ProperForm Data Processing Addendum

Last Updated: 4/7/2026

This Data Processing Addendum ("DPA") supplements and is incorporated into the ProperForm Provider Terms of Service ("Terms") between ProperForm, Inc. ("ProperForm") and the provider agreeing to the Terms ("Provider"). This DPA governs ProperForm's processing of Provider Personal Data (as defined below) in connection with ProperForm's provision of the Services to Provider.


1. Definitions

As used in this DPA, the following terms have the meanings below. Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms.

  • "Applicable Privacy Law" means any U.S. federal or state law or regulation governing the privacy, security, or processing of personal data or personal information that applies to the processing of Provider Personal Data under the Terms and this DPA, including without limitation: the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), and any other U.S. state or federal privacy law enacted after the date of this DPA that applies to the processing of Provider Personal Data, as may be in effect from time to time.

  • "Business Purpose" means the specific limited and stated purpose(s) for which ProperForm processes Provider Personal Data on behalf of Provider, as described in Exhibit A to this DPA.

  • "Controller" means the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data, as defined under Applicable Privacy Law (including as the "Business" under the CCPA).

  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, which may include Provider's Team Members, Clients, and other individuals whose data Provider submits to the Services.

  • "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under Applicable Privacy Law. For purposes of this DPA, "Personal Data" refers to Provider Personal Data unless otherwise specified.

  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, adaptation, retrieval, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.

  • "Provider Personal Data" means Personal Data that Provider or its Team Members or Clients submit to, or that ProperForm collects on behalf of Provider through, the Services. Provider Personal Data excludes: (a) Usage Data (as defined in the Terms); (b) Personal Data that ProperForm independently collects from Provider for ProperForm's own purposes as a Controller, such as Provider account registration and billing data, which is governed by ProperForm's Privacy Policy; and (c) to the extent that Provider Personal Data constitutes Protected Health Information, such data is governed by the BAA as provided in Section 2.3 of this DPA.

  • "Security Incident" means any confirmed unauthorized acquisition, access, use, or disclosure of Provider Personal Data that compromises the security, confidentiality, or integrity of such data.

  • "Sensitive Personal Data" means the categories of personal data designated as "sensitive" or "sensitive personal information" under Applicable Privacy Law.

  • "Service Provider" has the meaning given to it under the CCPA, and includes the equivalent role of "Processor" or "Contracted Processor" under other Applicable Privacy Laws.

  • "Subprocessor" means any third party engaged by ProperForm to process Provider Personal Data on behalf of Provider in connection with the Services.


2. Roles and Scope

2.1. Roles.

As between ProperForm and Provider with respect to Provider Personal Data:

(a) Provider is the Controller (or "Business" under the CCPA) and determines the purposes and means of processing Provider Personal Data; and (b) ProperForm is the Service Provider (or "Processor" under other Applicable Privacy Laws) and processes Provider Personal Data solely on behalf of and at the direction of Provider, in accordance with the Terms and this DPA.

2.2. Scope.

This DPA applies to ProperForm's processing of Provider Personal Data in connection with ProperForm's provision of the Services. This DPA does not apply to:

(a) Personal Data that ProperForm processes as a Controller for its own purposes (e.g., account, billing, and usage data), which is governed by ProperForm's Privacy Policy; or (b) Protected Health Information ("PHI") processed by ProperForm under the BAA, except as provided in Section 2.3 below.

2.3. HIPAA Coordination.

To the extent Provider Personal Data includes PHI, the BAA governs ProperForm's processing of that PHI. This DPA applies to Provider Personal Data that does not constitute PHI, as well as to any non-PHI personal data that is processed alongside PHI in the Services. In the event of any conflict between this DPA and the BAA with respect to PHI, the BAA controls.


