Theralytics Terms of Service

Effective Date: August 27, 2025

These Terms of Service (the “Terms”) are a legally binding agreement between Theralytics, LP (“Theralytics,” “we,” “us,” or “our”) and the entity or person that accesses or uses our websites, mobile applications, and cloud-based software and services (collectively, the “Services”). By accessing or using the Services, you agree to be bound by these Terms. If you are accepting on behalf of a company or other legal entity, you represent that you have authority to bind that entity, and “Customer” or “you” refers to that entity.

If you do not agree to these Terms, do not access or use the Services.


1. Scope; Related Agreements

1.1 Services. Theralytics provides subscription software and related services to healthcare practices, including scheduling, documentation, data collection, reporting, analytics, billing, and revenue cycle tools. Specific features may vary and are described in applicable online materials or an order form, statement of work, or similar document that references these Terms (an “Order”).

1.2 Privacy Policy. Our processing of personal information is described in our Privacy Policy. To the extent of any conflict, these Terms control solely with respect to the use of the Services; privacy rights are governed by the Privacy Policy.

1.3 Business Associate Addendum (HIPAA). If Customer is a Covered Entity or Business Associate and the Services involve access to Protected Health Information (PHI), the parties will enter into a Business Associate Addendum (BAA), which is incorporated by reference when signed by both parties. Where the BAA applies, it governs Theralytics’ use and disclosure of PHI and controls over these Terms in the event of any conflict relating to PHI.

1.4 Data Processing Addendum (Non-PHI). If Theralytics processes Personal Data other than PHI on Customer’s behalf, Theralytics’ Data Processing Addendum (DPA) is attached as Exhibit B and is incorporated into and forms part of these Terms, and governs Theralytics’ processing of such personal data and controls in the event of conflict.

1.5 Third-Party Services. The Services may interoperate with or link to third-party products or services (e.g., clearinghouses, payers, EDI gateways, SMS/email providers, maps, payment processors, app stores). Those third parties are independent of Theralytics and subject to their own terms and privacy notices. Theralytics is not responsible for third-party products or services and makes no warranties about them.


2. Accounts; Eligibility; Authorized Users

2.1 Accounts. To use the Services, Customer must create an account and provide accurate, complete information. Customer is responsible for all activity under its account and for maintaining the confidentiality of credentials. Customer will promptly notify us of any unauthorized use or security incident.

2.2 Eligibility. Customer and its Authorized Users (defined below) must be at least 18 years old and legally capable of entering into contracts. The Services are intended for professional and business use only.

2.3 Authorized Users. “Authorized Users” are Customer’s employees, contractors, or agents whom Customer authorizes to access the Services for Customer’s benefit, subject to these Terms. Customer remains responsible for its Authorized Users’ compliance with these Terms.


3. Customer Data; PHI; Ownership and Licenses

3.1 Customer Data. “Customer Data” means data, content, images, files, and other information that Customer (including Authorized Users) submits to or generates within the Services, including PHI. As between the parties, Customer retains all right, title, and interest in and to Customer Data.

3.2 License to Provide the Services. Customer grants Theralytics a nonexclusive, worldwide, royalty-free license to host, copy, process, transmit, display, and otherwise use Customer Data solely as necessary to provide and improve the Services and as permitted by the BAA (for PHI) and/or DPA (for non-PHI). Theralytics will not use Customer Data to build or train generalized AI models for use outside the Services, nor for targeted advertising or cross-context behavioral advertising.

3.3 Usage Data; De-identification. Theralytics may generate, use, and disclose Aggregated or De-identified Data derived from the Services (including from Customer Data) for legitimate business purposes such as analytics, benchmarking, improving the Services, and developing new features, provided that such data does not identify Customer or any individual and does not include PHI as defined under HIPAA unless de-identified in compliance with 45 C.F.R. § 164.514. Theralytics retains all right, title, and interest in Aggregated or De-identified Data.

3.4 Customer Responsibilities. Customer is solely responsible for the accuracy, quality, and legality of Customer Data, the means by which it acquired Customer Data, and ensuring that Customer has provided all notices and obtained all consents and authorizations required by applicable law (including HIPAA, state privacy laws, and payer rules) for Customer Data to be processed in connection with the Services.

3.5 Clinical Decisions. The Services are administrative tools to support practice operations and are not medical devices or clinical decision support. Customer is solely responsible for clinical decisions, documentation, coding, claims submission accuracy, and compliance with payer rules.


