MiriConnect Customer Clinic Data Processing Agreement

Version 1 — Click-through acceptance edition

Data Processing Agreement pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)

This Data Processing Agreement (the “DPA”) is entered into by and between:

(1) Archolm ApS, a private limited liability company (anpartsselskab) incorporated under the laws of Denmark, having its registered office in Denmark, trading as MiriConnect (“Archolm”, the “Processor”); and

(2) the Customer Clinic — the healthcare organisation, clinic or other legal entity on whose behalf an authorised Clinic Administrator accepts this DPA through the MiriConnect service (the “Customer Clinic”, the “Controller”).

Archolm and the Customer Clinic are each a “Party” and together the “Parties”.

Conclusion by electronic acceptance. This DPA is concluded by electronic acceptance. By clicking to accept this DPA in MiriConnect, an authorised Clinic Administrator, acting for and on behalf of the Customer Clinic and representing that they have authority to bind the Customer Clinic, enters into this DPA on behalf of the Customer Clinic. Archolm records the identity of the accepting administrator, the Customer Clinic, the version and content hash of the DPA accepted, and the date and time of acceptance. The “Effective Date” of this DPA is the date and time of such acceptance.


Background

(A) Archolm provides MiriConnect, a software service for remote monitoring of MIRI Timelapse embryo incubator systems used by assisted reproductive technology and in vitro fertilisation clinics. The service includes client applications, an administrative dashboard, cloud-hosted identity, audit, notification and operational services, and an on-premises Mini-Server installed at the Customer Clinic’s premises.

(B) The Customer Clinic determines the purposes and means of the Processing of Personal Data relating to its personnel, users and patients, and acts as Controller for such Personal Data.

(C) Archolm Processes certain Personal Data on behalf of the Customer Clinic in connection with the provision, operation, maintenance, security and support of MiriConnect, and acts as Processor for such Personal Data.

(D) This DPA sets out the Parties’ rights and obligations in relation to such Processing and is intended to satisfy the requirements of Article 28 GDPR.

(E) This DPA forms part of the applicable MiriConnect customer subscription agreement, order form, service terms or other customer-facing agreement between the Parties relating to the Customer Clinic’s use of MiriConnect (the “Main Agreement”).


1. Definitions

1.1 GDPR terms

The terms “Controller”, “Processor”, “Processing”, “Personal Data”, “Personal Data Breach”, “Data Subject”, “Sub-processor”, “Supervisory Authority”, “special categories of personal data” and equivalent terms shall have the meanings given to them in Regulation (EU) 2016/679 (the “GDPR”).

1.2 Additional definitions

“Applicable Data Protection Law” means the GDPR, the Danish Data Protection Act, and any other data protection or privacy law applicable to the Processing of Personal Data under this DPA.

“Authorised User” means an individual authorised by the Customer Clinic to access and use MiriConnect.

“Clinic Administrator” means an Authorised User assigned the administrator role for the Customer Clinic in MiriConnect.

“Effective Date” means the date and time at which an authorised Clinic Administrator accepts this DPA on behalf of the Customer Clinic through the MiriConnect service.

“Customer Personal Data” means the Personal Data Processed by Archolm on behalf of the Customer Clinic under this DPA, as further described in Annex 1.

“Medical Data” means clinical, medical, embryological, patient-related or treatment-related data generated by, stored on, transmitted from, or derived from a MIRI Device or the Customer Clinic’s clinical use of MiriConnect, including embryo timelapse images, incubator telemetry, embryo identifiers and embryo developmental-stage analysis results.

“Mini-Server” means the on-premises gateway appliance installed at the Customer Clinic’s premises and used to connect MiriConnect to the Customer Clinic’s MIRI Device.

“MIRI Device” means the MIRI Timelapse embryo incubator system operated by the Customer Clinic.

“Services” or “MiriConnect” means the MiriConnect platform and related services provided by Archolm under the Main Agreement.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses adopted by the European Commission under Implementing Decision (EU) 2021/914, or any successor clauses replacing them.

