Data Processing Agreement
Effective: on subscription / contract execution.
This page is the standing Data Processing Agreement (DPA) for Eidolon SaaS customers. It supplements the Terms of Service and applies whenever Eidolon AI acts as Data Processor on the customer's behalf — typically Eidolon Nursery, Care, Clinic, and Research (SaaS mode).
1. Subject matter
Eidolon AI processes personal data on the customer's instructions to provide the contracted Eidolon product. The customer is the Data Controller; Eidolon AI is the Data Processor.
2. Categories of data
Per-product categories are documented on each product's privacy page. For Eidolon Nursery these include children's identity, health, developmental records, attendance, and contact data. For Eidolon Clinic these include patient identity, encounter data, observations, conditions, and prescription data per FHIR R4 resource scope.
3. Duration
For the term of the underlying contract, plus a 90-day grace period for export. After grace, personal data is securely deleted.
4. Sub-processors
The current sub-processor list is on the security page. We notify the customer 30 days in advance of any addition; the customer may object during the notice period.
5. International transfers
Default jurisdiction is UK or EU per customer choice. Where Standard Contractual Clauses apply (e.g., AU customers using UK-hosted Eidolon Care), they are incorporated by reference.
6. Customer rights
- Audit our processing on 30 days' written notice (annually).
- Receive notification of any personal-data breach within 72 hours of our awareness.
- Receive support responding to data subject access requests.
- Export all personal data in machine-readable format on request.
Negotiated terms. Institutional customers (universities, multi-site care groups, national clinical networks) typically request a DPA addendum with negotiated provisions. Email legal@eidolonai.co.uk to start that conversation.