4. Acceptable Use; Restrictions

4.1 Acceptable Use. Customer will use the Services only in accordance with these Terms, the BAA/DPA (as applicable), and applicable laws and regulations (including HIPAA, 42 CFR Part 2 if applicable, state consumer privacy laws (and consumer health data laws, where applicable), the Telephone Consumer Protection Act (TCPA), CAN-SPAM, and anti-spam laws). Customer will not use or configure the Services to engage in prohibited geofencing around healthcare facilities.

4.2 Prohibited Conduct. Customer and Authorized Users will not: (a) copy, modify, create derivative works of, reverse engineer, or attempt to extract source code from the Services; (b) bypass, interfere with, or disable security or access controls; (c) use the Services to infringe or misappropriate others’ rights or to transmit unlawful, harassing, defamatory, or harmful content, malware, or spam; (d) attempt to access the Services to build a competitive product or service or benchmark the Services except as permitted by law; (e) exceed feature, user, or usage limits stated in an Order; (f) interfere with the Services’ operation or other users’ use; (g) upload or transmit payment card data unless expressly permitted in writing; or (h) use automated means (bots, scrapers) except as authorized via published APIs.

4.3 SMS/Email Messaging. If Customer uses messaging features, Customer will obtain legally sufficient consent from recipients, include any required notices (e.g., opt-out instructions), honor opt-outs, and comply with the TCPA, CAN-SPAM, and the CTIA messaging guidelines. Use of SMS may require 10DLC brand/campaign registration and adherence to carrier policies. Theralytics may suspend messaging for unregistered use and pass through carrier fees or fines attributable to Customer’s campaigns.


5. Fees; Trials; Taxes; Changes; Automatic Renewal

5.1 Fees and Billing. Subscription fees and other charges are as stated in the applicable Order or online pricing page. Unless otherwise specified, fees are billed in U.S. dollars and are due upon invoice. Customer must notify Theralytics of any good-faith billing dispute within thirty (30) days of invoice; undisputed amounts remain due. Customer may not set off, withhold, or net payments owed.

5.2 Automatic Renewal & Cancellation. Subscriptions automatically renew for successive terms equal to the initial subscription term unless canceled effective at the end of the then-current term through the account portal or by written notice to support@theralytics.net. We comply with applicable automatic-renewal and negative-option laws (including the federal Restore Online Shoppers’ Confidence Act, the California Automatic Renewal Law, and substantially similar state laws) by providing clear pre-purchase disclosures, obtaining affirmative consent, sending an email acknowledgment at sign-up and renewal reminders for annual plans where required, and offering a simple, cost-effective online cancellation method (e.g., via the Admin portal or by email) that Customer may use at any time. Unless expressly stated in an Order or required by law, cancellations are effective at the end of the then-current term and refunds are not provided for partial terms.

5.3 Free Trial. If Customer is offered a free trial, the trial length will be stated at sign-up. At the end of the trial, the subscription will convert to a paid plan unless canceled before the trial ends. Trials are provided “as is” without warranties and may be modified or terminated at any time.

5.4 Promotional Discounts (Referral Discount). If Customer enters a valid referral code at sign-up or is otherwise verified by Theralytics as a referred customer, Customer will receive a 25% discount on subscription fees for the first three (3) monthly subscription invoices following the Service Start Date (the “Referral Discount”). “Service Start Date” means the start date identified on the Order or, if not specified, the earlier of (i) the date Customer first receives access to the Services in a production environment or (ii) the billing commencement date. “Approved Affiliate” means a referrer approved by Theralytics under an active affiliate/referral program, in good standing and in compliance with its affiliate/referral agreement and Program Policies at the time the referral is credited. The Referral Discount is available only for first-time subscriptions by new customers and does not apply to renewals, seat expansions, upgrades, add-ons, or separate orders by an existing customer or its affiliates. Referral codes must be unique to and issued by Theralytics to the Approved Affiliate, used only for eligible third-party referrals, and may not be publicly posted, resold, shared on coupon sites, or used for self-referrals by Customer, the Approved Affiliate, or their respective affiliates. Referral codes must be entered at sign-up (or verified by Theralytics during order processing) and cannot be applied retroactively to issued invoices. The Referral Discount applies only to recurring subscription fees and excludes implementation/onboarding, add-ons, third-party pass-through fees, usage charges, taxes, and prior balances. The Referral Discount is void where prohibited by law, cannot be combined with other promotions, has no cash value, is non-transferable, and may be withdrawn prospectively if Customer is in default.
Theralytics may deny, reverse, or charge back the Referral Discount if the referring party is not an Approved Affiliate, the code was not issued by Theralytics to that Approved Affiliate, or the code was misused, duplicated, resold, or otherwise applied in violation of these Terms or Program Policies. Theralytics may modify or discontinue promotional discounts prospectively by notice, but changes will not affect discounts already applied to issued invoices. If Customer is a healthcare provider that receives reimbursement from federal or state healthcare programs, Customer is solely responsible for determining and making any disclosures or cost-reporting required in connection with the Referral Discount as a price reduction on administrative/business services. To the extent of any conflict between these promotional terms and an Order, the Order governs with respect to pricing and promotional discounts.

