
Data Processing Addendum
GDPR-Compliant Data Processing Agreement
Document: Data Processing Addendum (DPA)
Version: 1.1
Effective Date: February 8, 2026
Owner: Ruhavyn Legal Team
Classification: Public
PARTIES
This Data Processing Addendum ("DPA") is entered into by and between:
Controller: The entity identified as "Customer" in the applicable Service Agreement ("Customer" or "Controller")
Processor: Healing Sun Haven LLC, doing business as Ruhavyn ("Ruhavyn" or "Processor")
This DPA is incorporated into and forms part of the Master Service Agreement or Terms of Service ("Agreement") between Customer and Ruhavyn for the provision of the Ruhavyn enterprise wellness platform ("Services").
1. DEFINITIONS
1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any national implementing legislation.
1.2 "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
1.3 "Personal Data" means any information relating to a Data Subject that is processed by Ruhavyn on behalf of Customer in connection with the Services.
1.4 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.5 "Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
1.6 "Sub-processor" means any third party engaged by Ruhavyn to process Personal Data on behalf of Customer.
1.7 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Decision 2021/914.
1.8 "UK International Data Transfer Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018.
2. SCOPE AND ROLES
2.1 Scope. This DPA applies to all Processing of Personal Data by Ruhavyn on behalf of Customer in connection with the Services.
2.2 Customer as Controller. Customer is the Controller of Personal Data and determines the purposes and means of Processing.
2.3 Ruhavyn as Processor. Ruhavyn is the Processor and shall process Personal Data only on behalf of and in accordance with Customer's documented instructions.
2.4 Categories of Data Subjects. Data Subjects include Customer's employees, contractors, and other individuals authorized to use the Services.
2.5 Types of Personal Data Processed.
| Category | Data Elements |
|---|---|
| Identity Data | Email address, display name, profile information |
| Wellness Data | Mood entries, diary entries, meditation usage |
| Usage Data | Feature access, session duration, device information |
| Technical Data | IP address, browser type, access logs |
2.6 Purpose of Processing. Ruhavyn processes Personal Data solely to provide the Services as described in the Agreement, including:
User authentication and account management
Delivery of wellness content and features
Generation of aggregated, anonymized analytics
Customer support and troubleshooting
2.7 CCPA/CPRA Provisions. To the extent the California Consumer Privacy Act (as amended by the CPRA) applies to the Processing:
Ruhavyn acts as a "Service Provider" as defined under the CCPA/CPRA
Ruhavyn shall not sell or share Personal Data
Ruhavyn shall not retain, use, or disclose Personal Data for any purpose other than performing the Services, including any commercial purpose other than providing the Services
Ruhavyn shall not combine Personal Data received from Customer with Personal Data received from other sources, except as permitted by the CCPA/CPRA
Ruhavyn certifies that it understands and will comply with the restrictions in this Section 2.7
3. CUSTOMER INSTRUCTIONS
3.1 Documented Instructions. Ruhavyn shall process Personal Data only in accordance with Customer's documented instructions, unless required to do otherwise by Applicable Data Protection Law.
3.2 Scope of Instructions. The Agreement, including this DPA, constitutes Customer's complete instructions for Processing at the time of execution. Additional instructions must be agreed in writing.
3.3 Compliance with Instructions. If Ruhavyn believes an instruction infringes Applicable Data Protection Law, it shall promptly notify Customer and may suspend Processing until the issue is resolved.
4. SECURITY MEASURES (ARTICLE 32)
4.1 Security Commitment. Ruhavyn shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.
4.2 Technical Measures. Ruhavyn implements the following security controls:
| Control | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data |
| Encryption in Transit | TLS 1.3 for all data transmission |
| Access Control | Role-Based Access Control (RBAC) with company-scoped isolation |
| Database Security | Row Level Security (RLS) on 37 tables with 80 policies |
| Authentication | bcrypt password hashing, JWT session management, MFA support |
| API Security | SHA-256 hashed API keys, rate limiting |
| Backup Encryption | AES-256 encrypted backups with 7-day retention |
| Email Encryption | AES-256 field-level encryption on all user emails |
4.3 Organizational Measures. Ruhavyn implements the following organizational controls:
Security awareness training for all personnel
Background checks for employees with data access
Documented security policies and procedures
Regular security assessments and reviews
Incident response procedures
4.4 Audit Logging. Ruhavyn maintains comprehensive audit logs of security-relevant events for 90 days, including administrative actions, authentication events, and API access.
