Data Processing Agreement (DPA)

Last updated: April 28, 2026

Preamble

This Data Processing Agreement (hereinafter, “DPA”) governs the processing of personal data that the Processor carries out on behalf of the Controller within the framework of the main agreement for the provision of the VRET service (hereinafter, “Main Agreement”), in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

Acceptance of the Terms of Service incorporates this DPA as a binding annex. The Controller may also sign the DPA as a separate document where required (for example, a format imposed by its DPO). In the event of conflict between this DPA and the Main Agreement on data protection matters, this DPA prevails.

1. Parties

RoleIdentification
Data ControllerThe psychologist, licensed mental-health professional or legal entity (clinic, mutual insurer, association) that contracts the VRET service.
Data ProcessorRayan Chelouati, natural person (self-employed professional, Art. 10 LSSI-CE), NIF/NIE Y2655152T, domiciled at Calle Mezquita, Edificio Velazquez, 11202 Algeciras (Cadiz), Spain; hereinafter VRET. The Provider will automatically novate to the SL (limited company) that is incorporated, without any need for re-acceptance by the Controller.

2. Subject Matter, Nature, Purpose and Duration

  • Subject Matter: processing by VRET, on behalf of the Controller, of the patient personal data necessary for the provision of the VRET SaaS service (access to the VR scenario catalog, running of sessions, collection of markers and clinical notes, storage and, where applicable, recording of the virtual environment).
  • Nature: hosting, encryption, storage, indexing, transmission to the patient’s VR headset, and exposure to the Controller for consultation and export.
  • Purpose: support for the Controller’s clinical activity in accordance with the Medical Notice and the therapeutic indications decided by the professional.
  • Duration: for as long as the Main Agreement is in force, plus the export and deletion windows described in section 11.

3. Categories of Data Subjects and Data

Data Subjects: the Controller’s patients who receive therapy supported by the Software.

Categories of personal data processed by VRET on behalf of the Controller:

  • Pseudonymous identifiers: the patient alias chosen by the Controller. VRET does not receive the national ID (DNI), full name, date of birth or any other direct identifier of the patient. If the Controller enters direct identifiers into free-text fields (notes), these will be treated as patient data under this DPA and the Controller is responsible for the decision to enter them.
  • Data concerning health (Art. 9 GDPR): clinical notes, SUDS markers and clinical-event markers, session telemetry, recordings of the virtual environment with the psychologist’s audio and the patient’s audio/behavior. The recording of the virtual environment does not include any real image of the patient.

The legal basis for processing data concerning health is Art. 9(2)(h) GDPR (health care provided by a professional subject to the obligation of secrecy), exercised by the Controller.

4. Obligations of the Processor (VRET)

In accordance with Art. 28(3) GDPR, VRET undertakes to:

  1. Process the data exclusively under documented instructions from the Controller, including those relating to international transfers. These instructions are set out in the Main Agreement, this DPA, the configurable parameters of the Software (plans, retention, recording on/off) and any specific written requests the Controller submits to privacidad [arroba] vret.es.
  2. Ensure that persons authorized to process the data have committed to respect confidentiality through a written agreement and mandatory GDPR training.
  3. Adopt the appropriate technical and organizational measures in accordance with Art. 32 GDPR. Details in Annex II.
  4. Not subcontract another processor without the Controller’s prior authorization. Acceptance of the Main Agreement includes general authorization for the subprocessors listed in Annex III. Any addition or replacement will be communicated with a minimum of 30 days’ notice; the Controller may object on reasoned grounds, in which case the parties will negotiate in good faith; if no agreement is reached, the Controller may terminate the Main Agreement without penalty.
  5. Assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection). Target time: 5 business days from the Controller’s documented request.
  6. Assist the Controller in complying with Arts. 32 to 36 GDPR: security measures, breach notification, impact assessment and, where applicable, prior consultation with the Spanish Data Protection Agency.
  7. Return or delete the data at the end of the contract in accordance with section 11.
  8. Make available to the Controller the information necessary to demonstrate compliance with the Art. 28 obligations and allow reasonable audits (see section 9).
  9. Notify the Controller without undue delay from the moment of detection of any security breach affecting its data. Target time: 24 h from detection.
  10. Not use patient data to train its own or third-party AI models, nor for any purpose other than the provision of the service. This clause is binding and irrevocable for the duration of the Main Agreement.