5.5 Price Changes. We may change fees upon at least thirty (30) days’ prior notice, which may be by email or in-product notice, effective on the next renewal term.

5.6 Taxes. Fees are exclusive of sales, use, VAT, GST, and similar taxes. Customer is responsible for such taxes (excluding taxes based on Theralytics’ net income).

5.7 Late Payments; Suspension. Late amounts may accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law. We may suspend or limit the Services for non-payment upon reasonable prior notice. We will not permanently delete Customer Data for non-payment without providing prior notice and a reasonable opportunity to cure.


6. Support; Availability; Changes

6.1 Support. Standard support is provided during posted business hours via channels identified on our website. Enhanced support or service-level commitments may be available by separate agreement. Theralytics aims to substantially conform with WCAG 2.1 AA for customer-facing interfaces and will consider reasonable accessibility feedback for remediation. This statement is not a certification or warranty of compliance and does not apply to third-party content or sites outside the Services.

6.2 Availability; Maintenance. We strive to maintain the Services’ availability but do not guarantee uninterrupted operation. We may perform scheduled maintenance and will use commercially reasonable efforts to minimize disruptions.

6.3 Modifications. We may modify features, update software, or discontinue features that are obsolete, insecure, or low-usage, provided the Services’ core functionality is not materially reduced during a paid term. We will provide notice of material changes where practicable.


7. Security; Compliance; Subprocessors

7.1 Security Program. We maintain appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of the Services and Customer Data, including access controls, encryption in transit, vulnerability management, logging/monitoring, and employee training. Theralytics maintains commercially reasonable technology/errors & omissions and cyber liability insurance; certificates available upon request. We operate a responsible vulnerability-disclosure program and accept reports at security@theralytics.net; good-faith researchers are authorized to test within program bounds.

7.2 Incident Response. In the event of a security incident involving Customer Data, we will notify Customer without undue delay and provide information reasonably necessary for Customer to meet applicable breach-notification obligations, subject to law-enforcement requests and our internal investigations.

7.3 Subprocessors. We may engage third-party subprocessors to support the Services. We will impose data-protection obligations on subprocessors consistent with these Terms and, where applicable, the BAA/DPA. A current list of material subprocessors will be made available upon request. Customer may subscribe to subprocessor-change notifications; notice to the admin email on file satisfies this obligation.


8. Confidentiality

8.1 Definition. “Confidential Information” means non-public information disclosed by either party that is identified as confidential or reasonably should be understood to be confidential (including Customer Data, product roadmaps, pricing, and business information).

8.2 Obligations. The receiving party will use Confidential Information only to fulfill its obligations under these Terms, protect it using reasonable measures, and not disclose it except to personnel and subprocessors who need to know it and are bound by confidentiality obligations at least as protective.

8.3 Exclusions. Confidential Information does not include information that is publicly available without breach, independently developed without use of the discloser’s information, or rightfully obtained from a third party without confidentiality obligations. The receiving party may disclose Confidential Information to the extent required by law, after providing reasonable notice to the discloser (if legally permitted).


9. Intellectual Property; Feedback; Publicity

9.1 Ownership. As between the parties, Theralytics and its licensors own all right, title, and interest in and to the Services, software, documentation, designs, and all related intellectual property. No rights are granted except as expressly stated.

9.2 License. Subject to these Terms and payment of applicable fees, Theralytics grants Customer a limited, nonexclusive, nontransferable, revocable license during the subscription term to access and use the Services for Customer’s internal business purposes.

9.3 Feedback. If Customer provides feedback or suggestions, Theralytics may use them without restriction or obligation.

9.4 Publicity. We may identify Customer as a customer (name and logo) in our customer lists and marketing materials. Customer may opt out by written notice.

9.5 Professional Services. Unless stated otherwise in an Order/SOW: (a) Customer owns Customer-specific deliverables that do not include Theralytics’ pre-existing intellectual property; and (b) Theralytics retains all rights in its platform, tools, and reusable templates, and grants Customer a non-exclusive license to Theralytics IP embedded in deliverables for Customer’s internal use with the Services.


10. Mobile Applications; App Stores

10.1 License. If Customer downloads our mobile app, Theralytics grants Customer a limited, nontransferable license to install and use the app on devices that Customer owns or controls and as permitted by the app store provider’s terms.

