This Data Processing Agreement ("DPA") is entered into between Warp Speed Solutions Inc., a company incorporated in Puerto Rico ("Routina," "Processor") and the customer identified in the applicable Order Form or account ("Customer," "Controller"). This DPA forms part of the agreement between Routina and Customer (the "Agreement") and applies to the processing of personal data in connection with the Routina Service.
1. Definitions
- "Controller" means the entity that determines the purposes and means of processing personal data — in most cases, the Customer.
- "Processor" means the entity that processes personal data on behalf of the Controller — in this context, Routina.
- "Data Subject" means the identified or identifiable natural person to whom personal data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR, CCPA, or other applicable privacy law.
- "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, erasure, or destruction.
- "Protected Health Information" (PHI) means individually identifiable health information as defined under HIPAA.
- "Sensitive Data" means categories of personal data that warrant heightened protection, including health data, financial data, government-issued identifiers, and biometric data.
- "Subprocessor" means any third party engaged by Routina to process personal data on Routina's behalf in connection with the Service.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "CCPA" means the California Consumer Privacy Act.
- "HIPAA" means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.
- "SCCs" means Standard Contractual Clauses approved by the European Commission for international data transfers.
2. Scope and Role of the Parties
This DPA applies to Routina's processing of personal data on behalf of the Customer in connection with the provision of the Service. The Customer acts as the Controller (or Business under CCPA) and Routina acts as the Processor (or Service Provider under CCPA).
The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects relevant to the processing are as follows:
- Subject matter: Provision of the Routina AI orchestration platform
- Duration: For the term of the Agreement and as required for legal retention obligations
- Nature and purpose: Automated processing, storage, and orchestration of operational data across connected systems to enable AI-driven workflow automation
- Types of personal data: Contact information, scheduling data, patient or client records (as configured by the Customer), operational logs, and any other data the Customer chooses to connect via integrations
- Categories of data subjects: Customer's employees, contractors, patients, clients, end-users, and third parties whose data is processed through connected systems
3. Customer Obligations
The Customer represents and warrants that:
- It has a valid legal basis for processing personal data and for instructing Routina to process it on its behalf
- It has obtained all necessary consents, authorizations, and permissions from data subjects required to process and share their data with Routina
- It has provided data subjects with appropriate privacy notices that contemplate processing by Routina as a service provider
- Its instructions to Routina regarding data processing comply with all applicable laws
- It will notify Routina promptly if it becomes aware of any data subject complaint, regulatory inquiry, or potential data breach affecting data processed through the Service
4. Routina's Obligations as Processor
Routina agrees to:
- Process personal data only on documented instructions from the Customer, unless required to do so by applicable law
- Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures as described in Section 8
- Assist the Customer in meeting its obligations regarding data subject rights requests as described in Section 6
- Assist the Customer with data protection impact assessments (DPIAs) where required under Article 35 GDPR
- Delete or return all personal data to the Customer upon termination of the Agreement, as described in Section 12
- Provide all information necessary to demonstrate compliance with obligations under this DPA and applicable law
- Not engage any Subprocessor without prior Customer authorization, except as set forth in Section 7
5. Processing Instructions
Routina processes personal data solely in accordance with the Customer's documented instructions, which are set out in the Agreement, the Order Form, and any additional written instructions provided by the Customer. Routina will promptly notify the Customer if it believes any instruction violates applicable law.
Where Routina is required by applicable law to process personal data other than as instructed, Routina will notify the Customer of that legal requirement before processing (unless the law prohibits such notification on grounds of public interest).
6. Data Subject Rights
Routina will assist the Customer, using appropriate technical and organizational measures, in fulfilling its obligations to respond to data subject requests to exercise rights under applicable law, including:
- Right of access to personal data
- Right to rectification of inaccurate or incomplete data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
Where Routina receives a data subject request directly, it will promptly forward the request to the Customer and refrain from responding to the data subject directly unless authorized by the Customer or required by law.
7. Subprocessors
The Customer provides general authorization for Routina to engage Subprocessors in connection with the Service. Routina will: (a) enter into a written agreement with each Subprocessor imposing data protection obligations at least as stringent as those in this DPA; and (b) remain liable to the Customer for the performance of each Subprocessor's obligations.
Routina maintains a current list of Subprocessors below. Routina will notify the Customer of any intended changes at least 30 days in advance, giving the Customer the opportunity to object. If the Customer objects and the parties cannot resolve the issue, the Customer may terminate the relevant services.