5. Obligations of the Controller

  1. Collect the patient’s informed consent in accordance with the applicable regulations, including, where appropriate, explicit consent under Art. 9(2)(a) GDPR for the recording of the virtual environment.
  2. Ensure that the processing relies on a valid legal basis (Art. 9(2)(h) or another applicable to its practice).
  3. Configure the Software in accordance with its clinical needs and the regulations applicable to its professional practice, including decisions on which pseudonym to use, which scenarios to deploy and whether to enable recording.
  4. Maintain the confidentiality of credentials and apply the least-access principle among the members of its team.
  5. Communicate to VRET without delay any data subject rights requests and any security breaches it becomes aware of that affect the information hosted in VRET.

6. Support Access (Break-Glass)

In ordinary operation, no member of the VRET team accesses the Controller’s clinical data. Support access by VRET to clinical data only occurs in one of the following cases:

  • Explicit request from the Controller, via ticket or signed email, identifying the scope and duration of the access.
  • Security or availability incident documented in writing, where access is necessary to contain or repair the incident.
  • Legal requirement from a competent authority.

Each access is recorded in an immutable log with: the operator’s identity, justification, scope (resources accessed), start and end time. The Controller is notified of the access (unless legally prohibited). The detailed SOP can be reviewed under NDA on request.

7. Confidentiality and Authorized Personnel

VRET maintains an internal list of personnel authorized to operate the platform. Each member signs a confidentiality undertaking, receives mandatory GDPR training and is subject to the least-access principle. The confidentiality obligation survives the termination of the employment relationship for a period of no less than five (5) years.

8. Subprocessors

The canonical and up-to-date list of subprocessors is Annex III of this DPA. The relationship between VRET and each subprocessor is governed by the corresponding Art. 28(4) DPA, with obligations equivalent to those of this agreement.

Any addition or replacement of a subprocessor affecting patient data will be notified to the Controller with a minimum of 30 days’ notice by registered email and an updated publication in this DPA (Annex III). The Controller may object on reasoned grounds in accordance with section 4.4.

9. Audit and Evidence of Compliance

  1. Security questionnaire: VRET responds to reasonable security questionnaires from the Controller’s DPO within a target time of 10 business days.
  2. Documentation available under NDA: internal security policy, RoPA (Art. 30), DPIA, breach runbook, break-glass SOP, list of subprocessors with copies of the DPAs.
  3. Subprocessor certifications: VRET provides the certifications published by its subprocessors (SOC 2, ISO 27001, where they exist) as evidence of the Art. 32 measures at their layers.
  4. Audit by the Controller: with reasonable notice (no less than 30 days) and on justified grounds, the Controller may carry out a documentary audit. On-site audits of production infrastructure require prior agreement on scope, duration, independent auditor and costs; they may be replaced by the delivery of equivalent reports (SOC 2 Type II, ISAE 3000) where available.

10. Breach Notification

If VRET detects a breach of the security of the personal data processed on behalf of the Controller, it will notify without undue delay, with a target time of 24 hours from detection, by email to the contact address registered by the Controller. The notification will include:

  • Nature and category of the affected data.
  • Estimated volume of data subjects and records affected.
  • Possible consequences and the assessed level of risk.
  • Measures taken or proposed to contain and mitigate.
  • Contact details of the person responsible for the response at VRET.

VRET will assist the Controller with its notification obligations to the Spanish Data Protection Agency (Art. 33) and, where applicable, to the data subjects (Art. 34). The full runbook is available under NDA.

