TEXLINE DATA PROCESSING ADDENDUM
Effective Date: January 17, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Texline Inc. ("Texline" or "Processor") and the healthcare clinic or practice ("Customer" or "Controller") and governs the processing of personal information and personal health information.
1. DEFINITIONS
In this DPA:
- "Controller" or "Custodian" means the Customer, who determines the purposes and means of processing personal information.
- "Processor" or "Information Manager" means Texline, who processes personal information on behalf of the Controller.
- "Personal Information" has the meaning given under PIPEDA and includes any information about an identifiable individual.
- "Personal Health Information" ("PHI") means information about an individual's health or healthcare, as defined under applicable provincial health privacy legislation.
- "Data Breach" means any unauthorized access, acquisition, use, or disclosure of personal information that compromises its security or confidentiality.
- "Sub-processor" means any third party engaged by Texline to process personal information on behalf of the Controller.
2. ROLES AND RESPONSIBILITIES
2.1 Customer (Controller/Custodian)
Customer acknowledges and agrees that:
- Customer is the Controller and Custodian of all personal information and PHI processed through the Service.
- Customer is solely responsible for determining the lawful basis for processing and obtaining all necessary consents and authorizations.
- Customer is responsible for the accuracy, quality, and legality of personal information provided to Texline.
- Customer is responsible for compliance with applicable privacy laws, including PIPEDA and provincial health privacy legislation.
2.2 Texline (Processor/Information Manager)
Texline agrees that:
- Texline acts solely as a Processor and Information Manager, processing personal information only on Customer's behalf.
- Texline will not process personal information for any purpose other than to provide the Service and as instructed by Customer.
- Texline will not sell, rent, or otherwise disclose personal information for its own commercial purposes.
3. PROCESSING INSTRUCTIONS
3.1 Scope of Processing
Texline will process personal information only:
- As necessary to provide the Service described in the Terms of Service
- In accordance with Customer's documented instructions
- As required by applicable law (in which case Texline will inform Customer unless prohibited by law)
3.2 Nature of Processing
Processing activities include:
- Collection and storage of voicemail recordings and transcriptions
- Transmission and storage of SMS messages
- AI-assisted analysis for intent detection and prioritization
- Task management and workflow automation
- Analytics and reporting
3.3 Categories of Data Subjects
- Patients and prospective patients of Customer
- Customer's staff and authorized users
3.4 Types of Personal Information
- Contact information (name, phone number, email)
- Communication content (voicemail messages, SMS messages)
- Appointment information
- Other information provided by Customer or patients through the Service
4. SECURITY SAFEGUARDS
Texline implements and maintains appropriate administrative, technical, and physical safeguards to protect personal information against unauthorized access, disclosure, alteration, or destruction.
4.1 Technical Safeguards
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication mechanisms
- Access controls and role-based permissions
- Regular security testing and vulnerability assessments
- Intrusion detection and monitoring
4.2 Administrative Safeguards
- Employee training on privacy and security
- Confidentiality agreements with personnel
- Documented security policies and procedures
- Incident response plan
4.3 Physical Safeguards
- Secure data center facilities
- Physical access controls
5. SUB-PROCESSORS
5.1 Authorization
Customer authorizes Texline to engage Sub-processors to assist in providing the Service, subject to the requirements of this Section.
5.2 Sub-processor Obligations
Texline will:
- Enter into written agreements with Sub-processors that impose data protection obligations equivalent to those in this DPA
- Remain responsible for the acts and omissions of Sub-processors
- Maintain a list of current Sub-processors available upon request
5.3 Current Sub-processors
Current Sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting | Canada / USA |
| Twilio | SMS/Voice services | USA |
| OpenAI / Anthropic | AI processing | USA |
6. DATA BREACH NOTIFICATION
6.1 Notification
Texline will notify Customer without unreasonable delay (and in any event within 72 hours) upon becoming aware of a Data Breach involving Customer's personal information.
6.2 Information Provided
Notification will include, to the extent known:
- Description of the nature of the breach
- Categories and approximate number of individuals affected
- Categories and approximate number of records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
6.3 Cooperation
Texline will cooperate with Customer and provide reasonable assistance to investigate the breach and fulfill Customer's notification obligations to affected individuals and regulators.
7. DATA SUBJECT REQUESTS
If Texline receives a request from a patient or other data subject regarding their personal information, Texline will:
- Promptly notify Customer of the request
- Direct the data subject to contact Customer
- Provide reasonable assistance to Customer in responding to the request
Customer is responsible for responding to data subject requests and determining the appropriate response.
8. AUDITS AND ASSESSMENTS
Upon reasonable request and subject to confidentiality obligations, Texline will:
- Provide Customer with information necessary to demonstrate compliance with this DPA
- Make available security certifications and audit reports (if available)
- Cooperate with audits conducted by Customer or a third-party auditor, with reasonable advance notice and during normal business hours
9. DATA DELETION AND RETURN
9.1 Upon Termination
Upon termination or expiration of the Terms of Service, Texline will:
- At Customer's request, return or provide Customer with a copy of Customer Data in a commonly used format
- Delete Customer Data within 90 days of termination, unless retention is required by applicable law
9.2 Certification
Upon request, Texline will provide written certification of data deletion.
10. APPLICABLE LAW
This DPA is designed to comply with:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Personal Health Information Protection Act (PHIPA) - Ontario
- Health Information Act (HIA) - Alberta
- Personal Information Protection Act (PIPA) - British Columbia
- Other applicable provincial health privacy legislation
This DPA is governed by the laws specified in the Terms of Service.
11. CONTACT
For questions about this DPA, please contact:
Texline Inc.
Email: info@texline.ai
Address: Toronto, Ontario, Canada