Data Processing Agreement (DPA)

Controller: the customer center or business.

Processor: Halthia (SaaS provider).

This agreement complements the terms of service and governs processing on behalf of the controller under Art. 28 GDPR.

Purpose: delivery of the management service for centers and service businesses, plus related support/security operations.

Halthia acts as management software for professional use.

Scope: strictly necessary processing operations to provide the service (hosting, organization, access, storage, support and security).

Duration: during the main contract term and, after termination, for the period needed for return/deletion or legal retention obligations.

Data categories: identification, contact, administrative/billing data, and any other personal information the customer decides to process through the platform.

Data subjects: clients, prospective clients, professionals and authorized staff of the customer.

Halthia processes personal data only on documented instructions from the customer.

Confidentiality obligations for authorized personnel and access on a need-to-know basis.

Risk-based technical and organizational measures under Art. 32 GDPR.

Reasonable assistance to the controller for data subject rights, DPIAs and regulatory requests where applicable.

Personal data breach notification without undue delay after becoming aware.

Halthia may rely on subprocessors for infrastructure, transactional email, operational analytics, support and payments.

Where international transfers occur, appropriate GDPR safeguards are applied (including standard contractual clauses where applicable).

See the current subprocessor list and purposes at /en/subprocessors.

Halthia processes data according to documented controller instructions, unless otherwise required by applicable law.

Halthia provides reasonably necessary information to demonstrate Art. 28 GDPR compliance and allows reasonable audits under prior notice, confidentiality obligations, and safeguards for service continuity and security.

If an instruction appears to infringe GDPR or other applicable law, Halthia will inform the customer without undue delay.

At termination, customers may request return or deletion according to instructions and legal retention obligations.

Residual backup copies are deleted in line with technical cycles and retention policies.

Current DPA version: 2026-04.

For bilateral PDF signature, custom annexes or legal review: support@halthia.com.

This public version summarizes the processing framework. The executable contractual wording is formalized in customer contracting documentation (order/contract + DPA) or via bilateral signature where applicable.

General legal and privacy framework: /en/privacy, /en/terms, /en/cookies and /en/legal-notice.

Enterprise operational framework: /en/subprocessors, /en/sla and /en/security-incidents.