonymize Customer Data from active systems within sixty (60) days, unless retention is required by law, regulation, or for legitimate business continuity purposes (e.g., backups).

Archived data will be overwritten in the ordinary course of backup rotation.

9. Disclosure to Authorities

Phalanx may disclose Customer Data only:

  • as required by applicable law, regulation, or legal process; or

  • to respond to lawful requests from government or law enforcement authorities.

Phalanx will, where legally permissible, provide prompt notice to Customer before such disclosure to allow Customer to seek protective measures.

10. Compliance Disclaimers

Phalanx does not provide legal, regulatory, or professional advice.

Use of the Service does not establish attorney-client, auditor-client, or consultant-client relationships.

Compliance determinations remain solely the responsibility of Customer.

Phalanx expressly disclaims any obligation to comply with or assist Customer in complying with HIPAA, GDPR, or similar data protection frameworks, as no regulated data is intended to be processed.

11. Limitation of Liability

Phalanx’s total aggregate liability under this DPA, regardless of the cause of action, shall be limited to the total fees paid by Customer under the Agreement during the twelve (12) months preceding the event giving rise to the claim.

In no event shall Phalanx be liable for indirect, incidental, consequential, punitive, or regulatory damages, including enforcement actions, fines, or penalties arising from Customer’s use or misuse of the Service.

12. Governing Law and Venue

This DPA shall be governed by and construed under the laws of the State of Idaho, without regard to conflict-of-law principles.

The parties agree to the exclusive jurisdiction of the state and federal courts located in Ada County, Idaho.

13. Miscellaneous

This DPA forms part of and is incorporated into the Agreement between Phalanx and Customer.

In the event of a conflict between this DPA and the Agreement, the terms of this DPA shall control with respect to the processing of Customer Data.

If any provision of this DPA is held invalid or unenforceable, the remainder shall remain in full force and effect.

Phalanx may update this DPA from time to time by posting a revised version at phalanxht.com/legal/dpa.

Phalanx HealthTech, LLC