Data Processing Agreement (DPA) & Business Associate Agreement (BAA)

Last updated: May 2026

1. Introduction

This Data Processing Agreement ("DPA") is entered into between GALIMED ("Data Processor") operated by Groupe Business Thérapie, and the Customer ("Data Controller"), hereinafter collectively referred to as the "Parties".

2. Purpose of Processing

The Processor processes personal health data on behalf of the Data Controller in connection with the provision of GALIMED services (AI symptom analysis, prescription management, teleconsultation).

3. Categories of Data Processed

• Identification data (email, name)
• Health data (symptoms, AI diagnoses, prescriptions)
• Connection data (logs, IP addresses)
• Billing data (processed by Stripe/PayPal)

4. Subprocessors

Subprocessor	Purpose	Location
Microsoft Azure	Hosting, Cosmos DB, App Service	France / USA
OpenAI	AI symptom analysis	USA
Stripe	Payments	USA / EU
PayPal	Payments	USA / EU

5. Security Measures

• Encryption in transit (TLS 1.2+) and at rest (Azure Storage Encryption)
• JWT authentication with secrets in Azure Key Vault
• Rate limiting and protection against brute force attacks
• Structured logging with request correlation
• Automated Cosmos DB backups (continuous, 30 days)
• Monitoring via Azure Application Insights

6. Data Transfers

Data is primarily hosted in the European Union (Azure France Central). Transfers to the USA (OpenAI, Stripe) are governed by Standard Contractual Clauses (SCC) and Data Processing Agreements.

7. Business Associate Agreement (HIPAA - USA)

For US healthcare providers subject to HIPAA, this DPA constitutes a Business Associate Agreement (BAA) as defined by 45 CFR § 164.504(e).

GALIMED agrees to:

• Not use or disclose PHI (Protected Health Information) other than as permitted by the BAA or required by law
• Use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the BAA
• Report to the Covered Entity any use or disclosure of PHI not provided for by the BAA
• Ensure any subcontractors agree to the same restrictions and conditions
• Make PHI available to the Covered Entity for amendment and accounting of disclosures
• Make internal practices, books, and records relating to the use and disclosure of PHI available to HHS
• Return or destroy all PHI at termination of the agreement

8. Audit

The Data Controller may request an audit of the Processor's compliance with this DPA. The Processor will provide necessary information and allow audits by an independent auditor bound by confidentiality.

9. Data Breach Notification

The Processor will notify the Data Controller without undue delay (within 72 hours maximum) after becoming aware of any personal data breach.

10. Termination

Upon termination of services, the Processor will return or delete all personal data, except where required by applicable law to retain copies.

11. Governing Law

This DPA is governed by English law. Disputes will be submitted to the competent courts of London, UK, without prejudice to the Data Controller's right to lodge a complaint with the supervisory authority of their country of residence.

12. Contact

For any questions regarding this DPA: contact@groupe-businesstherapie.net