Data Processing Agreement

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

• Data Controller (“Facility”): The care facility or individual subscribing to WellAI services
• Data Processor (“WellAI”): WellAI Inc., operating the WellAI platform at wellai.ca

2. Scope and Purpose

WellAI processes personal data on behalf of the Facility solely for the purpose of providing AI-powered wellness check-in services, including:

• Sending and receiving SMS messages and voice calls to residents
• Analyzing responses for sentiment, mood, and distress indicators
• Generating wellness reports and risk assessments
• Sending alerts to designated staff and family contacts
• Managing medication reminders and scheduling

3. Data Processed

WellAI processes the following categories of personal data:

• Resident names, phone numbers, and room identifiers
• SMS message content and voice call transcriptions
• AI-generated sentiment scores and wellness indicators
• Staff contact information and scheduling data
• Facility configuration and operational data

WellAI does not process medical records, diagnoses, prescriptions, or clinical health information. Medication reminders are based solely on names and times provided by the Facility.

4. WellAI Obligations

• Process personal data only as instructed by the Facility and as necessary to provide the Service
• Implement appropriate technical and organizational security measures (encryption, access controls, audit logging)
• Ensure all personnel with access to personal data are bound by confidentiality obligations
• Not engage sub-processors without prior written consent of the Facility
• Assist the Facility in responding to data subject access requests within 30 days
• Notify the Facility within 72 hours of becoming aware of a personal data breach
• Delete or return all personal data upon termination of the service agreement, at the Facility's choice
• Make available all information necessary to demonstrate compliance with this DPA

5. Facility Obligations

• Obtain valid consent from residents or their legal representatives before enrolling them in WellAI check-ins
• Ensure the accuracy of personal data provided to WellAI
• Promptly notify WellAI of any changes to resident data or consent withdrawals
• Not use WellAI as a substitute for professional medical care, emergency services, or legally mandated monitoring
• Maintain appropriate agreements with any third parties with whom resident data is shared

6. Sub-Processors

WellAI uses the following sub-processors to deliver the Service:

7. Data Retention

• Check-in data (messages, transcripts, sentiment): retained for 12 months from creation
• Resident profiles: retained for the duration of the service plus 30 days
• Audit logs: retained for 24 months
• Aggregated, anonymized data: may be retained indefinitely for service improvement
• Upon termination, all identifiable data deleted within 30 days unless legally required to retain

8. Data Breach Notification

In the event of a personal data breach, WellAI will:

• Notify the Facility within 72 hours of confirmed breach
• Provide details of the breach including affected data, impact assessment, and remediation steps
• Cooperate with the Facility in notifying affected individuals and relevant authorities as required by law
• Take immediate steps to contain and remediate the breach

9. Governing Law

This DPA is governed by the laws of the Province of Ontario, Canada. Disputes shall be resolved in the courts of Ontario.

10. Signatures