Data Processing Agreement

Last revision May 15 2026
Effective date: June 14 2026

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between the legal entity representing a clinic on the Konfidens platform (the “Company”) and Mindcare AS (the “Data Processor”) (together as the “Parties”).

Mindcare AS, Røatoppen 11C, 0756 Oslo, Norway

Country-specific requirements
Where the Controller is established in Norway, the processing of personal health data under this Agreement is also subject to the requirements set out in Schedule 3.

Where the Controller is established in the United Kingdom, the processing of personal data is also subject to the requirements set out in Schedule 4.

WHEREAS (A) The Company acts as a Data Controller (the “Controller”).

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to Mindcare AS, acting as a Data Processor (the “Processor”).

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1  Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:

  • 1.1.1  “Agreement” means this Data Processing Agreement and all Schedules;
  • 1.1.2  “Company Personal Data” means any Personal Data Processed by a Contracted Processor on Controller’s behalf pursuant to or in connection with the Principal Agreement;
  • 1.1.3  “Contracted Processor” means a Subprocessor;
  • 1.1.4  “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
  • 1.1.5  “EEA” means the European Economic Area;
  • 1.1.6  “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
  • 1.1.7  “GDPR” means EU General Data Protection Regulation 2016/679;
  • 1.1.8  “Data Transfer” means: (i) a transfer of Company Personal Data from Controller to a Contracted Processor; or (ii) an onward transfer of Company Personal Data from a Contracted Processor to a Subprocessor, where such transfer would be prohibited by Data Protection Laws;
  • 1.1.9  “Services” means the online practice management system Konfidens provided by the Data Processor, including session notes, scheduling, video consultations, and other features as further described on the Data Processor’s website;
  • 1.1.10  “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Agreement.

1.2  The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

2. Processing of Company Personal Data

2.1  Processor shall:

  • 2.1.1  comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
  • 2.1.2  not Process Company Personal Data other than on Controller’s documented instructions.

2.2  Controller instructs Processor to process Company Personal Data to provide the Services and related technical support.

2.3  The Controller shall at all times retain full beneficial ownership of and rights over the Company Personal Data. The Processor acquires no independent right to use Company Personal Data for its own purposes, and shall not do so.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to the Company Personal Data, ensuring that access is strictly limited to those individuals who need to access the relevant data as strictly necessary for the purposes of the Principal Agreement. Processor shall ensure that all such individuals are subject to binding confidentiality obligations, whether contractual or statutory, prior to being granted access. Processor shall maintain records of such confidentiality commitments and make them available to Controller upon request.

4. Security

4.1  Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures referred to in Article 32(1) GDPR.

4.2  In assessing the appropriate level of security, Processor shall take particular account of the risks presented by Processing, especially from a Personal Data Breach.

4.3  Processor shall implement appropriate technical and organisational measures to give effect to data protection principles effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of applicable Data Protection Laws and protect the rights of data subjects (data protection by design and by default), in accordance with Article 25 GDPR.

5. Records of Processing Activities

Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller in accordance with Article 30(2) GDPR. The current record is set out in Schedule 2 of this Agreement and shall be updated as the Services evolve.

6. Subprocessing

6.1  Controller hereby grants Processor general written authorisation, pursuant to Article 28(2) GDPR, to engage Subprocessors for the delivery of the Services. The current list of Subprocessors is set out in Schedule 1 of this Agreement.

6.2  Processor shall notify Controller by email no less than 14 days before adding or replacing a Subprocessor. If Controller reasonably objects to a new Subprocessor on data protection grounds, Controller shall notify Processor in writing within the notice period. If the parties cannot resolve the objection, either party may terminate the Services on written notice. Continued use of the Services after the notice period constitutes acceptance of the change.

7. Data Subject Rights

7.1  Taking into account the nature of the Processing, Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as possible, for the fulfilment of Controller’s obligations to respond to requests to exercise Data Subject rights under applicable Data Protection Laws.

7.2  Processor shall:

  • 7.2.1 promptly notify Controller if it receives a request from a Data Subject in respect of Company Personal Data; and
  • 7.2.2  ensure that it does not respond to that request except on the documented instructions of Controller or as required by applicable law, in which case Processor shall inform Controller of that legal requirement before responding.

8. Personal Data Breach

8.1  Processor shall notify Controller without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects under applicable Data Protection Laws.

8.2  Processor shall co-operate with Controller and take reasonable steps as directed by Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Controller reasonably considers to be required by Article 35 or 36 GDPR or equivalent provisions of any other applicable Data Protection Law.