3. Processing Instructions

3.1. Instructions.

ProperForm will process Provider Personal Data solely: (a) to provide and operate the Services in accordance with the Terms; (b) as further documented in this DPA, the Terms, and any additional written instructions Provider provides to ProperForm from time to time; and (c) as required by Applicable Privacy Law. ProperForm will promptly notify Provider if, in ProperForm's reasonable judgment, a Provider instruction would cause ProperForm to violate Applicable Privacy Law, in which case ProperForm is not required to follow that instruction until it is modified to comply.

3.2. Restrictions on Processing.

ProperForm will not:

(a) sell Provider Personal Data within the meaning of Applicable Privacy Law; (b) share Provider Personal Data for cross-context behavioral advertising or targeted advertising purposes; (c) retain, use, or disclose Provider Personal Data for any commercial purpose other than the Business Purposes specified in Exhibit A, as otherwise set forth in the Terms, or as required by Applicable Privacy Law; (d) retain, use, or disclose Provider Personal Data outside of the direct business relationship between ProperForm and Provider, except as required by Applicable Privacy Law; (e) combine Provider Personal Data with Personal Data obtained from other sources or ProperForm's own interactions with consumers, except as permitted to provide the Services or as otherwise expressly permitted under Applicable Privacy Law; or (f) use Provider Personal Data to train, fine-tune, or otherwise develop artificial intelligence or machine learning models, whether operated by ProperForm or any third party.

3.3. CCPA Certification.

ProperForm certifies that it understands the restrictions set forth in Section 3.2 and will comply with them in accordance with the CCPA.


4. Details of Processing

The subject matter, nature, purpose, duration, categories of Personal Data, and categories of Data Subjects involved in the processing of Provider Personal Data under this DPA are set forth in Exhibit A.


5. Provider Obligations

5.1. Representations and Warranties.

Provider represents and warrants that: (a) it has and will maintain a lawful basis for processing Provider Personal Data, and for disclosing Provider Personal Data to ProperForm, under all Applicable Privacy Laws; (b) it has provided all required notices to, and obtained all required consents from, Data Subjects in connection with Provider's submission of Provider Personal Data to the Services; and (c) its instructions to ProperForm comply with all Applicable Privacy Laws.

5.2. Accuracy and Quality.

Provider is solely responsible for the accuracy, quality, and legality of Provider Personal Data and the means by which Provider acquires it.

5.3. Notice of Changes.

Provider will notify ProperForm of any restrictions on, or changes to, the processing of Provider Personal Data that may affect ProperForm's ability to perform its obligations under the Terms or this DPA.


6. Confidentiality

6.1. Personnel Obligations.

ProperForm will ensure that all ProperForm personnel authorized to process Provider Personal Data are subject to enforceable confidentiality obligations with respect to such data, whether by contract or applicable professional obligation, and that such personnel process Provider Personal Data only in accordance with ProperForm's instructions and this DPA.

6.2. Access Limitation.

ProperForm will limit access to Provider Personal Data to personnel and Subprocessors who have a need to access such data for purposes of providing the Services.


7. Security

7.1. Security Measures.

ProperForm will implement and maintain appropriate administrative, technical, and physical safeguards designed to protect Provider Personal Data against unauthorized or unlawful access, acquisition, use, disclosure, alteration, or destruction. ProperForm's security measures will take into account: (a) the nature, scope, context, and purposes of processing; (b) the sensitivity of the Provider Personal Data involved, including any Sensitive Personal Data; (c) current industry standards and best practices; and (d) the requirements of Applicable Privacy Law.

7.2. Specific Measures.

Without limiting Section 7.1, ProperForm's security program will include, as appropriate to the Services:

(a) encryption of Provider Personal Data at rest and in transit using industry-standard protocols; (b) role-based access controls restricting access to Provider Personal Data to authorized personnel; (c) multi-factor authentication for systems that store or provide access to Provider Personal Data; (d) logging and monitoring of access to and use of Provider Personal Data; (e) workforce training on privacy and information security obligations; and (f) physical security controls for facilities where Provider Personal Data is processed.