5. SUB-PROCESSORS
5.1 Authorized Sub-processors. Customer authorizes Ruhavyn to engage carefully vetted Sub-processors to provide the Services. All Sub-processors must:
✓ Maintain SOC 2 Type II certification
✓ Comply with ISO 27001 standards
✓ Support GDPR and CCPA compliance
✓ Provide HIPAA-ready infrastructure where applicable
✓ Sign Data Processing Agreements with data protection obligations no less protective than this DPA
Categories of Sub-processors:
| Service Category | Purpose | Security Standards |
|---|---|---|
| Database & Authentication | Secure data storage, user authentication, RLS policies | SOC 2 Type II, ISO 27001, HIPAA-ready |
| Payment Processing | Subscription billing, payment security | PCI DSS Level 1, SOC 2 Type II |
| AI Infrastructure | Therapeutic AI features (non-PHI only) | SOC 2 Type II, enterprise-grade privacy |
| Frontend Hosting | Web application delivery, CDN | SOC 2 Type II, enterprise SLA |
| Enterprise SSO | Single Sign-On infrastructure | SOC 2 Type II certified infrastructure |
5.2 Sub-processor Obligations. Ruhavyn shall:
Enter into written agreements with Sub-processors imposing data protection obligations no less protective than this DPA
Remain liable for Sub-processor compliance
Conduct due diligence on Sub-processor security practices
5.3 Changes to Sub-processors. Ruhavyn shall provide Customer with at least 30 days' prior written notice before engaging a new Sub-processor. Customer may object to a new Sub-processor by providing written notice within 14 days, and the parties shall discuss the objection in good faith.
5.4 Sub-processor List. A complete list of authorized Sub-processors with detailed vendor information, compliance certifications, and locations is provided to Customer upon contract execution. For current Sub-processor information, enterprise clients may contact: info@healingsunhaven.com
6. DATA SUBJECT RIGHTS
6.1 Cooperation. Ruhavyn shall assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:
| Right | Support Provided |
|---|---|
| Access | Data export functionality, support for manual requests |
| Rectification | Self-service profile updates, admin data correction |
| Erasure | Account deletion with complete data purge within 30 days |
| Data Portability | JSON export of all user data |
| Restriction | Account suspension capability |
| Objection | Support for processing limitation requests |
6.2 Data Subject Requests. If Ruhavyn receives a request directly from a Data Subject, it shall promptly redirect the request to Customer unless legally prohibited.
6.3 Response Timeline. Ruhavyn shall respond to Customer's requests for assistance with Data Subject requests within 10 business days.
7. INTERNATIONAL DATA TRANSFERS
7.1 Transfer Mechanisms. For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries not recognized as providing adequate protection, Ruhavyn relies on:
Standard Contractual Clauses (SCCs) — Module Two (Controller to Processor)
Supplementary Measures — Encryption, access controls, and contractual protections
7.2 SCCs Incorporated. The SCCs approved by European Commission Decision 2021/914 are incorporated by reference as Annex I to this DPA. In case of conflict between this DPA and the SCCs, the SCCs shall prevail.
7.3 UK International Data Transfer Addendum. For transfers of Personal Data subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018) is incorporated by reference. The relevant tables of the Addendum shall be completed as follows: the Exporter is the Customer, the Importer is Ruhavyn, and the Approved SCCs referenced are those incorporated under Section 7.2.
7.4 EU Data Residency. Upon request and subject to additional fees, Customer may elect EU data residency for all Personal Data storage.
7.5 Data Location. Primary data processing occurs in the United States. Customer acknowledges and authorizes this transfer.
8. PERSONAL DATA BREACH
8.1 Notification Timeline. Ruhavyn shall notify Customer of any Personal Data Breach without undue delay and within 48 hours of becoming aware of it.
8.2 Breach Information. Notification shall include, to the extent available:
Nature of the Personal Data Breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of Personal Data records affected
Likely consequences of the breach
Measures taken or proposed to address the breach
Contact point for further information
8.3 Cooperation. Ruhavyn shall cooperate with Customer's investigation and remediation efforts and provide reasonable assistance for Customer's notification obligations to supervisory authorities and Data Subjects.
8.4 Documentation. Ruhavyn shall document all Personal Data Breaches, including facts, effects, and remedial action taken.