10.2 App Store Terms. The app store provider (e.g., Apple, Google) is not a party to these Terms and has no obligation to provide maintenance or support. Customer’s use of the app must comply with the app store terms.

10.3 APIs. Access to any published APIs is subject to documented authentication, rate limits, and usage guidelines. Theralytics may throttle or suspend API access to protect the Services or enforce limits.


11. Disclaimers

11.1 As-Is. Except as expressly stated in an Order, the Services are provided “as is” and “as available.” Theralytics disclaims all warranties, express or implied, including merchantability, fitness for a particular purpose, and non-infringement.

11.2 No Medical or Legal Advice. Theralytics does not provide medical, legal, coding, or reimbursement advice. Customer is solely responsible for clinical judgment, coding accuracy, claims submission, and payer compliance.


12. Limitation of Liability

12.1 Types of Damages. To the maximum extent permitted by law, neither party will be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, revenues, goodwill, or data, even if advised of the possibility of such damages.

12.2 Cap. Except for (a) Customer’s payment obligations, (b) a party’s willful misconduct or violation of the other party’s intellectual property rights, or (c) each party’s indemnification obligations, each party’s aggregate liability arising out of or related to these Terms will not exceed the amounts paid or payable by Customer to Theralytics for the Services giving rise to the claim during the twelve (12) months preceding the event giving rise to the claim.

12.3 Exclusions. The limitations in this Section do not limit liability to the extent prohibited by applicable law.


13. Indemnification

13.1 By Theralytics. Theralytics will defend Customer against third-party claims alleging that the Services, when used as permitted under these Terms, infringe a U.S. patent, copyright, or trademark, and will pay damages and costs finally awarded against Customer (or settlement amounts approved by Theralytics). Theralytics’ obligations do not apply to claims arising from (a) Customer Data; (b) modifications not made by Theralytics; (c) combinations with products or services not provided by Theralytics; or (d) use in violation of these Terms. If the Services become or are likely to become infringing, Theralytics may procure the right for Customer to continue using them, replace or modify them, or, if none is reasonably available, terminate the affected Services and refund prepaid, unused fees.

13.2 By Customer. Customer will defend Theralytics against third-party claims arising from (a) Customer’s use of the Services in violation of law or these Terms; (b) Customer Data (including allegations that Customer Data infringes or violates rights); or (c) messages sent by Customer via the Services in violation of the TCPA, CAN-SPAM, or similar laws, and will pay damages and costs finally awarded (or settlement amounts approved by Customer).

13.3 Conditions. The indemnified party must provide prompt notice, reasonable cooperation, and sole control of the defense and settlement to the indemnifying party, except that the indemnifying party may not settle a claim unless the settlement fully releases the indemnified party and imposes no obligation on it other than the payment of money.


14. Term; Suspension; Termination; Data Return/Deletion

14.1 Term. These Terms are effective from the Effective Date and continue while Customer has an active subscription or otherwise uses the Services.

14.2 Suspension. We may suspend access immediately if we reasonably determine that (a) Customer’s account is overdue; (b) Customer or its Authorized Users pose a security risk, violate these Terms, or use the Services unlawfully; or (c) suspension is necessary to prevent harm. We will restore access when the issue is resolved.

14.3 Termination for Cause. Either party may terminate an Order or the Services for material breach if the breach is not cured within thirty (30) days after written notice. We may terminate immediately for repeated or egregious violations of Section 4 (Acceptable Use).

14.4 Effect of Termination. Upon termination, Customer will stop using the Services and pay all undisputed fees due. If requested within thirty (30) days after termination, we will make available to Customer a one-time export of Customer Data in a commercially reasonable format. Thereafter, we will delete or de-identify Customer Data from active systems and, within ninety (90) days, from routine backups, unless retention is legally required. Our obligations regarding PHI are governed by the BAA. We may condition data export on payment of any overdue amounts and a reasonable data-export fee where extraordinary effort is required. Upon request, Theralytics will provide reasonable transition assistance (e.g., additional exports or coordination with replacement vendors) at then-current professional services rates.

14.5 Survival. Sections that by their nature should survive (including 3, 4, 6.3, 7–9, 11–16) will survive termination.


15. Dispute Resolution; Arbitration; Governing Law

15.1 Informal Resolution. Before filing a claim, the complaining party agrees to first attempt to resolve the dispute by sending a written notice describing the dispute and proposed resolution to the other party. If not resolved within thirty (30) days, either party may proceed to arbitration (or small-claims court for qualifying disputes).