10. Deletion or return of Company Personal Data

10.1  Subject to this section 10, Processor shall promptly and in any event within 20 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

10.2  Processor shall provide written certification to Controller that it has fully complied with this section 10 within 20 business days of the Cessation Date.

11. Audit rights

11.1  Processor shall make available to Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Controller or an auditor mandated by Controller.

11.2  Information and audit rights of Controller only arise under section 11.1 to the extent that the Agreement does not otherwise give Controller information and audit rights meeting the relevant requirements of Data Protection Law.

12. Data Transfer

12.1  The Processor may not transfer or authorise the transfer of Data to countries outside the United Kingdom, the EU, the European Economic Area (EEA), and/or any country subject to an adequacy decision under Article 45 GDPR, without the prior written consent of Controller. Where such transfers do occur, the Parties shall, unless agreed otherwise, rely on Norwegian- and/or EU-approved standard contractual clauses for the transfer of personal data.

13. General Terms

13.1  Confidentiality

Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; or (b) the relevant information is already in the public domain.

13.2  Notices

All notices and communications given under this Agreement must be in writing and will be sent by email. Controller shall be notified at the address related to its use of the Service under the Principal Agreement. Processor shall be notified at: aleksander@konfidens.com

14. Governing Law and Jurisdiction

14.1  This Agreement is governed by Norwegian law.

14.2  Any dispute arising in connection with this Agreement which the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of Oslo, Norway.

15. Amendments

15.1  Processor may update this Agreement from time to time to reflect changes in applicable law, regulatory guidance, or the Services. Processor shall notify Controller by email at least 30 days before any material changes take effect.

15.2  Continued use of the Services after that date constitutes acceptance of the updated Agreement. If Controller does not accept the changes, Controller may terminate the Services by written notice before the changes take effect.

15.3  The updated Agreement will be made available to Controller upon request and will apply to all processing carried out from the date the changes take effect.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

Mindcare AS (Processor)

Signature ___________________

Name: Aleksander Erichsen

Title: CEO

Date Signed: 05.09.2023

Company / Controller

Signature ___________________

Name ______________________

Title _______________________

Date Signed ________________

Schedule 1:

Description of Processing

1. Subject-matter and nature of processing

The Processor provides a practice management system for mental health professionals, including session notes, scheduling, video consultations, secure messaging, appointment reminders, and payment processing. Processing is carried out by automated means on infrastructure operated by the Processor and its sub-processors.

2. Purpose and duration

Processing is carried out for the purpose of delivering the Services as defined in the Principal Agreement. Processing continues for the duration of the Principal Agreement and ceases in accordance with Section 10 of this Agreement.

3. Categories of data subjects

  • Patients and clients of the Controller

4. Types of personal data

The following categories of personal data are processed on behalf of the Controller:

Category | Examples
Health data (Article 9 GDPR) | Session notes, diagnoses, treatment history, questionnaire responses, uploaded files
Identity data | Name, date of birth, national identity number, next of kin and other relevant information
Contact data | Email address, phone number, address
Appointment data | Booking history, calendar entries
Payment data | Billing information, transaction history
Technical data | Login identifiers, access logs, IP address (for sensitive actions)

Note on AI Scribe: The AI Scribe feature processes audio recordings and text transcriptions of therapy sessions, which constitute health data under Article 9 GDPR. This feature is activated at the discretion of the Controller. The Controller is responsible for ensuring that any necessary consent or other valid legal basis under applicable law has been obtained from the patient prior to activating AI Scribe.

5. Sub-processors

The Processor uses the following sub-processors to deliver the Services. The Processor shall notify the Controller of any planned changes in accordance with Section 6 of this Agreement.

Sub-processor | Purpose | Location
Amazon Web Services (AWS EMEA SARL) | Hosting and data storage | Frankfurt, Germany
Microsoft Azure | AI Scribe – text processing and summarisation | Norway
Speechmatics | AI Scribe – speech-to-text transcription | United Kingdom
Whereby | Video consultations | EU/EEA
Adyen | Payment processing | EU/EEA
GatewayAPI | SMS authentication | Germany, Finland, Denmark
Brevo | Transactional email | Germany, Belgium, Ireland
Criipto | BankID authentication (Norway only) | Norway
Chargebee | Subscription billing | EU/EEA
Google Workspace / Intercom | Support communications | EU/EEA
hCaptcha | Bot and fraud detection | EU/EEA

All sub-processors are contractually required to process data solely for their specified purpose and in compliance with applicable data protection law.