9. AUDIT RIGHTS
9.1 Audit Information. Upon Customer's written request (no more than once per year), Ruhavyn shall provide:
SOC 2 Type II reports (when available)
Penetration test summaries
Security policy documentation
Completed security questionnaires
9.2 On-Site Audits. Subject to reasonable notice (minimum 30 days), Customer may conduct or commission an audit of Ruhavyn's Processing activities. Such audits shall:
Be conducted during normal business hours
Not unreasonably interfere with Ruhavyn's operations
Be subject to confidentiality obligations
Be at Customer's expense
9.3 Third-Party Audits. Customer may request Ruhavyn engage a mutually agreed third-party auditor. Costs shall be borne by Customer unless the audit reveals material non-compliance.
10. DATA DELETION
10.1 Upon Termination. Upon termination of the Agreement or upon Customer's request:
| Timeline | Action |
|---|---|
| Within 30 days | Delete all Personal Data from active systems |
| Within 37 days | Remove from backup systems (7-day PITR window) |
| Upon request | Provide written certification of deletion |
10.2 Exceptions. Ruhavyn may retain Personal Data to the extent required by Applicable Data Protection Law, provided such data remains protected per this DPA.
10.3 Data Return. Prior to deletion, Customer may request return of Personal Data in a machine-readable format (JSON). Ruhavyn shall provide such export within 30 days.
11. TERM AND SURVIVAL
11.1 Term. This DPA shall remain in effect for the duration of the Agreement and for as long as Ruhavyn processes Personal Data on behalf of Customer.
11.2 Survival. Sections 8 (Personal Data Breach), 9 (Audit Rights), 10 (Data Deletion), and 12 (Liability) shall survive termination of this DPA.
12. LIABILITY
12.1 Limitation. Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.
12.2 Indemnification. Each party shall indemnify the other for damages arising from its breach of this DPA or Applicable Data Protection Law, subject to the limitations in the Agreement.
13. MISCELLANEOUS
13.1 Governing Law. This DPA is governed by the laws specified in the Agreement. For EU Data Subjects, GDPR shall apply regardless of governing law. For UK Data Subjects, UK GDPR shall apply.
13.2 Amendments. Ruhavyn may update this DPA to reflect changes in Applicable Data Protection Law. Material changes shall be notified to Customer with 30 days' notice.
13.3 Conflict. In case of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
13.4 Entire Agreement. This DPA, together with the Agreement and any exhibits (including the SCCs and UK Addendum incorporated by reference), constitutes the complete agreement regarding Processing of Personal Data.
14. CONTACT INFORMATION
Ruhavyn Data Protection Contact
General Inquiries: info@healingsunhaven.com
Support Team: support@healingsunhaven.com
Legal Entity: Healing Sun Haven LLC
For DPA Inquiries: info@healingsunhaven.com
SIGNATURES
This DPA is effective upon Customer's acceptance of the Agreement or separate execution below.
CUSTOMER (CONTROLLER)
Signature: _______________________
Name: _______________________
Title: _______________________
Date: _______________________
HEALING SUN HAVEN LLC (PROCESSOR)
Signature: _______________________
Name: _______________________
Title: _______________________
Date: _______________________
EXHIBIT A: TECHNICAL AND ORGANIZATIONAL MEASURES
The following technical and organizational measures are implemented by Ruhavyn:
A.1 Access Control
Role-Based Access Control (RBAC) with Admin, Member, and Service roles
Company-scoped data isolation via Row Level Security
Multi-factor authentication support via SSO providers
Automatic session expiration and re-authentication requirements
A.2 Encryption
AES-256 encryption for all data at rest
TLS 1.3 encryption for all data in transit
SHA-256 hashing for API keys and sensitive tokens
bcrypt hashing for password storage (via authentication infrastructure)
AES-256 field-level encryption on all user email addresses
A.3 Network Security
Web Application Firewall (WAF)
DDoS protection
Network segmentation between services
HTTPS-only connections enforced
A.4 Database Security
Row Level Security on all 37 data tables
80 security policies enforcing access controls
48 hardened database functions with secured search paths
Parameterized queries preventing SQL injection
A.5 Monitoring & Logging
Real-time security monitoring
90-day audit log retention
Automated alerting for security anomalies
Failed authentication tracking
A.6 Business Continuity
Daily automated backups
7-day Point-in-Time Recovery
Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour
Questions? Contact: info@healingsunhaven.com
More information: https://ruhavyn.com/trust-center
Last reviewed: February 8, 2026
© 2026 Healing Sun Haven LLC. All rights reserved.


