← Back

Data Processing Agreement

Last updated: June 30, 2026

Notice: This DPA is incorporated by reference into the CredVault Terms of Service. If you require a signed copy of this DPA for your records, email hello@sycana.com with your organization name and contact details, and we will provide a countersigned copy.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller (Customer): The organization that has subscribed to the CredVault Service and, in its capacity as a data controller, determines the purposes and means of processing of personal data.

Data Processor (Sycana Health AI LLC): Sycana Health AI LLC, the operator of the CredVault platform, which processes personal data on behalf of the Customer.

2. Subject Matter & Duration

Subject matter: Processing of personal data in connection with the provision of the CredVault credential tracking and compliance management platform to the Customer.

Duration: This DPA takes effect on the date the Customer accepts the Terms of Service and continues until the Customer's account is terminated and all Customer data has been deleted or returned in accordance with this DPA.

3. Categories of Data Subjects & Personal Data

Data subjects: The Customer's authorized users (practice owners, administrators, credentialing coordinators) and the healthcare providers whose credentials are tracked through the Service.

Categories of personal data:

  • Identification data: name, email address, phone number, professional credentials (license numbers, NPI, DEA number, CAQH ID, board certification details);
  • Professional data: employment history, education, training, malpractice history (as provided by the Customer);
  • Sensitive data (where provided and encrypted): Social Security numbers, dates of birth — limited to what is operationally necessary for credentialing;
  • Account data: username, password (hashed), organization affiliation, role, account activity logs.

Special category data: The Service is not intended for the processing of special category data under Article 9 of the GDPR (health data, biometric data, genetic data) except as explicitly related to professional credential information voluntarily provided by the Customer. The Customer shall not upload patient health records or clinical data through the Service.

4. Processing Instructions

The Processor processes personal data only on documented instructions from the Controller, unless required to do so by applicable law. The Controller instructs the Processor to process personal data for the following purposes:

  • Providing the CredVault credential tracking platform, including data storage, retrieval, organization, and display;
  • Sending credential expiration reminders and alerts via email and SMS;
  • Generating reports, summaries, and credential status analyses;
  • Providing AI-powered document parsing services to extract credential data from uploaded files;
  • Processing subscription payments and managing billing;
  • Providing customer support and technical assistance;
  • Maintaining security, audit logs, and access controls.

If the Processor believes an instruction from the Controller violates applicable data protection law, the Processor shall promptly notify the Controller.

5. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller, unless required by law;
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality;
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7);
  • Not engage another processor (subprocessor) without prior specific or general written authorization from the Controller;
  • Assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to data subject rights requests;
  • Assist the Controller in ensuring compliance with obligations regarding security of processing, breach notification, data protection impact assessments, and prior consultation;
  • Delete or return all personal data to the Controller at the end of the Service, at the Controller's choice, and delete existing copies unless retention is required by law;
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits.

6. Subprocessors

The Controller provides general authorization for the Processor to engage subprocessors. The following subprocessors are currently engaged:

SubprocessorPurposeData Location
Amazon Web Services (AWS)Cloud hosting, compute, file storageUnited States
ResendTransactional email deliveryUnited States
TwilioSMS notification deliveryUnited States
StripePayment processing & billingUnited States
AI Document ParsingData extraction from uploaded credential documentsUnited States

The Processor shall provide at least 30 days' prior notice of any changes to subprocessors. The Controller may object to a new subprocessor within 14 days of notice. If the objection is reasonable and cannot be resolved, the Controller may terminate the Service without penalty.

7. Technical & Organizational Security Measures

The Processor maintains the following security measures:

Organizational Measures:

  • Access control policies based on least-privilege and need-to-know principles;
  • Personnel background checks where permitted by law;
  • Confidentiality agreements for all employees and contractors with access to personal data;
  • Security awareness training for all personnel;
  • Incident response plan covering data breach detection, investigation, notification, and remediation.

Technical Measures:

  • Encryption in transit: all data transmitted over public networks is encrypted using TLS 1.2+;
  • Encryption at rest: all data at rest is encrypted using AES-256;
  • Field-level encryption: sensitive provider identifiers are encrypted individually using application-layer encryption;
  • Authentication: JWT-based with per-user token versioning, role-based access control (member, owner, admin);
  • Audit logging: append-only logs of all credential changes, provider modifications, and administrative actions;
  • Network security: infrastructure hosted in AWS VPCs with security groups, network ACLs, and no direct internet access to database servers;
  • Rate limiting on authentication endpoints to prevent brute-force attacks;
  • Automated vulnerability scanning of dependencies and infrastructure.

8. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach;
  • Provide the Controller with sufficient information to allow the Controller to meet its breach notification obligations under applicable law;
  • Cooperate fully with the Controller in investigating and remediating the breach;
  • Document all facts relating to the breach, its effects, and the remedial actions taken.

Notification shall include: (i) the nature of the breach, (ii) categories and approximate number of data subjects and records concerned, (iii) likely consequences, (iv) measures taken or proposed to address the breach, and (v) contact details for the data protection officer or other responsible contact.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling the Controller's obligations to respond to data subject requests under applicable data protection law, including rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection. If a data subject makes a request directly to the Processor, the Processor shall promptly inform the Controller and shall not respond to the request without the Controller's prior authorization.

10. Data Retention & Deletion

Upon termination of the Service, the Processor shall, at the Controller's election, delete or return all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law (e.g., billing records for tax compliance). The Processor may retain aggregated, anonymized data that cannot be linked to an identified or identifiable individual.

11. International Data Transfers

The Processor's infrastructure is located in the United States. For data subjects in the EEA, UK, or Switzerland, the Processor relies on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Module 2: Controller-to-Processor and Module 3: Processor-to-Processor), incorporated by reference into this DPA;
  • For subprocessors: written agreements with each subprocessor containing data protection obligations equivalent to those in this DPA and ensuring appropriate transfer safeguards.

The Controller may request a copy of the executed SCCs and relevant subprocessor agreements by emailing privacy@sycana.com.

12. Liability & Indemnification

Each party's liability arising out of or related to this DPA shall be subject to the limitations set forth in the Terms of Service. The Processor's liability to the Controller for all claims arising under this DPA, regardless of the form of action, shall not exceed the fees paid by the Controller in the 12 months preceding the event giving rise to the claim.

13. Governing Law

This DPA shall be governed by the laws of the State of Delaware, without regard to its conflict-of-laws principles. This is without prejudice to the data protection rights of data subjects under the GDPR or other applicable data protection laws.

14. Contact & Execution

To request a signed copy of this DPA or to discuss any questions, contact: