Effective Date: July 3, 2026
Last Updated: July 3, 2026
Version: 2.0
Introduction
This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the agreement for services between MHC Information Services, LLC ("MHCIS," "we," "us") and the customer that accepts it ("Customer," "you") (the "Agreement"). This DPA governs the Processing of Personal Data that MHCIS performs on your behalf in connection with the services described in the Agreement (the "Services").
Where MHCIS Processes Personal Data on your behalf, you act as the Controller (or Business) and MHCIS acts as the Processor (or Service Provider). This DPA reflects the requirements of the applicable data protection laws described below and sets out the parties' respective obligations.
If there is a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls.
Purpose
This DPA:
- Identifies the roles of the parties and the applicable data protection laws
- Defines the nature, purpose, and duration of Processing
- Specifies the types of Personal Data and categories of Data Subjects
- Sets out MHCIS's obligations when acting as a Processor and Service Provider
- Establishes terms for subprocessors, international transfers, security, breach notification, and the return or deletion of Personal Data
Applicability
This DPA applies when:
- You engage the Services and make Personal Data available to us
- We Process Personal Data on your behalf under the Agreement
- The Processing is subject to one or more Data Protection Laws described below
Definitions
Capitalized terms not defined here have the meaning given in the applicable Data Protection Laws or the Agreement.
- "Data Protection Laws": All laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); the GDPR as incorporated into the law of the United Kingdom ("UK GDPR") together with the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection ("FADP"); the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and other U.S. state privacy laws, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, in each case to the extent applicable.
- "Controller": The entity that determines the purposes and means of the Processing of Personal Data. Under the CCPA/CPRA, this corresponds to a "Business."
- "Processor": The entity that Processes Personal Data on behalf of the Controller. Under the CCPA/CPRA, this corresponds to a "Service Provider." MHCIS acts as the Processor and Service Provider under this DPA.
- "Personal Data": Any information relating to an identified or identifiable natural person, and any "personal information" or "personal data" as defined under applicable Data Protection Laws, that is Processed by MHCIS on your behalf under the Agreement.
- "Processing": Any operation performed on Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, or deletion.
- "Data Subject": The identified or identifiable natural person to whom Personal Data relates. Under the CCPA/CPRA, this corresponds to a "Consumer."
- "Subprocessor": Any third party engaged by MHCIS to Process Personal Data on your behalf.
- "Personal Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by MHCIS.
- "Standard Contractual Clauses" or "SCCs": The standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Decision 2021/914.
- "Sell," "Share," "Sale," and "Sharing": Have the meanings given in the CCPA/CPRA.
Roles of the Parties
For the Processing performed under the Agreement:
- You are the Controller (Business), and MHCIS is the Processor (Service Provider).
- Where you Process Personal Data as a Processor on behalf of a third-party Controller, MHCIS acts as a subprocessor, and you are responsible for the authorizations and instructions required from that Controller.
- Each party is responsible for complying with its own obligations under Data Protection Laws.
Scope and Documented Instructions
Nature and Purpose of Processing
MHCIS Processes Personal Data on your behalf only to provide and support the Services, which may include:
- Hosting and operating the Services and storing associated Personal Data
- Delivering security and software engineering services described in the Agreement
- Providing technical support and responding to service requests
- Maintaining, securing, and improving the Services consistent with your instructions
- Performing backups and disaster recovery
Documented Instructions
MHCIS Processes Personal Data only on your documented instructions, including as set out in this DPA and the Agreement, unless required to do otherwise by applicable law. Your documented instructions consist of:
- This DPA and the Agreement
- Configuration settings and choices you make within the Services
- Written instructions provided through the contacts identified in the Agreement
If MHCIS believes an instruction infringes Data Protection Laws, MHCIS will inform you without undue delay. If MHCIS is required by law to Process Personal Data beyond your instructions, MHCIS will inform you of that legal requirement before Processing, unless the law prohibits such notice.
Duration
MHCIS Processes Personal Data for the term of the Agreement and for any additional period expressly authorized by you or required by applicable law, after which the return and deletion provisions of this DPA apply.
Confidentiality
MHCIS ensures that personnel authorized to Process Personal Data are bound by appropriate obligations of confidentiality and are granted access to Personal Data on a least-privilege basis.
Types of Personal Data and Categories of Data Subjects
The Personal Data Processed and the categories of Data Subjects are determined by your use and configuration of the Services and may include:
Types of Personal Data
- Contact and identity data (for example, names, email addresses, phone numbers, job titles, company names)
- Account and authentication data (for example, usernames, credentials, authentication tokens)
- Technical and usage data (for example, IP addresses, device identifiers, browser and operating system information, session information, access logs)
- Support and communication data (for example, support requests and related correspondence)
Categories of Data Subjects
- Your employees, contractors, and personnel
- Your customers and end users, where applicable
- Administrators and other individuals whose Personal Data you make available to us through the Services
You are responsible for ensuring you have a lawful basis to provide such Personal Data to MHCIS. You will not provide special categories of Personal Data unless expressly agreed in writing.
CCPA/CPRA Service Provider Terms
When MHCIS Processes Personal Data that constitutes "personal information" under the CCPA/CPRA, MHCIS acts as a Service Provider and agrees that it will not:
- Sell or Share the Personal Data
- Retain, use, or disclose the Personal Data for any purpose other than the specific business purpose of performing the Services under the Agreement, or as otherwise permitted by the CCPA/CPRA
- Retain, use, or disclose the Personal Data outside the direct business relationship between the parties
- Combine the Personal Data with personal information MHCIS receives from, or on behalf of, another person, or collects from its own interaction with the Consumer, except as permitted by the CCPA/CPRA to perform a business purpose
MHCIS certifies that it understands and will comply with these restrictions. MHCIS will notify you if it determines that it can no longer meet its obligations under the CCPA/CPRA. You may take reasonable and appropriate steps to help ensure that MHCIS uses Personal Data in a manner consistent with your obligations, and to stop and remediate any unauthorized use of Personal Data.
Subprocessors
General Authorization
You provide general written authorization for MHCIS to engage Subprocessors to Process Personal Data in support of the Services, subject to the conditions in this section. A current list of the Subprocessors MHCIS has engaged, including their processing purpose and location, is available on request by contacting MHCIS at contact@mhcis.com.
Subprocessor Obligations
Before a Subprocessor Processes Personal Data, MHCIS enters into a written agreement that imposes data protection obligations substantially the same as those in this DPA, including obligations to implement appropriate technical and organizational measures. MHCIS remains responsible to you for the performance of each Subprocessor's obligations.
Changes and Objection
MHCIS will notify you of any intended addition or replacement of a Subprocessor, giving you the opportunity to object. You may object to a new Subprocessor on reasonable, data-protection-related grounds within 30 days of notice. If you object, the parties will work in good faith to find a commercially reasonable alternative. If no alternative can be agreed, you may terminate the affected Services as your sole remedy, as further described in the Agreement.
International Data Transfers
Where MHCIS Processes Personal Data that is subject to GDPR, UK GDPR, or the FADP and transfers it to a country that has not received an adequacy decision, the parties rely on an appropriate transfer mechanism, including:
- Standard Contractual Clauses: The SCCs are incorporated into this DPA by reference and apply to such transfers, with the parties completing the applicable modules and annexes based on the roles described in this DPA.
- UK Transfers: For Personal Data subject to UK GDPR, the SCCs apply as supplemented by the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office.
- Swiss Transfers: For Personal Data subject to the FADP, the SCCs apply with the adjustments necessary to give effect to Swiss law.
- Adequacy: Where the destination country benefits from an adequacy decision, the parties rely on that decision.
MHCIS's primary Processing locations are in the United States, and its authorized Subprocessors operate in the United States.
Security Measures
MHCIS implements and maintains technical and organizational measures appropriate to the risk. These measures reflect the controls actually implemented for the Services and are described further at https://mhcis.com/security. They include:
Technical Measures
- Encryption in transit: TLS/HTTPS is enforced site-wide, with HTTP Strict Transport Security (HSTS).
- Encryption at rest: Encryption at rest is provided by the underlying cloud infrastructure platforms.
- Application security: A Content Security Policy and modern security response headers are applied.
- Bot mitigation and abuse controls: A managed bot-mitigation challenge protects forms, and server-side rate limiting is in place.
- Data minimization controls: IP addresses are hashed rather than stored raw, analytics are consent-gated and honor Global Privacy Control (GPC), and fonts are self-hosted with no third-party font CDN calls.
- Monitoring: A dedicated error-monitoring service captures application errors and exceptions.
- Access controls: Least-privilege access is applied to systems that handle Personal Data.
