Data Processing Agreement (DPA)

Last Updated: February 3, 2026

BETWEEN:

2428105 ALBERTA INC. (dba Wug Note)
(the "Service Provider", "Information Manager", or "Processor")

AND

The individual or entity identified in the Service registration process
(the "Customer", "Custodian", or "Controller")

(Collectively, the "Parties")

1. PREAMBLE AND DEFINITIONS

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service ("Agreement") between the Service Provider and the Customer. It applies to the processing of Personal Health Information (PHI) provided by the Customer to the Service Provider via the Wug Note platform.

• "Personal Health Information" (PHI): Means identifying information about an individual in oral or recorded form, representing the mental or physical health of the individual, as defined in applicable Canadian privacy laws (e.g., PHIPA, HIA, PIPA).
• "Services": The AI-assisted clinical documentation and transcription services provided by Wug Note.
• "Security Incident": Means any unauthorized access, use, disclosure, modification, or destruction of PHI that compromises its security, privacy, or integrity, including but not limited to: (a) unauthorized system access; (b) malware affecting PHI; (c) accidental disclosure to unauthorized parties; or (d) loss of devices containing PHI where the data is not rendered unintelligible by encryption (i.e., loss of an encrypted device where the encryption key is not compromised is not a Security Incident, provided such exclusion is permitted by applicable law).

2. ROLES AND COMPLIANCE

2.1 Role of Parties: The Customer is the "Health Information Custodian" or "Data Controller" and retains all ownership and control of the PHI. Wug Note is the "Electronic Service Provider," "Information Manager," or "Agent" acting solely on the instructions of the Customer. Wug Note acknowledges that, where applicable, it has independent statutory obligations as an Electronic Service Provider (or equivalent) under applicable health privacy legislation (including PHIPA) and agrees to comply with those obligations in addition to the contractual obligations set out in this DPA.

2.2 Compliance: Wug Note agrees to handle PHI in accordance with applicable Canadian privacy laws, including PIPEDA and The Privacy Act (Federal), PHIPA (Ontario), HIA (Alberta), PIPA (BC/Alberta), and PHIA (Manitoba/Nova Scotia).

2.3 Quebec Exclusion:
(a) Scope & Warranty: The Service is not intended for use in relation to personal information of residents of Quebec. By using the Service, you represent and warrant that you will not upload, process, or store the personal information of Quebec residents. If you choose to do so contrary to this warranty, you acknowledge that you are solely responsible for ensuring compliance with Quebec Law 25 and any obligations or regulatory consequences that may arise. Nothing in these Terms/DPA/Privacy Policy limits or waives obligations imposed by applicable law.
(b) Technical Controls: Wug Note may, at its discretion, implement technical measures (such as IP-based blocking or account verification) to restrict access from Quebec. The Customer acknowledges that these measures are supplementary and do not relieve the Customer of their warranty obligations under Section 2.3(a).

3. CUSTOMER OBLIGATIONS & WARRANTIES

3.1 Consent & Authority: The Customer warrants that they have the lawful authority to collect the PHI and have obtained all necessary consents from individuals (clients/patients) to upload such PHI to the Service.

3.2 Cross-Border Processing: The Customer acknowledges that while all persistent data storage remains in Canada, the Services utilize state-of-the-art AI models (via AssemblyAI and Google Vertex AI) that require transient processing in the United States to ensure maximum transcription accuracy and clinical safety. The Customer warrants that they have informed their clients/patients of this transient cross-border processing or obtained necessary consent prior to uploading audio.

3.3 Institutional Authority: Where the Customer is an individual practitioner using the Services in the context of their employment or engagement with a third-party organization (e.g., a hospital, health authority, or clinic), the Customer warrants that:
(a) Their use of the Services to process PHI is permitted by such organization's internal privacy policies and terms of employment; and
(b) They possess the necessary custody or control over the PHI to lawfully upload it to the Services.
Wug Note assumes no liability for the Customer’s use of the Services in violation of their employer’s or contracting organization’s internal regulations.

4. PROCESSING AND USE OF DATA

4.1 Limited Purpose: Wug Note shall process PHI strictly for the purpose of generating transcripts, summaries, and clinical notes as requested by the Customer.

4.2 Prohibited Uses: Wug Note shall not:

• Use PHI for its own independent purposes, marketing, or advertising.
• Sell, lease, barter, or otherwise monetize PHI.
• Use PHI to train, fine-tune, or improve its own Artificial Intelligence models or those of its sub-processors.

5. SECURITY AND CONFIDENTIALITY

5.1 Technical Safeguards: Wug Note shall maintain industry-standard security measures, including:

• Encryption:

• Transmission & Storage: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Field-Level Encryption: Highly sensitive data elements—specifically client names, dates of birth, session notes, transcriptions, and generated summaries—are protected via application-level encryption. These fields are encrypted prior to persistence, ensuring they are never stored in plaintext within the Service Provider’s database.

• Access Control: Strict Row-Level Security (RLS) and Multi-Factor Authentication (MFA) for administrative access.
• Restricted Access / Break-Glass: Service Provider personnel shall not access Customer PHI except as strictly necessary to (i) provide support requested by Customer, (ii) maintain security, or (iii) comply with law. Any such access is time-limited, role-based, and documented with a justification. All access to clear-text PHI is logged with user identity, timestamp, and reason; logs are protected from alteration and retained for at least twelve (12) months. Upon written request in connection with a confirmed Security Incident or annual audit, Service Provider will make relevant access logs available to the Customer.