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI language model inference (Claude) | United States |
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage | United States |
| Twilio Inc. | SMS and voice communications | United States |
| Stripe Inc. | Payment processing | United States |
| Slack Technologies LLC | Internal notifications and alerts | United States |
| Google LLC | Workspace integrations, analytics | United States |
8. Security Measures
Routina implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
- Encryption: Personal data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256)
- Access controls: Role-based access controls (RBAC), multi-factor authentication for internal systems, and principle of least privilege
- Audit logging: All agent actions, data accesses, and configuration changes are logged with timestamps and user attribution
- Network security: Firewalls, intrusion detection systems, and regular vulnerability scanning
- Vendor management: Security assessments of Subprocessors and contractual security requirements
- Employee training: Regular privacy and security training for all personnel with access to personal data
- Business continuity: Backup procedures and disaster recovery planning with defined recovery time objectives
- Penetration testing: Regular third-party security assessments and penetration testing
9. Personal Data Breach Notification
In the event Routina becomes aware of a confirmed personal data breach affecting Customer data, Routina will:
- Notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide the Customer with sufficient information to enable it to comply with its own breach notification obligations, including: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of personal data records affected; (d) the likely consequences of the breach; and (e) the measures taken or proposed to address the breach
- Cooperate fully with the Customer and take all reasonable steps to investigate, mitigate, and remediate the breach
The Customer acknowledges that Routina cannot always provide complete information at the time of initial notification. Routina will provide additional details as they become available.
10. HIPAA and Business Associate Agreement
Where the Customer is a "covered entity" or "business associate" as defined under HIPAA and uses the Routina Service to create, receive, maintain, or transmit Protected Health Information (PHI), the parties must execute a separate Business Associate Agreement (BAA) prior to any such use.
Routina's Service infrastructure is designed to support HIPAA compliance requirements, including:
- Administrative, physical, and technical safeguards for PHI as required under the HIPAA Security Rule
- Full audit trail logging of all access to and actions involving PHI
- Minimum necessary access controls limiting PHI exposure to what is required for service delivery
- Procedures for reporting security incidents involving PHI within the timeframes required by the HIPAA Breach Notification Rule
To request a BAA, contact legal@getroutina.com. Do not transmit PHI through the Service until a signed BAA is in place.
11. International Data Transfers
Routina is based in Puerto Rico, United States. Personal data processed through the Service may be transferred to and stored in the United States. Where the Customer is located in the EEA, UK, or another jurisdiction with data transfer restrictions, Routina relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for transfers of EEA personal data to third countries
- UK International Data Transfer Addendum: For transfers from the United Kingdom
- Other lawful mechanisms: As applicable and as agreed between the parties
Customers in the EEA or UK may request execution of SCCs by contacting legal@getroutina.com.
12. Data Retention and Deletion
Routina retains personal data for the duration of the Agreement and as necessary to fulfill legal, regulatory, or contractual obligations. Upon termination of the Agreement:
- Routina will, at the Customer's election, return or securely delete all personal data processed on the Customer's behalf within 90 days of termination
- Routina will provide written confirmation of deletion upon Customer's request
- Backups containing personal data will be purged in accordance with Routina's backup rotation schedule, not to exceed 90 days from the deletion request
- Where retention is required by applicable law, Routina will retain the minimum data necessary and notify the Customer
13. Audits and Assessments
Routina will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice (no less than 30 days), Routina will permit the Customer or its authorized representative to conduct audits or inspections related to Routina's processing of Customer personal data, subject to confidentiality obligations and the following conditions:
- Audits will be conducted during normal business hours and in a manner that minimizes disruption to Routina's operations
- The Customer bears the cost of any audit unless the audit reveals a material breach of this DPA
- Audits may be conducted no more than once per calendar year, except where required by a supervisory authority or following a confirmed data breach
- Routina may satisfy audit requests through provision of third-party security certifications or audit reports (e.g., SOC 2 Type II) where available
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement. To the extent permitted by applicable law, Routina's aggregate liability under this DPA shall not exceed the greater of: (a) the fees paid by the Customer to Routina in the 12 months preceding the incident giving rise to the claim, or (b) $10,000 USD.
Nothing in this DPA limits either party's liability where such limitation is not permitted by applicable data protection law.
15. Term and Termination
This DPA is effective from the date the Customer accepts the Agreement and continues until the termination of the Agreement. Termination of the Agreement shall automatically terminate this DPA. Provisions that by their nature survive termination — including obligations related to data deletion, confidentiality, and liability — will remain in effect following termination.
16. Contact and Execution
For data protection inquiries, requests to execute SCCs, or to initiate a Business Associate Agreement, please contact:
Warp Speed Solutions Inc. (Routina) — Data Protection
Privacy & DPA inquiries: privacy@getroutina.com
Legal & BAA requests: legal@getroutina.com