Organizational Measures
- A secure software development lifecycle (secure SDLC)
- Infrastructure-as-code for consistent, reviewable configuration
- Dependency review as part of the development process
- Due diligence and written agreements with Subprocessors
MHCIS may update its security measures from time to time, provided that it does not materially reduce the overall level of protection during the term of the Agreement.
Data Subject Request Assistance
Taking into account the nature of the Processing, MHCIS will assist you by appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling your obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including the rights of access, rectification, erasure, restriction, data portability, objection, and rights relating to automated decision-making, as well as the corresponding rights under the CCPA/CPRA and other U.S. state privacy laws.
If MHCIS receives a request directly from a Data Subject relating to Personal Data Processed on your behalf, MHCIS will, unless legally prohibited, promptly forward the request to you and will not respond except on your documented instructions. You remain responsible for verifying the identity of Data Subjects and for determining the validity and appropriate response to each request.
MHCIS does not make automated decisions producing legal or similarly significant effects concerning Data Subjects except on your instructions.
Personal Data Breach Notification
MHCIS Obligations
MHCIS will notify you without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed on your behalf. Taking into account the nature of Processing and the information available to MHCIS, the notification will include, to the extent known and as it becomes available:
- The nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and records affected
- The likely consequences of the Personal Data Breach
- The measures taken or proposed to address the breach and mitigate its effects
- A point of contact for further information
MHCIS will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
Your Obligations
You are responsible for assessing whether the Personal Data Breach requires notification to supervisory authorities or Data Subjects, and for making any such notifications within the timeframes required by applicable law.
Audit and Information Rights
MHCIS will make available to you information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and applicable Data Protection Laws, and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits and inspections are subject to reasonable conditions, including:
- Reasonable advance written notice
- A frequency of no more than once per year, unless required by a supervisory authority or following a Personal Data Breach
- A scope reasonably limited to the Processing under this DPA and applicable data protection obligations
- Confidentiality obligations binding on you and any auditor
- Conduct that minimizes disruption to MHCIS's operations, during normal business hours
Where available, MHCIS may satisfy audit requests by providing relevant documentation describing its controls in lieu of an on-site audit.
Return and Deletion of Personal Data
Upon termination or expiry of the Agreement, and at your choice, MHCIS will return the Personal Data to you or delete it, and delete existing copies, unless applicable law requires continued storage.
- Timeline: MHCIS will return or delete Personal Data within 30 days of termination or expiry of the Agreement, or of your earlier request.
- Backups: Personal Data residing in routine backups is deleted in the ordinary course as those backups cycle through their retention periods.
- Legal retention: MHCIS may retain Personal Data to the extent required by applicable law (for example, tax, accounting, or legal-hold obligations). Such Personal Data remains subject to the terms of this DPA and is isolated and protected until deletion is possible.
- Certification: Upon request, MHCIS will confirm in writing that it has completed the return or deletion of Personal Data in accordance with this section.
Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together, except where prohibited by applicable Data Protection Laws.
Term and Termination
This DPA takes effect on the effective date above and remains in force for as long as MHCIS Processes Personal Data on your behalf under the Agreement. Termination of the Agreement terminates this DPA. Provisions that by their nature should survive termination, including confidentiality, the return and deletion obligations, and liability, survive for as long as necessary to give them effect.
Governing Law
This DPA is governed by the laws of the State of South Carolina, United States, and the dispute resolution and jurisdiction provisions of the Agreement, except to the extent that Data Protection Laws require otherwise. Where the SCCs apply, the governing law and forum provisions of the SCCs prevail for matters arising under those clauses. Nothing in this DPA limits a Data Subject's or supervisory authority's rights under applicable Data Protection Laws.
Changes to this DPA
MHCIS may update this DPA to reflect changes in Data Protection Laws, regulatory guidance, or the Services. MHCIS will provide reasonable advance notice of material changes and will obtain your consent where required by applicable law.
Contact Information
For questions about this DPA or our data processing practices:
- Email: contact@mhcis.com
- Phone: +1 (803) 881-3889
- Address: 1325 Park Street, Suite 200, Columbia, SC 29201
Related Policies
- Privacy Policy: Our overall privacy practices
- Terms of Service: General terms of service
- Security Policy: Security controls and vulnerability disclosure
- HIPAA Notice: How we approach the HIPAA Security Rule and Business Associate Agreements
MHC Information Services, LLC, a security and software engineering firm.