“Technical and Organisational Measures” or “TOMs” means the technical and organisational security measures set out in Annex 2.


2. Roles and scope

2.1 Roles of the Parties

For the Processing of Customer Personal Data under this DPA, the Customer Clinic acts as Controller and Archolm acts as Processor.

Where Archolm engages Sub-processors, such Sub-processors act as Sub-processors of Archolm in relation to the relevant Processing.

2.2 Scope of this DPA

This DPA applies to the Processing of Customer Personal Data by Archolm on behalf of the Customer Clinic in connection with the Services.

The subject matter, duration, nature and purpose of the Processing, the categories of Data Subjects and the categories of Customer Personal Data are described in Annex 1.

2.3 Personal Data for which Archolm is independent controller

This DPA does not apply to Personal Data that Archolm Processes as an independent controller, including Personal Data relating to Archolm’s own business contacts, supplier relationships, billing administration, legal claims, corporate compliance, internal security administration or marketing communications, except to the extent such Processing is expressly described as Processing on behalf of the Customer Clinic in Annex 1.

2.4 Medical Data

Medical Data is addressed specifically in Section 8.

In the standard operation of the Services, Archolm does not store, cache, archive or retain Medical Data in its cloud infrastructure. Medical Data remains primarily on the Customer Clinic’s premises, on the MIRI Device and/or the Mini-Server, subject to the technical and architectural details set out in Section 8 and Annex 1.


3. Duration

3.1 Term

This DPA takes effect on the Effective Date and remains in force for as long as Archolm Processes Customer Personal Data on behalf of the Customer Clinic.

3.2 Survival

Any provisions that by their nature are intended to survive termination shall continue to apply after termination, including provisions concerning confidentiality, return and deletion, audit evidence, liability, international transfers and any unresolved Personal Data Breach.


4. Processing on documented instructions

4.1 Instructions

Archolm shall Process Customer Personal Data only on documented instructions from the Customer Clinic, unless Archolm is required to do so by EU law, Danish law or other Applicable Law to which Archolm is subject.

Where Archolm is required by law to Process Customer Personal Data other than on the Customer Clinic’s instructions, Archolm shall inform the Customer Clinic of that legal requirement before Processing, unless such law prohibits Archolm from doing so on important grounds of public interest.

4.2 Documented instructions

The Customer Clinic’s documented instructions are constituted by:

(a) this DPA;

(b) the Main Agreement;

(c) any applicable order form;

(d) the Customer Clinic’s configuration choices within MiriConnect;

(e) written support or administration requests submitted by the Customer Clinic; and

(f) any further written instructions agreed by the Parties.

4.3 Standardised service

The Customer Clinic acknowledges that MiriConnect is a standardised service. Archolm is not required to implement any instruction that is not technically supported by the Services, would require custom development, would weaken security, would conflict with Applicable Law, or would adversely affect other customers or the integrity of the Services.

Where Archolm considers that an instruction cannot reasonably be accommodated, Archolm shall inform the Customer Clinic without undue delay.

4.4 Unlawful instructions

Archolm shall inform the Customer Clinic without undue delay if, in Archolm’s opinion, an instruction infringes Applicable Data Protection Law.


5. Confidentiality

5.1 Personnel confidentiality

Archolm shall ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2 Access limitation

Archolm shall ensure that access to Customer Personal Data is limited to personnel who require such access for the purposes of providing, maintaining, securing or supporting the Services, in accordance with the principle of least privilege.

5.3 Continuing obligation

Confidentiality obligations shall continue after the end of the relevant person’s employment or engagement with Archolm.


6. Security of Processing

6.1 Security obligation

Archolm shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of the Processing, as well as the risk to Data Subjects.

The TOMs implemented by Archolm as of the Effective Date are described in Annex 2.

