Last Updated: March 30, 2026
Legal Review Required. This document is a starting draft intended for review by qualified legal counsel before use with customers. It does not constitute legal advice.
This Data Processing Addendum ("DPA") is incorporated into and forms part of the PawPIMS Master Subscription Agreement ("Agreement") between PawPIMS, LLC ("PawPIMS") and the subscribing Customer. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to data processing matters.
This DPA applies where PawPIMS processes Personal Information on behalf of Customer in its role as a Service Provider under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), or as a Data Processor under other applicable privacy laws.
Customer is the "Business" under CCPA and the "Data Controller" under analogous laws with respect to Personal Information about Customer's clients (pet owners) and employees that Customer submits to or generates through the Service.
PawPIMS is a "Service Provider" under CCPA and a "Data Processor" under analogous laws. PawPIMS processes Personal Information on behalf of Customer solely to perform the Service and as described in this DPA. PawPIMS does not "sell" or "share" Personal Information as those terms are defined under CCPA.
Each Party is independently responsible for its compliance with applicable privacy laws. PawPIMS's obligations under this DPA do not relieve Customer of its obligations as a Business or Controller.
PawPIMS will:
PawPIMS will ensure that personnel authorized to process Personal Information are subject to confidentiality obligations.
PawPIMS will implement and maintain appropriate technical and organizational security measures as described in Section 7.2 of the Agreement to protect Personal Information against unauthorized access, disclosure, alteration, or destruction.
PawPIMS will assist Customer in fulfilling its obligations to respond to data subject rights requests (access, deletion, correction, portability) to the extent PawPIMS has the technical capability to do so. Customer is responsible for identifying and responding to requests from its own clients. PawPIMS will provide Customer with the tools and data exports necessary to fulfill such requests.
Upon termination of the Agreement or upon Customer's written request, PawPIMS will delete or return Customer's Personal Information as described in Section 16.5 of the Agreement and Section 11 of the Privacy Policy.
PawPIMS will reasonably cooperate with Customer in responding to regulatory inquiries, audits, or investigations relating to PawPIMS's processing of Personal Information under this DPA.
Customer represents and warrants that:
Customer authorizes PawPIMS to engage the Subprocessors listed in Exhibit B. PawPIMS will enter into data processing agreements with each Subprocessor that impose data protection obligations substantially equivalent to those in this DPA.
PawPIMS will provide Customer with at least 30 days' advance written notice (via email or in-Service notice) before adding or replacing a Subprocessor that will process Personal Information. If Customer objects to a new Subprocessor on reasonable data protection grounds, Customer must notify PawPIMS in writing within 15 days of receiving notice. The Parties will work in good faith to resolve the objection. If the Parties cannot resolve the objection, Customer may terminate the Agreement with a pro-rated refund of prepaid annual fees for the remaining unused period.
PawPIMS remains responsible to Customer for the performance of its Subprocessors' obligations under this DPA to the same extent PawPIMS would be liable if it performed the processing directly.
PawPIMS will notify Customer without undue delay, and in no event later than 72 hours after becoming aware, of any confirmed security incident involving unauthorized access to Customer's Personal Information ("Security Incident"). The notification will include, to the extent known: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of individuals affected; (c) the categories and approximate volume of Personal Information records involved; (d) the likely consequences; and (e) the measures taken or proposed to address the incident.
PawPIMS will take reasonable steps to contain and remediate confirmed Security Incidents and will keep Customer informed of material developments.
Customer is responsible for notifying its own clients and regulators as required by applicable breach notification laws. PawPIMS will cooperate with Customer's notification obligations upon request.
PawPIMS will maintain records of its processing activities and make them available to Customer upon written request, not more than once per calendar year.
Upon 30 days' advance written notice, no more than once per year (unless a Security Incident justifies additional review), Customer may audit PawPIMS's compliance with this DPA, at Customer's expense. Any on-site audit must be conducted during normal business hours, with minimal disruption to PawPIMS's operations, and subject to confidentiality obligations.
PawPIMS may satisfy Customer's audit rights by providing a current SOC 2 Type II report or equivalent third-party security certification covering the period in question. Customer may conduct an on-site audit only if it reasonably determines that such certification does not address a specific concern.
PawPIMS certifies that it understands its obligations under CCPA and will comply with them. Specifically:
PawPIMS will not process "Sensitive Personal Information" (as defined by CPRA) beyond what is necessary to perform the Service.
This DPA remains in effect for the duration of the Agreement and terminates automatically upon termination of the Agreement. PawPIMS's obligations with respect to Personal Information processed during the term of this DPA survive termination until all such Personal Information is deleted or returned in accordance with Section 3.5.
| Element | Description |
|---|---|
| Subject Matter | Veterinary practice management services |
| Nature of Processing | Storage, retrieval, transmission, generation, and deletion of records in connection with veterinary practice operations |
| Business Purpose | Providing Customer with the PawPIMS Service as described in the Agreement |
| Duration | Duration of the Subscription Term |
| Categories of Data Subjects | Customer's clients (pet owners), employees, and contractors; pets (not natural persons but associated with personal information) |
| Categories of Personal Information | Names; physical and email addresses; phone numbers; financial records; communication records (email and SMS content); electronic signatures; IP addresses; appointment and visit records |
| Sensitive Personal Information | Government-issued identification numbers (if submitted by Customer); financial account numbers (tokenized; not stored by PawPIMS) |
| Special Categories | None; veterinary medicine is excluded from HIPAA |

| Subprocessor | Location | Purpose | Personal Information Processed |
|---|---|---|---|
| Google Cloud Platform (Google LLC) | United States | Cloud hosting, database, compute, storage | All Customer Data |
| Twilio Inc. | United States | SMS delivery | Client phone numbers; SMS message content |
| PayJunction (Everon, LLC) | United States | Payment processing | Billing contact information; tokenized payment data |
| Google LLC (OAuth / Calendar API) | United States | Calendar integration | Authorized User OAuth tokens; appointment data |
Current as of the Last Updated date above. Subject to update with 30 days' notice per Section 5.2.
For questions about this DPA, contact privacy@pawpims.vet.