15.2 Binding Arbitration & Class-Action Waiver. Except for the claims identified in Section 15.4 (Excluded Claims), any dispute, claim, or controversy arising out of or relating to these Terms or the Services will be resolved exclusively by final and binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The arbitration will be conducted by a single arbitrator in Miami-Dade County, Florida, unless the parties agree otherwise or the AAA rules require a different location. Each party waives any right to a jury trial and to participate in a class or representative action. The Federal Arbitration Act (FAA) governs the interpretation and enforcement of this Section.

15.3 Public Injunctive Relief. To the extent non-waivable under applicable law (e.g., McGill-type rules), the right to seek public injunctive relief in court is preserved, and any such claim may be stayed pending arbitration of all arbitrable claims.

15.4 Excluded Claims; Equitable Relief. This Section does not apply to claims seeking to enforce or protect intellectual-property rights, confidentiality, or unauthorized access or use of the Services. Either party may seek temporary or preliminary injunctive relief in court to protect its rights pending arbitration.

15.5 Governing Law; Venue. These Terms are governed by the laws of the State of Florida, without regard to conflict-of-laws rules, and by the FAA for arbitration issues. Subject to the arbitration provisions above, the parties consent to exclusive jurisdiction in the state and federal courts located in Miami-Dade County, Florida.


16. Export; Sanctions; Anti-Bribery

Customer represents that neither it nor its Authorized Users are located in, organized under the laws of, or ordinarily resident in any country or region subject to comprehensive U.S. sanctions and that it will not use the Services in violation of U.S. export-control or sanctions laws. Customer will comply with applicable anti-bribery and anti-corruption laws (including the U.S. FCPA and U.K. Bribery Act).


17. Electronic Communications; E-Sign; Notices

Customer consents to receive notices and communications electronically through the Services or by email to the address on file. Customer agrees that electronic agreements, policies, and records satisfy any legal requirements for writings and signatures (E-SIGN). Legal notices to Theralytics must be sent to legal@theralytics.net with a copy to our physical address listed on our website, Attn: Legal.


18. Changes to These Terms

We may update these Terms from time to time to reflect changes in our Services or legal requirements. We will post the revised Terms and update the “Effective Date” above. Material changes will be notified by email or in-product notice at least thirty (30) days before they take effect for existing subscriptions. Continued use after the effective date constitutes acceptance of the changes. Material changes to Section 15 (Dispute Resolution) will not apply to disputes for which a party has given written notice before the change takes effect, nor to the remainder of the then-current subscription term unless Customer affirmatively accepts the change.


19. Miscellaneous

19.1 Entire Agreement; Order of Precedence. These Terms, the Order, the BAA (if any), and the DPA (if any) form the entire agreement and supersede all prior or contemporaneous agreements relating to the Services. In the event of conflict, the following order applies: (1) BAA (for PHI), (2) DPA (for non-PHI personal data), (3) Order, (4) these Terms.

19.2 Assignment. Customer may not assign these Terms without Theralytics’ prior written consent, except to an affiliate or in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee assumes all obligations. Theralytics may assign these Terms without restriction.

19.3 Severability; Waiver. If any provision is held unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will remain in effect. A waiver is effective only if in writing and does not waive any other provision.

19.4 Force Majeure. Neither party is liable for delays or failures caused by events beyond its reasonable control (e.g., acts of God, internet failures, power outages, epidemic, war, labor disputes), but this does not excuse Customer’s payment obligations.

19.5 No Third-Party Beneficiaries. There are no third-party beneficiaries to these Terms.

19.6 Contact. For questions about the Services or these Terms, contact info@theralytics.net or visit the Contact page on our website.

19.7 Independent Contractors. The parties are independent contractors; these Terms do not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship.



Exhibit A – Service-Specific Terms (if applicable)

Clearinghouse & Payer Connectivity.
Where Theralytics facilitates claim submission and remittance, Customer is responsible for payer enrollment (including maintaining current NPIs and credentials), coding accuracy, and timely submission. Theralytics does not guarantee payer approvals, payments, or outcomes.

Messaging Capabilities. For SMS or email reminders or notifications, Customer must obtain opt-in consent from recipients and provide required opt-out mechanisms. Customer is the sender for TCPA/CAN-SPAM purposes. Customer will maintain current 10DLC registrations and accepts pass-through of carrier fees/fines arising from its campaigns.

Beta/Preview Features. Beta features may be offered from time to time for evaluation only, on an “as is” basis, may be modified or discontinued at any time, and are excluded from support and uptime commitments. 

End of Terms



Exhibit B – Data Processing Addendum ("DPA")

This DPA is incorporated into and forms part of the Theralytics Terms of Service (the “Agreement”).

