DPA Full Text

The complete text of our standard Data Processing Agreement. Suitable for procurement review.

Section 0

Preamble

This Data Processing Agreement (the "DPA") is entered into between Wealth in Motion PT LLC, a California limited liability company doing business as "The Home Health Pro" ("Provider"), and the educational institution that has executed an order form, master services agreement, or other ordering document with Provider that incorporates this DPA by reference ("Institution"). Provider and Institution are each a "Party" and together the "Parties."

This DPA governs Provider's processing of Personal Data and Education Records on behalf of Institution in connection with the Services and supplements the underlying agreement. Where the underlying agreement is silent or conflicts with this DPA on matters of data protection, this DPA controls.

Section 1

Definitions

"Education Records" has the meaning given in 20 U.S.C. § 1232g and 34 CFR § 99.3.

"FERPA" means the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99, each as amended.

"Personal Data" means any information relating to an identified or identifiable natural person that Provider processes on behalf of Institution under the Services, including without limitation Education Records and personally identifiable information from Education Records ("PII from Education Records").

"Personal Data Breach" means a confirmed breach of security leading to the unauthorized acquisition, access, use, disclosure, alteration, or destruction of Personal Data.

"Services" means the curriculum platform and related services provided by Provider to Institution under the underlying agreement.

"Subprocessor" means any third party engaged by Provider to process Personal Data on behalf of Institution.

Capitalized terms used but not defined in this DPA have the meanings given in the underlying agreement.

Section 2

Scope and roles

2.1 Institution is and remains the controller of Education Records and other Personal Data submitted to or generated by the Services in connection with Institution's use. Provider processes Personal Data only on behalf of Institution and only for the purposes set out in this DPA and the underlying agreement.

2.2 Subject matter of processing

Provision of a curriculum platform for the delivery, tracking, and grading of physical therapy education to Institution's enrolled students.

2.3 Duration

For the term of the underlying agreement and any wind-down period required to return or delete Personal Data.

2.4 Categories of data subjects

Students, faculty, program directors, instructors, and other authorized users designated by Institution.

2.5 Categories of Personal Data

Name, school email address, role, organization, cohort, program assignment, password hash or SSO identifiers, course progress, quiz attempts and scores, activity responses, discussion entries, saved home exercise programs, resource downloads, instructor feedback, and audit log entries.

Section 3

FERPA school official designation

3.1 Institution designates Provider as a "school official" with a "legitimate educational interest" in Institution's Education Records under 34 CFR § 99.31(a)(1)(i)(B). Provider:

  • (a) Performs a service for Institution that Institution would otherwise use its employees to perform;
  • (b) Is under the direct control of Institution with respect to the use and maintenance of Education Records;
  • (c) Uses Education Records only for the purposes for which they are disclosed; and
  • (d) Does not redisclose PII from Education Records to any other party without the prior written authorization of Institution or another applicable FERPA exception.

3.2 Provider acknowledges that PII from Education Records is subject to the same protections under this DPA whether processed in the United States or elsewhere, and whether processed by Provider or by a Subprocessor.

Section 4

Permitted use

4.1 Provider processes Personal Data solely to provide and improve the Services, to comply with documented instructions of Institution, and to comply with applicable law.

4.2 Provider shall not:

  • (a) Sell, lease, or rent Personal Data;
  • (b) Use Personal Data for behavioral advertising or to build a profile of any data subject for any purpose other than providing the Services;
  • (c) Use Personal Data, including content submitted by students, to train artificial-intelligence models for any third party; or
  • (d) Combine Personal Data with personal data from any other source for any purpose not necessary to provide the Services.

4.3 Provider may use de-identified or aggregated data derived from the Services for the purpose of operating, improving, and securing the Services, provided that such data cannot reasonably be used to identify any data subject and is not re-identified.

Section 5

Subprocessors

5.1 Institution authorizes Provider to engage Subprocessors to process Personal Data, subject to this Section 5. The current list of Subprocessors is published at thehomehealthpro.com/privacy/subprocessors.

5.2 Provider shall enter into a written agreement with each Subprocessor that imposes obligations on the Subprocessor that are no less protective of Personal Data than those imposed on Provider under this DPA.

5.3 Provider shall give Institution at least thirty (30) days' advance notice before adding or replacing a Subprocessor that processes PII from Education Records, by updating the published list and by email to Institution's designated privacy contact where that contact has subscribed to subprocessor notifications.

5.4 Institution may object in writing to a new Subprocessor on reasonable data-protection grounds within the notice period. The Parties shall work in good faith to resolve the objection, including by offering an alternative configuration where feasible. If unresolved, Institution may terminate the affected portion of the Services.

Section 6

Security measures

6.1 Provider shall implement and maintain administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Provider's current safeguards include:

  • (a) Encryption of Personal Data in transit using TLS and at rest using libSQL encryption;
  • (b) Role-based access control with least-privilege defaults;
  • (c) Multi-factor authentication for production system access by Provider personnel;
  • (d) Three-environment isolation (development, staging, production) with non-shared credentials;
  • (e) Audit logging of access to Personal Data;
  • (f) Rate limiting and monitoring for abusive traffic;
  • (g) Periodic backup of production databases with encrypted storage and rolling 90-day retention.