7.3. Risk Assessments.

ProperForm will conduct and document periodic risk assessments to evaluate the sufficiency of its security measures, identify risks and vulnerabilities, and implement remediation measures as necessary.

7.4. Provider's Security Responsibilities.

Provider is responsible for implementing appropriate security measures for its own systems, networks, and devices, and for securing Provider Personal Data prior to its transmission to ProperForm through the Services. ProperForm is not responsible for security incidents attributable to Provider's own systems or failures.


8. Subprocessors

8.1. General Authorization.

Provider grants ProperForm a general authorization to engage Subprocessors to process Provider Personal Data in connection with the Services, as provided in this Section 8.

8.2. Subprocessor Obligations.

Before engaging any Subprocessor, ProperForm will ensure that the Subprocessor is bound by a written contract that imposes on the Subprocessor data protection obligations at least as protective of Personal Data as those applicable to ProperForm under this DPA.

8.3. Subprocessor List.

ProperForm will maintain a list of its current Subprocessors available at https://trust.properform.fit/subprocessors.

8.4. Changes to Subprocessors.

ProperForm will provide Provider with prior written notice before adding or replacing a Subprocessor. Provider may object to any such change, based on reasonable data privacy grounds, by providing written notice to ProperForm within 15 days of receiving notification. If the parties cannot resolve the objection through good-faith discussion within 30 days of Provider's objection, either party may terminate the affected Services upon written notice in accordance with the Terms.

8.5. Liability for Subprocessors.

ProperForm remains liable to Provider for the acts and omissions of its Subprocessors with respect to Provider Personal Data to the same extent that ProperForm would be liable if performing the Subprocessor's services directly, subject to the limitations of liability in the Terms.


9. Data Subject Rights

9.1. Assistance.

Taking into account the nature of the processing, ProperForm will, to the extent reasonably practicable, provide Provider with technical and organizational assistance in fulfilling Provider's obligations to respond to Data Subject rights requests under Applicable Privacy Law, including requests to access, correct, delete, port, or opt out of certain processing of Provider Personal Data.

9.2. Data Subject Requests.

If ProperForm receives a rights request directly from a Data Subject that relates to Provider Personal Data, ProperForm will:

(a) promptly notify Provider of the request, including the identity of the requestor and the nature of the request, to the extent permitted by Applicable Privacy Law; and (b) not respond to the request independently except as directed by Provider or as required by Applicable Privacy Law.

ProperForm will cooperate with Provider in responding to any such request within the timeframes required by Applicable Privacy Law.


10. Security Incidents

10.1. Notification.

ProperForm will notify Provider of a confirmed Security Incident without unreasonable delay and, in any event, no later than 72 hours after ProperForm becomes aware that a Security Incident has occurred, to the extent reasonably practicable. Initial notification may be provided before all information specified in Section 10.2 is available; ProperForm will supplement the notification with additional information as it becomes available.

10.2. Notification Content.

Each Security Incident notification will include, to the extent available at the time of notification:

(a) the date(s) on which the Security Incident occurred and was discovered by ProperForm; (b) the nature of the Security Incident, including the categories and approximate number of Data Subjects affected and the categories and approximate volume of Provider Personal Data involved; (c) the likely consequences of the Security Incident; (d) the measures ProperForm has taken or proposes to take to address and mitigate the Security Incident; and (e) the name and contact information of a ProperForm representative from whom Provider may obtain additional information.

10.3. Cooperation.

ProperForm will cooperate with Provider in:

(a) investigating and remediating the Security Incident; (b) Provider's compliance with any notification obligations under Applicable Privacy Law, including notifications to regulatory authorities or affected individuals; and (c) any regulatory inquiries or proceedings related to the Security Incident.

Nothing in this DPA requires or authorizes ProperForm to make any notification to a regulatory authority or to affected individuals on Provider's behalf, except as required by Applicable Privacy Law or expressly agreed by the parties in writing.