11. Return and Deletion at End of Contract

Upon termination of the Main Agreement, VRET will apply the following cycle:

  • D+0 to D+30: export window. The Controller can download all its data in CSV, JSON or S3 formats (for recordings) from the dashboard or via the API.
  • D+60: operational deletion of the Controller’s data from the production systems.
  • D+67: expiry of the backups containing such data (7-day backup cycle).

Exception: the Controller may instruct VRET in writing to retain the information for the period necessary to comply with its obligations under Law 41/2002 (clinical records, 5 years minimum) or other applicable health regulations. In that case VRET will keep the data in cold storage, inaccessible for operational use, for the indicated period, and will apply deletion at the end.

At the Controller’s request, VRET will issue a signed deletion certificate.

12. Service Continuity

In the event that VRET ceases activity, the Controller will be given a minimum of 90 days’ notice and an export window equivalent to that set out in section 11. VRET undertakes to cooperate in good faith in the migration to the solution the Controller chooses.

13. International Transfers

Patient clinical data is not subject to international transfer outside the European Economic Area in the ordinary operation of the service.

Transfers to subprocessors located in or connected to the United States (Auth0/Okta for support, Stripe for payments, Resend, Cloudflare, Calendly) rely on the EU-US Data Privacy Framework (European Commission Adequacy Decision of 10 July 2023, Art. 45 GDPR) and, additionally, on the Standard Contractual Clauses approved by the Commission (Art. 46(2)(c)) where applicable.

UK Addendum (UK GDPR)

Where the Controller and/or the patients are located in the United Kingdom, the processing falls under the UK GDPR and the Data Protection Act 2018, and the competent supervisory authority is the Information Commissioner’s Office (ICO), not solely the Spanish Data Protection Agency.

UK-to-Spain (EEA) transfers are covered by the UK Government’s adequacy finding for the EEA. Transfers to US subprocessors rely on the UK Extension to the EU-US Data Privacy Framework where the subprocessor is DPF-certified for the UK, or, where a subprocessor is not DPF-certified for the UK, on the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

Where required (health data of UK data subjects processed on a non-occasional basis), VRET will designate a UK Representative under Article 27 UK GDPR. VRET has not yet appointed a UK Representative; it will do so where and when the Article 27 threshold is met.

14. No Use for AI Training

VRET will not use the patient clinical data (notes, SUDS markers, telemetry, psychologist audio, patient audio or behavior, recordings of the virtual environment) to train its own or third-party artificial-intelligence models. This obligation is binding, irrevocable and survives the termination of the Main Agreement with respect to the data VRET has processed.

15. Liability and Limitation

The quantitative limitation of VRET’s liability set out in the Terms of Service applies to this DPA. The limitation will not apply to administrative fines imposed on one party as a sole consequence of an infringement attributable to the other.

16. Term, Amendments, Governing Law and Jurisdiction

This DPA takes effect upon acceptance of the Terms of Service or upon its signature as a separate document, and remains in force for as long as VRET processes data on behalf of the Controller.

Material amendments will be communicated to the Controller by email with a minimum of 30 days’ notice; the Controller may terminate the Main Agreement without penalty if it does not accept the amendments.

This DPA is governed by Spanish law. Disputes are submitted to the jurisdiction set out in the Terms of Service.


