Legal

Data Processing Addendum

Version 2026-07-03.3 · Chordae, a product of Apex Medical Enterprises
Draft pending final legal review. A signable copy is available on request.

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Apex Medical Enterprises (“Chordae,” “we”) and the customer organization (“Customer,” “you”) and applies to our processing of Customer Personal Data on your behalf.

No patient data. The Service is not intended for and must not contain Protected Health Information (PHI). This DPA does not make Chordae a HIPAA business associate, and no Business Associate Agreement is offered.

1. Roles

For personal data of your staff and users processed through the Service (“Customer Personal Data”), you are the controller/business and Chordae is the processor/service provider. You are responsible for the lawfulness of the data you provide.

2. Scope & purpose

We process Customer Personal Data only to provide, secure, and support the Service, and on your documented instructions (which include these Terms and your use of the Service’s features).

3. No sale; limited use (service-provider terms)

We will not sell or share Customer Personal Data, and will not retain, use, or disclose it for any purpose other than providing the Service or as permitted by applicable law. We will not combine it with data from other sources except as needed to provide the Service. We may use aggregated or de-identified data that does not identify you or any individual.

4. Confidentiality & security

Personnel with access to Customer Personal Data are bound by confidentiality obligations. We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect the data, including encryption in transit, hashed passwords, access controls, and regular backups.

5. Sub-processors

You authorize us to engage sub-processors to help provide the Service. We maintain a current list at /subprocessors, impose data-protection obligations on them, and remain responsible for their performance. We will provide a mechanism to be notified of new sub-processors, and you may reasonably object.

6. Assisting you

Taking into account the nature of the processing, we will provide reasonable assistance to help you respond to data-subject or consumer rights requests and to meet your security, breach-notification, and assessment obligations.

7. Security incidents

We will notify you without undue delay after becoming aware of a confirmed breach of security leading to unauthorized acquisition of Customer Personal Data in our control, and will provide information reasonably available to help you meet your notification obligations.

8. Deletion & return

On termination, we will, at your request and within a commercially reasonable period, delete or return Customer Personal Data, except as required to be retained by law.

9. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA (including summaries of our security practices and any third-party reports we maintain). On-site audits are limited to reasonable frequency, scope, and notice, subject to confidentiality.

10. International transfers

The Service and its sub-processors are operated in the United States. If Customer Personal Data of individuals outside the U.S. is provided, the parties will implement a lawful transfer mechanism where required.

11. Liability, precedence & term

This DPA is subject to the limitation of liability in the Terms of Service. In case of conflict on data-processing matters, this DPA controls over the Terms. It remains in effect while we process Customer Personal Data. Governed by the laws of the State of Texas.

12. Contact

Apex Medical Enterprises — admin@apexmedicalenterprises.com