10.4. Mitigation.

ProperForm will take all reasonable measures to contain, mitigate, and remediate the Security Incident and to prevent its recurrence.

10.5. Unsuccessful Attempts.

ProperForm may experience routine unsuccessful attempts at unauthorized access, including pings, port scans, failed log-in attempts, denial-of-service attacks that do not result in a system compromise, and similar events that do not meet the definition of a Security Incident. This DPA constitutes advance general notice to Provider of such events, and ProperForm is not required to provide individual notice of each such unsuccessful attempt.


11. Audit Rights

11.1. Compliance Documentation.

ProperForm will maintain documentation of its data protection practices, security measures, and processing activities under this DPA and will make such documentation available to Provider upon written request, no more than once per calendar year absent a confirmed Security Incident.

11.2. Written Questionnaire.

Upon Provider's written request, no more than once per calendar year (absent a confirmed Security Incident), ProperForm will respond to a reasonable written data protection questionnaire regarding ProperForm's security practices and compliance with this DPA. ProperForm will respond within 30 days of receiving the questionnaire.

11.3. Confidentiality of Audit Results.

All documentation, questionnaire responses, and information disclosed to Provider in connection with any audit, assessment, or documentation request under this Section 11 constitute ProperForm's Confidential Information under the Terms and may not be disclosed by Provider to any third party without ProperForm's prior written consent, except as required by Applicable Privacy Law.


12. Return and Deletion of Provider Personal Data

12.1. Upon Termination.

Upon termination or expiration of the Terms or this DPA, subject to the Terms and DPA, ProperForm will, at Provider's written election and to the extent technically feasible:

(a) return to Provider all Provider Personal Data in ProperForm's possession or control in a commercially reasonable, portable format; or (b) delete all Provider Personal Data in ProperForm's possession or control, including Provider Personal Data held by Subprocessors.

12.2. Exceptions.

ProperForm may retain Provider Personal Data after termination solely:

(a) to the extent required by Applicable Privacy Law, in which case ProperForm will continue to protect the retained data in accordance with this DPA and will limit further processing to what is required by law; (b) as part of routine backup or archival systems, provided that retained copies are overwritten and deleted in the ordinary course of ProperForm's backup retention cycle; or (c) in a de-identified or anonymized form that cannot reasonably be re-identified or linked to Provider or any individual.

12.3. PHI.

The return and deletion of PHI are governed exclusively by the BAA and are not subject to this Section 12.


13. CCPA/CPRA Service Provider Provisions

13.1. Service Provider Acknowledgment.

The parties acknowledge and agree that ProperForm processes Provider Personal Data as a "Service Provider" as defined under the CCPA/CPRA, and as a Processor or Contracted Processor as defined under other Applicable Privacy Laws. ProperForm will not engage in any processing activity that would disqualify ProperForm from its status as a Service Provider under the CCPA.

13.2. No Sale or Sharing.

ProperForm will not sell or share Provider Personal Data as those terms are defined under the CCPA, and will not use Provider Personal Data for cross-context behavioral advertising.

13.3. No Combining Data.

ProperForm will not combine Provider Personal Data with personal information received from other sources or collected from ProperForm's own interactions with consumers, except as permitted under the CCPA/CPRA to provide a requested Service or as otherwise expressly permitted by Applicable Privacy Law.

13.4. Notification of Inability to Comply.

ProperForm will notify Provider promptly if ProperForm determines that it can no longer meet its obligations as a Service Provider under the CCPA or under Applicable Privacy Law with respect to Provider Personal Data.

13.5. Provider's Right to Remediate.

Upon written notice to ProperForm that ProperForm is processing Provider Personal Data in a manner inconsistent with this DPA or Applicable Privacy Law, Provider has the right to take reasonable and appropriate steps to remediate such unauthorized processing, including directing ProperForm to cease processing and to return or delete the affected Provider Personal Data.