6.2 Provider shall maintain a written information security program and shall update its security measures from time to time to reflect evolving threats and best practices. The current public summary is at thehomehealthpro.com/security.

Section 7

Personnel confidentiality

Provider shall ensure that personnel authorized to process Personal Data are bound by appropriate written confidentiality obligations and have received training in their data-protection and FERPA responsibilities. Provider limits access to Personal Data to personnel who require access to perform the Services.

Section 8

Personal Data Breach notification

8.1 Provider shall notify Institution's primary contact in writing without undue delay, and in any event no later than seventy-two (72) hours after Provider confirms a Personal Data Breach affecting Institution's data.

8.2 The notification shall include, to the extent then known: (a) the nature of the incident; (b) the categories and approximate number of data subjects and records affected; (c) the likely consequences; (d) the measures taken or proposed to address the incident and mitigate its effects; and (e) recommended actions for Institution. Provider shall provide additional information as it becomes available.

8.3 Notification will not be construed as an acknowledgment of fault or liability. Institution remains responsible for determining whether the incident triggers notification obligations to data subjects, regulators, or other parties under applicable law.

Section 9

Inspection and student rights

9.1 Institution remains responsible under FERPA for responding to requests by students or eligible parents to inspect, review, correct, or seek removal of Education Records. Provider shall cooperate with Institution as reasonably necessary to fulfill those requests, including by providing exports of Personal Data on Institution's instruction.

9.2 If a data subject contacts Provider directly with a rights request, Provider shall, where legally permitted, refer the data subject to Institution and notify Institution of the contact.

Section 10

Audit rights

10.1 Institution may audit Provider's compliance with this DPA once per contract year, on no less than thirty (30) days' prior written notice, during normal business hours, and in a manner that does not unreasonably interfere with Provider's operations. Audits may be conducted by:

  • (a) Completing Provider's pre-filled HECVAT response;
  • (b) Reviewing Provider's written security policies and applicable third-party reports; or
  • (c) Engaging a qualified independent auditor at Institution's expense, subject to Provider's reasonable confidentiality requirements.

10.2 Provider shall make available to Institution, on request, an export of audit-log entries scoped to Institution's organization.

Section 11

International transfers

Personal Data is processed and stored in the United States. Provider shall not transfer Personal Data outside the United States without Institution's prior written consent. If Provider becomes subject to a legal obligation to transfer Personal Data outside the United States, Provider shall promptly notify Institution where lawfully permitted.

Section 12

Return and deletion

12.1 On termination or expiry of the underlying agreement, and in any event on Institution's written request, Provider shall:

  • (a) Make available to Institution, for a period of thirty (30) days, an export of Personal Data in a structured, commonly used format;
  • (b) Delete all Personal Data from Provider's production systems within thirty (30) days of the later of termination or Institution's deletion request;
  • (c) Allow encrypted backup copies to age out per Provider's rolling 90-day backup retention, after which no further copies are retained.

12.2 Provider may retain Personal Data to the extent and for as long as required by applicable law, in which case the retained Personal Data remains subject to the protections of this DPA.

Section 13

Term and termination

This DPA takes effect on the effective date of the underlying agreement and remains in force for the term of that agreement and any wind-down period required by Section 12. Termination of the underlying agreement automatically terminates this DPA, except that the obligations of Sections 4, 6, 7, 8, 9, 12, and 15 survive termination to the extent necessary to wind down processing.

Section 14

Order of precedence

In the event of a conflict between this DPA and the underlying agreement on matters of data protection, this DPA controls. In the event of a conflict between this DPA and an applicable state-specific addendum signed by both Parties, the state-specific addendum controls.

Section 15

Governing law

This DPA is governed by the laws of the State of California, without regard to its conflict of laws principles. The Parties consent to the exclusive jurisdiction of the state and federal courts located in Los Angeles County, California, except that where Institution is a public entity that cannot legally consent to forum or governing law of this kind, the governing law and forum of the underlying agreement control.

Section 16

Notices

Notices to Provider under this DPA must be sent in writing to legal@thehomehealthpro.com. Notices to Institution are sent to the privacy contact designated in the underlying agreement, or in the absence of such designation, to Institution's primary contact on file.

Section 17

General

17.1 Liability. Each Party's liability arising out of or related to this DPA is subject to the limitations and exclusions of the underlying agreement, except as required otherwise by applicable law.

17.2 Severability. If any provision of this DPA is held unenforceable, the rest remains in effect.

17.3 Counterparts. This DPA may be executed in counterparts, including by electronic signature, each of which is an original and all of which together constitute one agreement.

17.4 Entire agreement. This DPA, together with the underlying agreement and any executed state-specific addendum, is the entire agreement of the Parties on its subject matter and supersedes any prior communications.

Section 18

Signatures

The Parties have executed this Data Processing Agreement effective as of the date last signed below.

Provider
Wealth in Motion PT LLC
dba The Home Health Pro
Signature: _______________________________
Name: _______________________________
Title: _______________________________
Date: _______________________________

Institution
___________________________
Signature: _______________________________
Name: _______________________________
Title: _______________________________
Date: _______________________________

Last updated: May 6, 2026