6.2 Updates to TOMs

Archolm may update the TOMs from time to time, provided that such updates do not materially reduce the overall level of security of the Services.

6.3 No unsupported certification claim

Archolm does not represent that MiriConnect itself is certified under ISO 27001, SOC 2 or any equivalent certification unless expressly stated in writing by Archolm.

Where a Sub-processor listed in Annex 3 holds certifications, such certifications relate to that Sub-processor’s infrastructure or services and not to Archolm or MiriConnect as a whole.

6.4 Customer Clinic responsibilities

The Customer Clinic is responsible for:

(a) managing its Authorised Users;

(b) assigning roles and permissions in accordance with the principle of least privilege;

(c) ensuring that Authorised Users use multi-factor authentication where required;

(d) maintaining the physical security of the Mini-Server on its premises;

(e) maintaining secure local networks, workstations and devices used to access MiriConnect; and

(f) ensuring that Authorised Users do not enter unnecessary Personal Data, Medical Data or patient-identifying information into support tickets, free-text fields or other parts of the Services not intended for such information.


7. Sub-processors

7.1 General authorisation

The Customer Clinic grants Archolm general written authorisation to engage Sub-processors for the Processing of Customer Personal Data.

The Sub-processors engaged as of the Effective Date are listed in Annex 3.

7.2 Sub-processor obligations

Archolm shall enter into a written agreement with each Sub-processor imposing data protection obligations that are, in substance, no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by that Sub-processor.

7.3 Liability for Sub-processors

Archolm remains liable to the Customer Clinic for the performance of the Sub-processor’s data protection obligations to the extent required by Article 28 GDPR.

7.4 Notice of changes

Archolm shall notify the Customer Clinic of any intended addition or replacement of a Sub-processor at least thirty (30) days before such change takes effect, unless a shorter period is required for urgent security, legal, operational or service-continuity reasons.

Notice may be given by email, through the Services, by updating a notified Sub-processor list, or by any other reasonable method made known to the Customer Clinic.

7.5 Objection right

The Customer Clinic may object to an intended addition or replacement of a Sub-processor on reasonable and documented data protection grounds within the applicable notice period.

If the Customer Clinic objects, the Parties shall work in good faith to resolve the objection. If no resolution is reached, the Customer Clinic may terminate the affected Services in accordance with the Main Agreement as its sole and exclusive remedy for the relevant objection.


8. Medical Data, local processing and cloud-storage limitation

8.1 Local architecture

In the standard operation of the Services, Medical Data is processed on the Customer Clinic’s premises, through the MIRI Device and the Mini-Server.

Embryo timelapse images and incubator telemetry are streamed from the MIRI Device through the Mini-Server for display to Authorised Users and are not stored, cached, archived or retained in Archolm’s cloud infrastructure.

8.2 No cloud storage of Medical Data

In the standard operation of the Services, Archolm does not store, cache, archive or retain Medical Data in its cloud infrastructure, including Firebase, Google Cloud Firestore, Cloud Functions or Archolm-hosted application servers.

Operational data transmitted by the Mini-Server to Archolm’s cloud infrastructure, such as heartbeat information, software version, availability status, connectivity state and technical health metadata, is not intended to contain Medical Data.

8.3 Transit through relay gateway

When an Authorised User accesses Medical Data remotely through MiriConnect, encrypted traffic may transit through an Archolm-operated relay gateway hosted on EU/EEA infrastructure.

Such relay gateway is intended to transmit encrypted traffic only and does not store Medical Data.

8.4 Local-key mode and end-to-end encryption

For Customer Clinics operating in local-key mode, Medical Data transmitted from the Mini-Server to client applications is protected by end-to-end encryption using AES-256-GCM before it leaves the Customer Clinic’s premises.

In local-key mode, the relevant encryption key is generated on the Mini-Server and is not transmitted to or stored by Archolm’s cloud infrastructure. For such deployments, Archolm’s cloud infrastructure is not intended to be able to decrypt Medical Data in transit.