Schedule 2

Record of Processing Activities

This record is maintained by Mindcare AS in its capacity as Processor, pursuant to Article 30(2) GDPR. It documents the categories of processing activities carried out on behalf of Controllers using the Konfidens platform.

Note: The legal basis stated for each activity reflects the intended basis for the Controller’s processing of patient data. Controllers remain responsible for documenting legal basis in their own records under Article 30(1) GDPR.

1. Patient Information

Purpose: To provide healthcare services. Enables the treating practitioner to document and manage information about the patient necessary for the delivery of care.
Legal basis – Norway: GDPR Art. 9(2)(h) and Art. 6(1)(c); Helsepersonelloven §§39–40; Pasientjournalloven §6; Pasientjournalforskriften (FOR-2019-03-01-168)
Legal basis – UK: UK GDPR Art. 9(2)(h) and Art. 6(1)(c); Data Protection Act 2018, Schedule 1, Part 1, para. 2 (health or social care purposes)
Legal basis – EU/EEA: GDPR Art. 9(2)(h) and Art. 6(1)(c)
Data subjects: Patients
Personal data: Name, national identity number, address, email, phone number, employer and employment status, marital status, children, next-of-kin (name and phone number), GP
Recipients: Treating practitioner (Controller); Mindcare AS (Processor)
Retention: Retained until deleted by the practitioner. Practitioners are subject to applicable medical records legislation (NO: Pasientjournalforskriften §16 – minimum 10 years after last entry).
Third country transfers: Data stored encrypted on servers in Frankfurt, Germany (AWS EMEA SARL). Transfer to Germany is within the EEA; no adequacy assessment required.
Security measures: Developed in accordance with Normen guidelines.

2. Clinical notes (session notes)

Purpose: To provide healthcare services; documentation of treatment provided, supporting continuity of care and professional obligations.
Legal basis – Norway: GDPR Art. 9(2)(h) and Art. 6(1)(c); Helsepersonelloven §§39–40; Pasientjournalloven §6; Pasientjournalforskriften (FOR-2019-03-01-168)
Legal basis – UK: UK GDPR Art. 9(2)(h) and Art. 6(1)(c); Data Protection Act 2018, Schedule 1, Part 1, para. 2
Legal basis – EU/EEA: GDPR Art. 9(2)(h) and Art. 6(1)(c)
Data subjects: Patients
Personal data: Documentation of treatment provided, clinical assessment, diagnosis, medical history, and any other information the practitioner deems relevant and necessary for the provision of healthcare
Recipients: Treating practitioner (Controller); Mindcare AS (Processor); clinical supervisor where applicable (subject to patient consent)
Retention: Retained until deleted by the practitioner. Practitioners are subject to applicable medical records legislation.
Third country transfers: Data stored encrypted on servers in Frankfurt, Germany (AWS EMEA SARL). Within the EEA; no adequacy assessment required.
Security measures: Developed in accordance with Normen guidelines.

3. Appointment scheduling

Purpose: To facilitate appointment booking and management between patient and practitioner.
Legal basis – Norway: GDPR Art. 6(1)(b) (performance of contract with patient); Art. 9(2)(h) where health data is incidentally included
Legal basis – UK: UK GDPR Art. 6(1)(b)
Legal basis – EU/EEA: GDPR Art. 6(1)(b)
Data subjects: Patients
Personal data: Date, time and location of appointment; type of treatment
Recipients: Treating practitioner (Controller); Mindcare AS (Processor)
Retention: Retained until deleted by the practitioner.
Third country transfers: Data stored encrypted on servers in Frankfurt, Germany (AWS EMEA SARL). Within the EEA.
Security measures: Developed in accordance with Normen guidelines.

4. Practitioner profile

Purpose: Verification of practitioner identity for patients; presentation of the practitioner in the appointment booking flow; billing and invoicing for use of the Konfidens platform.
Legal basis – Norway: GDPR Art. 6(1)(b) (performance of contract with practitioner); Art. 6(1)(f) for publicly displayed profile information
Legal basis – UK: UK GDPR Art. 6(1)(b); Art. 6(1)(f) for publicly displayed profile information
Legal basis – EU/EEA: GDPR Art. 6(1)(b); Art. 6(1)(f) for publicly displayed profile information
Data subjects: Psychologists and other practitioners (Controllers)
Personal data: Name, national identity number, address, email, phone number, professional background and description, profile photo, associated business registration number, professional body and registration number
Recipients: Profile information (name, professional background, photo) publicly accessible during appointment booking. All other information accessible to the practitioner themselves and Mindcare AS only.
Retention: For the duration of the service agreement, plus any statutory retention obligations.
Third country transfers: Data stored encrypted on servers in Frankfurt, Germany (AWS EMEA SARL). Within the EEA.
Security measures: Developed in accordance with Normen guidelines.