5.2 Confidentiality: Wug Note ensures that its personnel engaged in the processing of PHI are informed of the confidential nature of the data, have received appropriate privacy training, and are subject to confidentiality agreements.

5.3 Audit Rights: Upon reasonable written notice (minimum 14 days), the Customer or its authorized third-party auditor may audit Wug Note's compliance with this DPA, limited to once annually. In the event of a confirmed Security Incident, the Customer’s audit rights shall be satisfied by the provision of Wug Note’s post-incident forensic report and remediation plan. Such audits shall be conducted during regular business hours, at the Customer's sole expense, and shall not unreasonably interfere with Wug Note's operations.

6. SUB-PROCESSORS AND DATA RESIDENCY

6.1 Authorized Sub-Processors: The Customer grants general authorization to Wug Note to engage the sub-processors listed in Schedule A.

6.2 Data Residency:

• Storage (At Rest): All persistent PHI (database, backups, and file storage) is stored exclusively in Canada.
• Transient Processing: For the limited purpose of generating transcripts and summaries, audio data is processed by sub-processors in the United States. This data is "Transient," meaning it is processed in ephemeral storage during active generation only and is not used to train third-party AI models.

7. RETENTION AND DELETION

7.1 Automated Deletion: In accordance with Wug Note’s data minimization policy:

• Audio Recordings: Deleted from active storage 14 days after upload.
• Recording data, Transcripts & Summaries: Deleted from active storage 14 days after generation.

7.2 Customer Responsibility: It is the Customer's sole responsibility to export clinical notes to their Electronic Medical Record (EMR) system before the retention period expires.

7.3 Termination: Upon termination of the Agreement, Wug Note shall securely delete all Customer data remaining in its possession within 30 days, unless a longer retention period is required by law.

8. SECURITY INCIDENTS

8.1 Notification: If Wug Note discovers a confirmed Security Incident, Wug Note will notify the Customer without unreasonable delay (and in no event later than 48 hours).

8.2 Cooperation: Wug Note will provide the Customer with reasonable assistance regarding the Security Incident, including: (a) forensic details of the incident; (b) affected individual identifiers (where known); (c) technical mitigation steps taken; and (d) documentation required for regulatory reporting. Wug Note provides this assistance at no additional cost to the Customer, unless the Security Incident was caused solely by the Customer's negligence or breach of this DPA.

9. LIABILITY

9.1 Limitation of Liability: Except in cases of Wug Note’s gross negligence or willful misconduct, Wug Note’s total aggregate liability arising out of or related to this DPA (including for claims related to data security or confidentiality) shall not exceed the total amount paid by the Customer to Wug Note in the twenty-four (24) months preceding the incident.

9.2 Indemnification by Customer: The Customer agrees to indemnify, defend, and hold Wug Note harmless against any third-party claims, damages, fines, or penalties arising from the Customer's failure to obtain necessary consents, failure to adhere to employer/institutional policies, or failure to possess the lawful authority to collect and upload the PHI to the Services.

9.3 Indemnification by Wug Note: Wug Note shall indemnify and hold the Customer harmless against third-party claims alleging that the Services infringe intellectual property rights or arising from a confirmed Security Incident caused by Wug Note’s gross negligence or willful misconduct.

10. GENERAL

10.1 Sub-Processor Changes: Wug Note will provide at least 30 days' written notice (via email or in-app notification) of any new sub-processors that will have access to PHI. The Customer may object within 14 days if the change creates unacceptable privacy risks. If the parties cannot resolve the objection, the Customer may terminate the affected Services without penalty.

10.2 Governing Law: This DPA shall be governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein.

10.3 Electronic Acceptance & Counterparts:
The Parties acknowledge and agree that this DPA may be executed by electronic signature, which includes clicking "I Agree," "Sign Up," or a similar affirmation during the Service registration process. Such electronic acceptance shall carry the same legal weight as a handwritten signature. The Customer acknowledges that by creating an account and using the Services, they have read, understood, and agreed to be bound by the terms of this DPA.

Schedule A: Data Mapping & Record of Processing

1. Data Flow & Categories

• Audio Recordings: Sensitive PHI (.webm/.mp4). Used for transcription.
• Transcripts/Summaries: Sensitive PHI (Text/JSON). Clinical documentation.
• Metadata: Technical identifiers (Time/Date/IDs).

2. Core Sub-Processors (Access to PHI)
Wug Note utilizes the following trusted sub-processors for the core delivery of the Service:

3. Operational Sub-Processors (No PHI Access)
These providers support the functionality of the Wug Note application (e.g., login, analytics) but DO NOT have access to PHI.

4. Retention Schedule (Strict Limits)

• Audio Files: Automatically deleted 14 days after upload.
• Recording data: Automatically deleted 14 days after creation.
• Transcripts: Automatically deleted 14 days after creation.
• Summaries: Automatically deleted 14 days after creation.
• Backups: Encrypted database backups retained for disaster recovery up to 30 days (cyclical overwrite).