13.6. Sensitive Personal Data.

To the extent Provider Personal Data includes Sensitive Personal Data, ProperForm will process such data only as necessary to provide the Services and will not use or disclose Sensitive Personal Data for any purpose beyond those permitted for a Service Provider under the CCPA and Applicable Privacy Law.


14. Multi-State Privacy Law Compliance

14.1. General Compliance.

Each party will comply with all Applicable Privacy Laws applicable to that party in connection with the processing of Provider Personal Data.

14.2. Updates for New Laws.

The parties will cooperate in good faith to update this DPA as necessary to comply with newly enacted or amended Applicable Privacy Laws. The parties agree to negotiate in good faith and to execute any required amendments within a reasonable period before the effective date of any new law or amendment applicable to the processing of Provider Personal Data.


15. Term and Termination

15.1. Term.

This DPA is effective as of the effective date of the Terms and will remain in effect for so long as the Terms remain in effect.

15.2. Termination.

This DPA terminates automatically upon termination or expiration of the Terms. Any provisions of this DPA that, expressly or by their nature, are intended to survive termination of the DPA will survive such termination.


16. General Provisions

16.1. Order of Precedence.

In the event of any conflict between this DPA and the Terms with respect to the subject matter of this DPA, this DPA controls. In the event of any conflict between this DPA and the BAA with respect to PHI, the BAA controls.

16.2. Governing Law.

This DPA is governed by the same governing law and subject to the same venue and dispute resolution provisions as the Terms.

16.3. Entire Agreement on Subject Matter.

This DPA, together with the Terms and the BAA, constitutes the entire agreement between the parties with respect to ProperForm's processing of Provider Personal Data. This DPA supersedes and replaces any prior data processing agreements between the parties on the same subject matter.

16.4. Amendments.

This DPA may not be modified except by a written instrument executed by authorized representatives of both parties, except as otherwise expressly provided in the Terms or this DPA (including Section 14.3).

16.5. Severability.

If any provision of this DPA is determined by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision will be enforced to the maximum extent permissible and all remaining provisions will continue in full force and effect.

16.6. Interpretation.

Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms or the BAA, as applicable. Any reference in this DPA to a statutory provision includes that provision.


Exhibit A — Details of Processing

Subject Matter of Processing: ProperForm processes Provider Personal Data in connection with providing and operating the Services to Provider, including hosting, storage, retrieval, and processing of data submitted through the Services.

Nature of Processing: Collection, storage, retrieval, use, disclosure, transmission, combination (as permitted), and deletion of Provider Personal Data.

Business Purpose(s) for Processing:

  • Providing, operating, and maintaining the Services as described in the Terms
  • Enabling Provider to create, store, assign, and deliver therapy plans, exercise programs, and related content to Clients through the Services
  • AI-based transcription of Provider audio and video recordings as part of the Services
  • Enabling Client access to Provider-assigned content and functionality through the client-facing portal of the Services
  • Technical support, security, and maintenance of the Services
  • Security monitoring, fraud prevention, and abuse detection in connection with the Services
  • Generating aggregated and de-identified analytics to improve Service performance, in compliance with Section 3.2(f)

Categories of Provider Personal Data:

  • Provider and Team Member account data: Includes name, email address, job title, professional licensing information, login credentials
  • Client account data: Includes name, email address, login credentials established through Provider's invitation
  • Clinical Data: Includes Client plans, exercise instructions, AI-generated transcriptions, clinical notes, and related content created or assigned by Provider
  • Audio and visual recordings
  • Client PHI and other health information logged by Clients through the Services
  • Technical and device data: Includes IP addresses, device identifiers, log data, browser type, and usage information

Categories of Data Subjects:

  • Provider's employees, contractors, and other Team Members
  • Provider's Clients (individuals to whom Provider provides professional services through the Services)

Duration of Processing: Continuous for the duration of the Terms, subject to the return and deletion provisions of the Terms.