Annex I — Description of Processing

ElementDetail
Main purposeClinical support through VR (relaxation, graduated exposure)
Secondary purposeTechnical support, security, aggregated product improvement
Type of processingHosting, encryption, indexing, transmission, storage, export
Categories of data subjectsThe Controller’s patients
Categories of personal dataPseudonym, clinical notes, SUDS, session telemetry, VR environment recordings (optional)
Special categories (Art. 9)Data concerning health (all of the above except the pseudonym)
Controller’s legal basisArt. 9(2)(h) GDPR + Law 41/2002
DurationTerm of the Main Agreement + export and deletion windows

Annex II — Technical and Organizational Measures (Art. 32)

II.A — Technical measures

  • Encryption in transit: TLS 1.2+ mandatory.
  • Encryption at rest: AES-256 on the provider’s disk; additional field-level AES-256-GCM envelope encryption over columns holding sensitive clinical data.
  • Isolation between customers: PostgreSQL Row-Level Security with a NOBYPASSRLS application role.
  • Authentication: SSO/OIDC, MFA support, RS256 JWTs revocable in real time on password change.
  • Application hardening: strict CSP, CSRF protection on public endpoints, rate-limiting, input validation with Pydantic v2 and strict typing, SQL escaping via a parameterized ORM.
  • Backups: encrypted, 7-day retention, within the same EU environment.
  • Error telemetry: with automatic redaction of clinical PII before sending to Sentry.
  • Testing: an automated battery of tenant-isolation tests (Security Gates G1-G9) on every deployment.
  • Patching: dependencies audited with npm audit and pip-audit; critical security patches applied within a target time of 7 days.

II.B — Organizational measures

  • Internal security policy, mandatory GDPR training, least-access principle, hardware MFA on administrative accounts, centralized credential management.
  • Auditable break-glass SOP for any support access to clinical data.
  • Breach response procedure with notification templates for the Spanish Data Protection Agency and the Controller.
  • Offboarding procedure with access revocation within a target time of 24 h.
  • Voluntary designation of a Data Protection Officer.

Annex III — Subprocessors

This is the canonical and up-to-date list. As of the date of this DPA, the authorized subprocessors are the following (any addition or replacement is notified with 30 days’ notice). MailTracker (mailtracker.rayanch.dev) is VRET’s internal infrastructure, not a third-party subprocessor; its SMTP backend (Google) is indeed the actual subprocessor for email delivery:

ProviderFunctionJurisdictionTransfer safeguard
Supabase Inc.Primary PostgreSQL (clinical data)EU — IrelandArt. 28 DPA + SCC for US support
Cloudflare R2Object storage (VR recordings)EUArt. 28 DPA
Hetzner Online GmbHCompute / backend hostingEU — GermanyArt. 28 DPA
Auth0 / Okta Inc.Authentication and SSOEU + US (support)Art. 28 DPA + DPF
Stripe Payments Europe Ltd.Payments (no clinical data)Ireland + USArt. 28 DPA + DPF
vret_redis (self-hosted on Hetzner)Redis cache + pub/sub (no clinical data)EU — GermanyCovered by Hetzner (Art. 28 DPA)
ResendTransactional emailEU + USArt. 28 DPA + DPF
Google LLC (Google Analytics 4)Usage analytics for the public website (with consent only)US + EU — IrelandArt. 28 DPA + DPF
LinkedIn Corporation (Insight Tag)Ad measurement of LinkedIn Ads campaigns (with consent only)US + EU — IrelandArt. 28 DPA + DPF
SentryError telemetry with PII redactionEU — FrankfurtArt. 28 DPA
Cloudflare Inc.CDN, WAF, DNSGlobal with EU jurisdictionArt. 28 DPA + DPF
CalendlyDemo scheduling (no clinical data)USArt. 28 DPA + DPF
Microsoft Corporation (Clarity)Heatmaps and session replays on the public website (with consent only; sensitive inputs masked; the clinical /dashboard panel is excluded and is not recorded)US + EU — IrelandArt. 28 DPA + DPF

Annex IV — Acceptance

Online acceptance of the Terms of Service implies acceptance of this DPA in the version in force at the time of the Controller’s sign-up. Historical versions are retained to evidence the version applicable to each Controller.

If your DPO requires a handwritten or advanced signature (eIDAS), write to us at privacidad [arroba] vret.es with the subject “DPA signature + clinic name” and we will provide the PDF document for signature.