Schedule 3

Norway–Specific Requirements

This Schedule applies where the Controller is established in Norway and processes personal health data using the Konfidens platform. These requirements supplement and do not replace the obligations in the main Agreement.

1. Applicable legislation

In addition to the GDPR, the following Norwegian legislation applies to the processing of personal health data under this Agreement:

Legislation | Description
Personopplysningsloven (LOV-2018-06-15-38) | Norwegian Personal Data Act, incorporating the GDPR into Norwegian law.
Pasientjournalloven (LOV-2014-06-20-42) | Act on the processing of health data in connection with the provision of healthcare. Governs the duties and rights related to patient records.
Helseregisterloven (LOV-2014-06-20-43) | Act on health registries and the processing of health data. Applies to systematic collection of health data.
Helsepersonelloven (LOV-1999-07-02-64) | Act on health personnel. Sets out mandatory documentation duties, including the duty to maintain patient records (§§39–40).
Pasientjournalforskriften (FOR-2019-03-01-168) | Regulation on patient records. Specifies content requirements, access, retention (minimum 10 years from last entry), and deletion.

2. Norm for information security (Normen)

Processor has developed and operates the Konfidens platform in accordance with “Norm for informasjonssikkerhet og personvern i helse- og omsorgssektoren” (Normen), published by the Norwegian Health Directorate (formerly the Norwegian Directorate of eHealth). Normen constitutes the recognised industry standard for information security in the Norwegian health and care sector.

In particular, Processor shall:

  • comply with all relevant requirements in Normen applicable to data processors in the health and care sector;
  • ensure that technical solutions, access controls, logging, and security measures meet the standards set out in Normen;
  • upon request, document to the Controller how the platform satisfies the relevant Normen requirements.

3. Supervisory authority

The competent supervisory authority for the processing of personal data in Norway is Datatilsynet (the Norwegian Data Protection Authority), datatilsynet.no.

4. Patient rights

The Controller, as the party responsible for the patient relationship, is responsible for ensuring compliance with patients’ rights under pasientjournalloven and pasientrettighetsloven. The Processor shall provide reasonable technical assistance to the Controller in facilitating the exercise of such rights.

Schedule 4

United Kingdom–Specific Requirements

This Schedule applies where the Controller is established in the United Kingdom. These requirements supplement and do not replace the obligations in the main Agreement.

1. Applicable legislation

The following legislation applies to the processing of personal data where the Controller is established in the United Kingdom:

Legislation | Description
UK GDPR | The EU GDPR as retained in UK domestic law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Data Protection Act 2018 (DPA 2018) | UK legislation that supplements the UK GDPR. Schedule 1, Part 1, paragraph 2 provides the condition for processing special category health data for health or social care purposes.
Health and Social Care Act 2012 | Governs data sharing in health and social care settings, including obligations regarding confidentiality of patient information.

2. Legal basis for processing special category health data

Where the Controller processes health data (special category data under UK GDPR Art. 9) in connection with the provision of health services, the applicable condition for processing under the DPA 2018 is Schedule 1, Part 1, paragraph 2 (“health or social care purposes”), in conjunction with UK GDPR Art. 9(2)(h).

Where explicit consent is relied upon, the Controller is responsible for ensuring that consent is obtained in accordance with UK GDPR Art. 7 and Art. 9(2)(a).

3. Data transfers between the UK and EU/EEA

The United Kingdom currently benefits from adequacy regulations under UK GDPR, meaning that transfers of personal data from the UK to EU/EEA countries (including Germany, where AWS servers are located) do not require additional safeguards. Both Parties acknowledge that this status may change, and Processor shall notify Controller promptly of any material change that affects the lawfulness of data transfers.

Conversely, the EU has adopted an adequacy decision for the UK under GDPR Art. 45, enabling transfers from EU/EEA-based Controllers to Processor’s UK-located sub-processors (including Speechmatics). Both Parties acknowledge that this adequacy decision is subject to periodic review and may be revoked.

4. Supervisory authority

The competent supervisory authority for the processing of personal data in the United Kingdom is the Information Commissioner’s Office (ICO), ico.org.uk.

5. Industry standards

While there is no direct UK equivalent to the Norwegian Normen, the Processor commits to maintaining technical and organisational security measures consistent with recognised information security standards applicable to health and social care data, including relevant ICO guidance on security of health data.