Data Processing Agreement

Effective date: March 1, 2026
Last updated: March 1, 2026

This Data Processing Agreement ("DPA") is entered into between Stillway, Inc. ("Stillway" or "Processor") and the entity or individual that has executed a Provider Agreement with Stillway ("Controller"). This DPA forms part of and is incorporated into the Provider Agreement.


1. Definitions

  • "Controller" means the entity that determines the purposes and means of the processing of personal data.
  • "Processor" means the entity that processes personal data on behalf of the Controller (Stillway).
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection law.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, or deletion.
  • "Sub-processor" means any processor engaged by Stillway to assist in fulfilling its obligations under this DPA.
  • "Data Subject" means the natural person to whom personal data relates (typically, the patient).

2. Scope and Nature of Processing

2.1 Subject Matter

Stillway processes personal data on behalf of the Controller for the purpose of operating the Stillway booking platform, including facilitating appointment scheduling, sending notifications, and processing payments.

2.2 Duration

Processing continues for the term of the Provider Agreement and, thereafter, for as long as Stillway retains data in accordance with its retention policies or as required by law.

2.3 Types of Personal Data

  • Patient contact information (name, email, phone number).
  • Appointment details (date, time, service type, notes).
  • Payment information (processed by and stored with Stripe; Stillway processes only transaction metadata).

2.4 Categories of Data Subjects

Patients who book appointments with the Controller through the Stillway platform.


3. Obligations of Stillway (Processor)

Stillway shall:

  1. Process personal data only on documented instructions from the Controller (including as set forth in the Provider Agreement and this DPA), unless required by law.
  2. Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational measures to protect personal data (see Section 5).
  4. Assist the Controller in responding to data subject rights requests.
  5. Assist the Controller in fulfilling obligations related to security, breach notification, impact assessments, and prior consultations under applicable law.
  6. Delete or return all personal data upon termination of the Provider Agreement, unless retention is required by law.
  7. Provide all information necessary to demonstrate compliance with this DPA and allow audits upon reasonable notice.

4. Sub-processors

4.1 Authorization

By entering into this DPA, the Controller provides general authorization for Stillway to engage sub-processors as listed on our Sub-processors page at stillway.ai/trust/subprocessors.

4.2 Notification

Stillway will provide at least 30 days' advance notice of new sub-processors via email and on the Sub-processors page. If the Controller objects, it must notify Stillway within 14 days; Stillway will work in good faith to resolve the objection.

4.3 Sub-processor Obligations

Stillway imposes data protection obligations on all sub-processors equivalent to those in this DPA.


5. Security Measures

Stillway maintains the following technical and organizational security measures:

  • Encryption: Personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access control: Access to personal data is restricted to personnel with a legitimate need.
  • Monitoring: Systems are monitored for unauthorized access and anomalies.
  • Incident response: A formal incident response process is maintained.
  • Assessments: Regular security assessments and penetration testing are conducted.

A detailed description of our security measures is available at stillway.ai/trust/security.


6. Data Breach Notification

In the event of a personal data breach affecting the Controller's data, Stillway will:

  1. Notify the Controller without undue delay, and in any event within 72 hours of becoming aware.
  2. Provide information about the nature, scope, and likely consequences of the breach.
  3. Describe measures taken or proposed to address the breach.

7. Data Subject Rights

Upon the Controller's written request, Stillway will provide reasonable assistance to enable the Controller to fulfill data subject rights requests (access, rectification, erasure, restriction, portability, and objection) within the timeframes required by applicable law.


8. International Transfers

Where Stillway transfers personal data outside the European Economic Area or United Kingdom, it shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or equivalent transfer mechanisms.


9. Term and Termination

This DPA is effective for the term of the Provider Agreement. Termination of the Provider Agreement automatically terminates this DPA. Stillway's obligations under Section 3.6 (return or deletion of data) survive termination.


10. Contact

For data protection inquiries: privacy@stillway.ai

For exercising data subject rights: privacy@stillway.ai