Effective Date: August 22, 2025
Parties: (1) Customer (as defined in the Agreement) acting as Controller/Business (and, where applicable, as a processor/service provider to its own third-party controller); and (2) Theralytics, LP ("Theralytics") acting as Processor/Service Provider/Contractor.

If the Agreement is signed by an entity on behalf of Customer, that entity represents it has authority to bind Customer to this DPA.

1. Purpose and Scope

1.1 Purpose. This DPA sets out the parties’ rights and obligations regarding Theralytics’ Processing of Personal Data on behalf of Customer under the Agreement, excluding PHI (as defined by HIPAA) governed by a separate Business Associate Addendum ("BAA").

1.2 Order of Precedence. In case of conflict relating to Personal Data, the following order applies: (1) BAA (for PHI), (2) this DPA (for non-PHI Personal Data), then (3) the Agreement.

1.3 Definitions. Capitalized terms not defined here have the meanings in the Agreement. “Applicable Data Protection Laws” means all laws, regulations, and binding guidance applying to the Processing of Personal Data under the Agreement, including, as applicable: EU/EEA GDPR, UK GDPR, FADP (Switzerland), and U.S. State Privacy Laws (defined in Section 11).

2. Roles; Processing Instructions

2.1 Roles. For Processing of Personal Data, Customer is Controller (or a processor on behalf of a third-party controller) and Theralytics is Processor (or sub-processor accordingly). For U.S. State Privacy Laws, Customer is Business/Controller and Theralytics is Service Provider/Processor/Contractor.

2.2 Documented Instructions. Theralytics will Process Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and Annex I, unless otherwise required by law (in which case Theralytics will inform Customer unless legally prohibited). Customer shall not instruct Theralytics to Process Personal Data in violation of Applicable Data Protection Laws.

2.3 Customer Responsibilities. Customer is responsible for the lawfulness of Personal Data and its Processing instructions, including providing required notices and obtaining necessary consents/permissions and ensuring a valid Transfer Mechanism (if Customer determines one is needed).

3. Confidentiality and Personnel

3.1 Confidentiality. Theralytics will ensure that persons authorized to Process Personal Data are subject to a duty of confidentiality.

3.2 Training. Theralytics will provide personnel with appropriate privacy and security training commensurate with their roles.

4. Security Measures

4.1 Technical and Organizational Measures. Theralytics will implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II.

4.2 Security by Design. Theralytics will assess risks and adopt safeguards appropriate to the Processing, including access controls, encryption in transit, vulnerability management, change management, logging/monitoring, and secure development practices.

5. Sub-processors

5.1 Authorization. Customer authorizes Theralytics to engage sub-processors to support the Services. A current list of material sub-processors will be maintained by Theralytics and made available to Customer upon request (and may be posted online).

5.2 Obligations. Theralytics will impose data-protection obligations on sub-processors no less protective than those in this DPA, including appropriate Transfer Mechanisms for cross-border transfers. Theralytics remains responsible for each sub-processor’s performance.

5.3 Changes. Theralytics will provide notice of new sub-processors and allow Customer to object on reasonable, documented privacy grounds. If the parties cannot resolve an objection, Customer may terminate the affected Services for convenience and receive a pro-rated refund of prepaid, unused fees. Customer may subscribe to sub-processor change notifications; notice to the admin email on file satisfies this obligation.

6. Assistance; Data Subject Requests

6.1 Assistance. Taking into account the nature of Processing, Theralytics will assist Customer with appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to Data Subject requests and to comply with security, breach notifications, DPIAs, and consultations with supervisory authorities.

6.2 Requests. If Theralytics receives a request directly from a Data Subject, it will, where feasible, promptly redirect the Data Subject to Customer or notify Customer, unless prohibited by law. Theralytics will not respond to such requests except to acknowledge receipt and refer to Customer, or as otherwise instructed by Customer.

7. Personal Data Breach Notification

Theralytics will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed by Theralytics. Such notice will include information reasonably available to Theralytics to assist Customer in meeting any obligations to notify authorities or individuals. Theralytics will take appropriate steps to contain, investigate, and remediate the Breach.

8. Return and Deletion

At Customer’s choice, upon termination or expiry of the Services, Theralytics will delete or return all Personal Data (unless retention is required by law), and will delete existing copies within the timeframes in the Agreement, subject to standard backup retention. Upon request, Theralytics will provide a deletion certification.

9. Audits and Reports

9.1 Reports. Upon request, Theralytics will make available information necessary to demonstrate compliance with this DPA, which may include security summaries, third-party assessments/certifications, and penetration test summaries.

