Data Processing Agreement

Last updated April 26, 2026.

This Data Processing Agreement (the “DPA”) forms part of the Terms of Service or other written or electronic agreement (the “Agreement”) between Crystal Peak Dev LLC, a Delaware limited liability company doing business as Slate OR (“Provider”), and the customer entity (“Customer”) that has accepted the Agreement. This DPA governs the processing of Customer Personal Data in connection with the Slate OR scheduling-optimization service (the “Service”).

Scope and important limitations

Slate OR is intentionally designed not to receive Protected Health Information (PHI) as defined under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). Customer represents and warrants that Customer Personal Data transmitted to the Service consists only of de-identified appointment metadata in accordance with HIPAA's Safe Harbor standard (45 C.F.R. § 164.514(b)) and any equivalent applicable law. Customer Personal Data must not include patient names, dates of birth, medical record numbers, contact information, diagnoses, or any other element that identifies, or could reasonably be used to identify, an individual receiving care from Customer. Where Customer elects to supply a pseudonymous patient identifier (Section 2.3), that identifier must satisfy the re-identification-code conditions of 45 C.F.R. § 164.514(c): it must not be derived from or related to information about the individual, and Customer must not disclose the re-identification mechanism to Provider.

Provider is therefore not a Business Associate as defined under 45 C.F.R. § 160.103, and a Business Associate Agreement (BAA) is not required for use of the Service. Customer is responsible for ensuring that data submitted to the Service complies with this Section.

1. Processor relationships

Provider acts as a Processor of Customer Personal Data when Customer is the Controller, and as a Subprocessor when Customer is itself a Processor on behalf of a third-party Controller. Provider will Process Customer Personal Data only on Customer's documented instructions, including with regard to transfers, unless required by applicable law.

2. Processing details

2.1 Subject matter and duration

The subject matter of the processing is the provision of the Service. Processing continues for the term of the Agreement and the period needed for Provider to fulfill its obligations under this DPA.

2.2 Nature and purpose

The nature of the processing is the analysis of de-identified appointment metadata to generate scheduling templates, identify operational patterns, compute summary statistics, and support related Service features. The purpose is to assist Customer in operating its practice more efficiently.

2.3 Categories of data subjects

Customer's authorized users (such as practice administrators, schedulers, and clinicians) and pseudonymously identified patients of Customer's practice (where Customer elects to provide a Customer-generated pseudonymous identifier).

2.4 Categories of personal data

  • Authorized-user account data (name, email, hashed credentials, role)
  • Customer-uploaded appointment metadata (procedure type, scheduled and actual times, duration, treating-clinician identifier, status flags)
  • Optional pseudonymous patient identifier generated by Customer
  • Service usage logs (IP address, user agent, timestamps)

Provider does not receive direct identifiers, contact information, clinical content, financial account numbers, or special categories of personal data as those terms are used in applicable law.
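As an added illustration (not code from Slate OR or Crystal Peak Dev LLC), the following Python checks a batch of appointment rows against the Section 2.4 allowlist before it leaves Customer's environment: unknown columns are rejected outright, every value is scanned for obvious direct identifiers, and the optional pseudonym is required to look like an opaque token rather than a name, record number or date. The column names, status values, identifier patterns and sample rows are assumptions made for this example; the DPA does not prescribe a file format.

```python
"""Customer-side scope check for Section 2.4 uploads (illustrative, hypothetical schema)."""
import re
from datetime import datetime

# Assumed column names for the Section 2.4 fields; the DPA names the
# categories but not a wire format, so these are this example's choice.
ALLOWED_FIELDS = {
    "procedure_type", "scheduled_start", "actual_start", "duration_min",
    "clinician_id", "status", "patient_pseudonym",
}
REQUIRED_FIELDS = {"procedure_type", "scheduled_start", "duration_min", "clinician_id", "status"}
ALLOWED_STATUS = {"scheduled", "completed", "cancelled", "no_show"}
TIMESTAMP_FIELDS = {"scheduled_start", "actual_start"}

# Heuristics for direct identifiers that must never appear in any value.
# Dates are deliberately not pattern-matched: scheduling fields legitimately
# carry dates, so a date-of-birth column is caught by the allowlist instead.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "mrn": re.compile(r"\bMRN\b", re.IGNORECASE),
}
# An opaque token: long enough to be random, no spaces, no punctuation that
# would suggest a name or a formatted record number.
PSEUDONYM_RE = re.compile(r"^[A-Za-z0-9_-]{16,64}$")
MAX_LABEL_LEN = 64  # procedure_type is a code or short label, never free-text notes


def _find_identifier(value: str):
    """Return the name of the first identifier pattern found in value, else None."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.search(value):
            return name
    return None


def validate_row(row: dict) -> list:
    """Return a list of problems; an empty list means the row is within scope."""
    problems = []
    extra = set(row) - ALLOWED_FIELDS
    if extra:
        problems.append(f"fields outside the Section 2.4 allowlist: {sorted(extra)}")
    missing = REQUIRED_FIELDS - set(row)
    if missing:
        problems.append(f"missing required fields: {sorted(missing)}")
    for key, value in row.items():  # scan every value, including unknown columns
        hit = _find_identifier(str(value))
        if hit:
            problems.append(f"{key}: value looks like a direct identifier ({hit})")
    if len(str(row.get("procedure_type", ""))) > MAX_LABEL_LEN:
        problems.append("procedure_type: too long for a code, likely free-text notes")
    for key in TIMESTAMP_FIELDS & set(row):
        try:
            datetime.fromisoformat(str(row[key]))
        except ValueError:
            problems.append(f"{key}: not an ISO 8601 timestamp")
    if "duration_min" in row and not (isinstance(row["duration_min"], int) and row["duration_min"] > 0):
        problems.append("duration_min: must be a positive integer")
    if "status" in row and row["status"] not in ALLOWED_STATUS:
        problems.append(f"status: unknown value {row['status']!r}")
    pseudonym = row.get("patient_pseudonym")
    if pseudonym is not None and not PSEUDONYM_RE.fullmatch(str(pseudonym)):
        problems.append("patient_pseudonym: must be an opaque token, not a name, MRN or date")
    return problems


def validate_batch(rows):
    """Split rows into (accepted_rows, [(index, problems), ...])."""
    accepted, rejected = [], []
    for index, row in enumerate(rows):
        problems = validate_row(row)
        if problems:
            rejected.append((index, problems))
        else:
            accepted.append(row)
    return accepted, rejected


# Constructed sample rows: one in scope, three that must be held back.
SAMPLE_ROWS = [
    {"procedure_type": "COLONOSCOPY", "scheduled_start": "2026-05-04T08:30:00",
     "actual_start": "2026-05-04T08:41:00", "duration_min": 45,
     "clinician_id": "clin-0142", "status": "completed",
     "patient_pseudonym": "p_3f9a1c2e7b4d6a80"},
    {"procedure_type": "KNEE_ARTHROSCOPY", "scheduled_start": "2026-05-04T10:00:00",
     "duration_min": 90, "clinician_id": "clin-0077", "status": "scheduled",
     "patient_name": "Jane Example", "dob": "1981-02-14"},          # extra identifier columns
    {"procedure_type": "FOLLOW_UP call back jane@example.com",
     "scheduled_start": "2026-05-05T09:00:00", "duration_min": 15,
     "clinician_id": "clin-0142", "status": "scheduled"},            # contact detail inside a field
    {"procedure_type": "CATARACT", "scheduled_start": "2026-05-05T13:15:00",
     "duration_min": 30, "clinician_id": "clin-0090", "status": "scheduled",
     "patient_pseudonym": "MRN-00012345"},                          # record number as pseudonym
]

if __name__ == "__main__":
    ok, bad = validate_batch(SAMPLE_ROWS)
    print(f"accepted {len(ok)} row(s)")
    for index, problems in bad:
        print(f"row {index} held back: {'; '.join(problems)}")
```

The allowlist does the heavy lifting: pattern matching only catches identifiers that are smuggled into otherwise-permitted fields, and it cannot recognise a bare name, so free-text columns should never be on the allowlist at all. Rejected rows stay on Customer's side; nothing is sent until the batch is clean.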

3. Confidentiality and personnel

Provider will ensure that personnel authorized to Process Customer Personal Data are subject to written confidentiality obligations and receive appropriate training on their data-protection responsibilities. Access to Customer Personal Data is restricted on a least-privilege basis.

4. Security

Provider implements and maintains technical and organizational measures appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2 or higher).
  • Encryption of data at rest (AES-256 or equivalent, as managed by Provider's hosting and database providers).
  • Logical tenant isolation by Customer practice in application and database layers.
  • Role-based access control with multi-factor authentication for administrative access.
  • Logging of authentication events, administrative changes, and data access for security review.
  • Regular review of vulnerabilities affecting Provider's dependencies and infrastructure.

Provider may update its security measures from time to time provided that the overall level of protection is not materially reduced.

5. Subprocessors

Customer authorizes Provider to engage the subprocessors listed at slateor.com/trust (the “Subprocessor List”). Provider will:

  • Enter into a written agreement with each Subprocessor that imposes data-protection obligations no less protective than those in this DPA.
  • Provide at least thirty (30) days' notice before adding or replacing a Subprocessor by updating the Subprocessor List. Customer may object in writing within fifteen (15) days for legitimate, documented data-protection reasons; the parties will work in good faith to resolve the objection, failing which Customer may terminate the affected portion of the Service for convenience without penalty.
  • Remain liable to Customer for the performance of each Subprocessor's obligations.

6. International transfers

The Service is hosted in the United States. To the extent the Service receives personal data subject to the EU GDPR, the UK GDPR, or the Swiss FADP, the parties incorporate by reference the European Commission's Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 (Module Two, controller to processor, or Module Three, processor to processor, as applicable), together with the UK International Data Transfer Addendum and the Swiss adaptations where required.

7. Data subject rights

Provider will, taking into account the nature of the processing, provide Customer with reasonable assistance through appropriate technical and organizational measures, insofar as practicable, to enable Customer to fulfill obligations to respond to data-subject rights requests under applicable law. If Provider receives a data-subject request directly, Provider will, where lawful, forward the request to Customer and instruct the data subject to contact Customer.

8. Security-incident response

Provider will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer Personal Data. Notification will include, to the extent then known, the nature of the incident, the categories and approximate volume of records affected, the likely consequences, and measures taken or proposed to address the incident and mitigate harm.

9. Audits and assurance

Customer may verify Provider's compliance with this DPA by review of Provider's most recent third-party audit report (when available, e.g., SOC 2) and by submitting reasonable questionnaires no more than once per year. Audit rights extend to inspections of Provider's facilities only where required by applicable law and only after the parties have agreed on scope, timing, and confidentiality protections.

10. Deletion and return

Within thirty (30) days following termination or expiration of the Agreement, Provider will delete or, if requested by Customer in writing, return Customer Personal Data, except to the extent retention is required by applicable law. Backup copies are overwritten in the ordinary course within thirty (30) additional days.

11. Conflicts and order of precedence

In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA controls. The Standard Contractual Clauses (where incorporated) prevail over conflicting terms of this DPA solely to the extent required by applicable law.

12. Liability

Each party's liability arising under or in connection with this DPA, whether in contract, tort (including negligence), or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Customer agrees that any regulatory fines, claims, or losses arising from Customer's breach of the data-scope representations in the Scope and important limitations section above (for example, transmission of PHI to the Service) are excluded from any such liability cap to the extent they are not the result of Provider's breach of this DPA.

13. Term

This DPA takes effect on the date the Agreement takes effect and continues until the later of (a) termination of the Agreement and (b) Provider's deletion of Customer Personal Data pursuant to Section 10.

14. Definitions

Capitalized terms used and not otherwise defined in this DPA have the meanings given to them in the Agreement or in applicable data-protection law (including the EU GDPR, the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act, and other U.S. state privacy laws as applicable). “Customer Personal Data” means personal data transmitted to or stored by the Service on Customer's behalf. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

15. Notices

Notices required under this DPA must be sent to hello@slateor.com for Provider, and to the email address Customer designated for legal notices in the Agreement.


This DPA borrows structural conventions from the Common Paper DPA Standard Terms (CC BY 4.0) and is provided here as a starting point for the Provider–Customer relationship. For an enterprise contract or any DPA that will be signed by counsel, this template should be reviewed by qualified legal counsel. Adapt the Provider entity designation and governing-law references to the actual jurisdiction of formation.