9.2 Audits. Customer (or an independent auditor mandated by Customer) may conduct an audit no more than once annually (and after any Personal Data Breach), with reasonable advance written notice, during normal business hours, and subject to confidentiality and reasonable time, scope, and place limitations. Remote audits and review of documentation will be preferred. On-site audits are limited to areas where Personal Data is Processed and may be chargeable at Theralytics’ reasonable rates for audit support.

10. International Transfers

10.1 Transfers. If Theralytics Processes Personal Data originating from the EEA/Switzerland/UK in a country that does not provide an adequate level of data protection, the parties will rely on a valid Transfer Mechanism as described below.

10.2 EU/EEA – SCCs. The parties incorporate by reference the EU Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914, Module 2 (Controller→Processor), with Customer as data exporter and Theralytics as data importer. The SCCs will apply to the extent of any Restricted Transfer.

  • Clause 9 (sub-processing): Option 2 (general authorization), with notice as set out in Section 5.3.
  • Clause 11: Not applicable.
  • Clause 17: Governing law of Ireland.
  • Clause 18: Courts of Ireland.
  • Annexes I–III: Populated by Annex I–III to this DPA.
  • If the SCCs are replaced or superseded, the newly adopted clauses are deemed incorporated upon their effective date, and the parties will execute updates reasonably required to comply.

10.3 UK – IDTA/Addendum. For Restricted Transfers subject to UK GDPR, the parties incorporate the UK ICO Addendum to the EU SCCs (latest version as of the Effective Date). The Addendum’s Tables are completed by reference to the SCCs and this DPA (including Annexes). The governing law and venue for the Addendum follow UK law and courts unless otherwise mandated.

10.4 Switzerland – FDPIC Addendum. For transfers subject to the Swiss FADP, references to GDPR in the SCCs are to the FADP where applicable, and references to the EU and Member States include Switzerland; the competent authority is the FDPIC.

10.5 Data Privacy Framework (DPF). If Theralytics self-certifies to an applicable EU-U.S./UK-U.S./Swiss-U.S. Data Privacy Framework, the parties may rely on DPF for covered transfers; otherwise, the SCCs and applicable addenda apply.


11. U.S. State Privacy Addendum (Service-Provider Terms)

11.1 Scope. This Section applies to Personal Data subject to U.S. state consumer privacy laws, including California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Virginia (VCDPA), Oregon (OCPA), Texas (TDPSA), and any substantially similar law to the extent applicable (collectively, “State Privacy Laws”).

11.2 Status and Restrictions. Theralytics acts as Service Provider/Processor/Contractor and will:
(a) not Sell or Share Personal Data;
(b) not retain, use, disclose, or otherwise Process Personal Data for any purpose other than the Business Purpose(s) specified in Annex I and the Agreement, including no cross-context behavioral advertising;
(c) not combine Personal Data with other data except as permitted by State Privacy Laws (e.g., to detect security incidents, protect against illegal activity, or for internal use to improve the Services) or as instructed by Customer;
(d) comply with applicable data security obligations;
(e) enable Customer to comply with consumer rights requests and provide reasonable assistance; and
(f) flow down these obligations to authorized sub-processors.

11.3 Certification. Theralytics certifies that it understands and will comply with the restrictions in Section 11.2.

11.4 Assessment and Controls. Upon request, Theralytics will provide information reasonably necessary to demonstrate compliance (e.g., summaries of technical controls). Customer may take reasonable steps to ensure Theralytics uses Personal Data consistent with Customer’s obligations, including exercising audit rights under Section 9.


12. De-identified and Aggregated Data

Theralytics may create and use De-identified or Aggregated information consistent with Applicable Data Protection Laws. Theralytics will take reasonable measures to prevent re-identification and will publicly commit to maintain and use such data only in de-identified/aggregated form.


13. Liability and Indemnity

The parties’ respective liability caps and exclusions in the Agreement apply to this DPA. Any indemnities in the Agreement apply to this DPA to the extent the underlying claim relates to obligations hereunder.


14. Duration; Termination

This DPA remains in effect for the duration of the Agreement and thereafter as long as Theralytics Processes Personal Data on behalf of Customer.


15. Miscellaneous

15.1 No Third-Party Beneficiaries. This DPA creates no third-party beneficiary rights.

15.2 Amendments. Theralytics may propose updates to maintain compliance with law or new Transfer Mechanisms. Material changes will be notified in advance where practicable.

15.3 Severability. If any provision is held invalid, the remainder remains in effect.

15.4 Counterparts; Electronic Signatures. This DPA may be executed electronically and in counterparts.


Annex I – Description of Processing

A. Parties

Data Exporter/Controller: Customer (specified in the Order/Agreement).
Data Importer/Processor: Theralytics, LP, 2423 SW 147th Ave., # 2058, Miami, FL 33185 (or current principal place of business); privacy contact: privacy@theralytics.net.

B. Subject Matter and Duration
Subject Matter: Provision of the Services under the Agreement (practice management, documentation, scheduling, billing/revenue cycle, analytics, communications, mobile apps, customer support).
Duration: Term of the Agreement and post-termination retention as permitted/required by the Agreement and law.

C. Nature and Purpose of Processing
Hosting, storage, retrieval, transmission, display, structuring, analysis, logging/monitoring, support, communications delivery, and other operations reasonably necessary to provide, secure, and improve the Services.

D. Types of Personal Data
Business contact data (names, emails, phone numbers), account/profile data, usage/telemetry data, device and connection data, support tickets, communications metadata (e.g., SMS/email logs), billing/transactional data, and any other data Customer submits to the Services excluding PHI (which is governed by the BAA).

E. Special Categories (if any)
Not anticipated. Customer will not intentionally submit special categories unless permitted by law and instructed.

F. Data Subjects
Customer’s personnel and contractors; end-users authorized by Customer; patients are excluded from this DPA to the extent their information constitutes PHI covered by the BAA.

G. Frequency
Continuous and as initiated by Customer during the term.

H. Transfers
As necessary for global service delivery and support, including to sub-processors identified by Theralytics.


Annex II – Technical and Organizational Measures (TOMs)

The following TOMs are implemented and maintained by Theralytics and may be updated from time to time to reflect evolving risks and industry standards (without materially diminishing protection):

  • Information Security Program. Documented policies; risk assessments; governance with executive oversight.
  • Access Controls. Role-based access; least privilege; SSO/MFA for admin access; unique IDs; periodic access reviews; prompt de-provisioning.
  • Data Security. Encryption in transit (TLS 1.2+); encryption at rest for primary datastores; key management with restricted access; data minimization and segregation.
  • Application Security. Secure SDLC; code review; dependency scanning; static/dynamic testing; change management; environment segregation (dev/test/prod).
  • Vulnerability and Patch Management. Routine scanning; risk-based patching; penetration testing at least annually; remediation tracking.
  • Logging and Monitoring. Centralized logging; alerting for anomalous activities; time-synchronized clocks; retention consistent with legal and business needs.
  • Physical and Infrastructure Security. Hosting with reputable cloud providers; data center certifications (e.g., ISO/PCI/SOC maintained by provider); access controls and environmental safeguards.
  • Business Continuity and Disaster Recovery. Backups; tested recovery procedures; redundancy for critical components; documented RTO/RPO targets appropriate for the Services.
  • Incident Response. Formal plan; defined roles; prompt triage, containment, eradication, and recovery; post-incident reviews.
  • Personnel Security and Training. Background checks as permitted; confidentiality agreements; periodic security/privacy training.
  • Third-Party Management. Due diligence and contractual controls for sub-processors; ongoing reviews; transfer impact assessments where required.
  • Data Subject Rights Enablement. Capabilities and processes to locate, export, correct, and delete Personal Data upon Customer’s verified instruction.
  • Secure Communications. Protections for messaging features; opt-out handling and consent capture made available for Customer configuration.
  • Secure Destruction. Sanitization procedures (e.g., NIST SP 800-88-aligned) for media and logical deletion consistent with backup retention cycles.


Annex III – Authorized Sub-processors (as of Effective Date)

Theralytics may use the following categories of sub-processors (a detailed list, including locations and purposes, is available upon request):

  • Cloud infrastructure & CDN (compute, storage, networking, backup)
  • Database/analytics/monitoring providers
  • Email/SMS/voice communication providers
  • Customer support & ticketing
  • Payment processing
  • Logging & security tooling
  • Document generation and e-signature


Attachment 1 – EU SCCs (Module 2) – Incorporated by Reference

The parties incorporate the SCCs (Commission Implementing Decision (EU) 2021/914) Module 2. Annexes I–III to the SCCs are completed by reference to Annex I–III to this DPA. Conflicts between the SCCs and this DPA are resolved in favor of the SCCs for Restricted Transfers.


Attachment 2 – UK International Data Transfer Addendum – Incorporated by Reference

The parties incorporate the UK ICO Addendum to the EU SCCs (latest version as of the Effective Date). The Addendum’s tables are completed by reference to the Agreement, this DPA, and Annexes I–III.


Attachment 3 – Swiss Addendum – Incorporated by Reference

For transfers subject to the Swiss FADP, the SCCs apply with the modifications in Section 10.4 of this DPA. The competent authority is the FDPIC, and references to the EU and Member States shall be interpreted to include Switzerland.