8.5 Legacy cloud-key mode

A legacy cloud-key operating mode may exist for historical deployments, in which key material may be stored in Archolm’s cloud infrastructure.

The statements in Section 8.4 regarding Archolm’s inability to decrypt Medical Data do not apply to any Customer Clinic operating in such legacy cloud-key mode.

New Customer Clinics are intended to be provisioned in local-key mode. Archolm shall, upon request, inform the Customer Clinic which operating mode applies to the Customer Clinic’s deployment.

8.6 ML output on the Mini-Server

Where the optional machine-learning feature is enabled, embryo developmental-stage analysis results may be stored in a local database on the Mini-Server at the Customer Clinic’s premises.

Such ML output is not stored in Archolm’s cloud infrastructure as part of the standard operation of the Services.

8.7 No routine access to Medical Data

Archolm has no routine access to the content of Medical Data held on the MIRI Device or Mini-Server.

Archolm’s remote interaction with a deployed Mini-Server is limited to mechanisms such as:

(a) automatic, cryptographically signed software updates;

(b) constrained predefined operational commands, such as restarting MiriConnect service components; and

(c) encrypted diagnostic submissions containing scrubbed system logs and operational metrics.

Such mechanisms are not intended to transmit Medical Data.

8.8 Mini-Server SSH access

The production Mini-Server appliance is intended to be delivered with interactive remote shell access, including SSH, disabled or removed.

This statement applies to the Mini-Server appliance installed at the Customer Clinic’s premises and does not mean that Archolm has no administrative access to Archolm-operated cloud infrastructure, gateway VPSs, hosting environments or other infrastructure used to provide the Services.


9. Machine-learning feature

9.1 Optional feature

The machine-learning feature is optional and disabled by default unless otherwise agreed or configured.

The Customer Clinic may enable or disable the feature subject to the subscription level, technical configuration and available functionality of the Services.

9.2 Local inference

Where enabled in the standard configuration, machine-learning inference runs locally on the Mini-Server.

Embryo images are not transmitted to Archolm’s cloud infrastructure for inference as part of the standard operation of the Services.

9.3 ML notifications

Where the machine-learning feature detects or updates a review item, the cloud component of MiriConnect may receive or send a generic notification signal indicating that updated review data is available.

Such notification signal is not intended to include embryo images, patient identifiers, embryo identifiers or ML analysis content.

9.4 Informational use

Machine-learning outputs are informational and advisory only.

They are intended to be reviewed and validated by qualified embryologists or clinicians acting on behalf of the Customer Clinic.

Archolm does not represent that the machine-learning feature constitutes, or has been approved or certified as, a medical device, diagnostic tool, treatment recommendation system or autonomous clinical decision-making system, unless Archolm expressly states otherwise in writing.

9.5 No ML training under this DPA

Use of Customer Personal Data or Medical Data for training, fine-tuning, benchmarking, evaluating or improving machine-learning models is not part of the standard Processing covered by this DPA.

Archolm shall not use Customer Personal Data or Medical Data for such purposes unless the Parties enter into a separate written agreement addressing, as applicable, legal basis, patient information, consent or other authorisation, pseudonymisation, anonymisation, approved infrastructure, Sub-processors, international transfers, retention, deletion and security controls.


10. International transfers

10.1 General transfer restriction

Archolm shall not transfer Customer Personal Data to a country outside the EU/EEA unless such transfer is carried out in compliance with Chapter V GDPR and this DPA.

10.2 Processing locations

As of the Effective Date:

(a) Google Cloud Firestore, the primary cloud datastore used by MiriConnect, is located in europe-north2 (Stockholm, Sweden — EU/EEA);

(b) Google Cloud Functions used by MiriConnect currently run in us-central1 (United States), meaning that Customer Personal Data processed by such functions may be processed in the United States;

(c) Firebase Cloud Messaging and Apple Push Notification service may process device tokens and generic notification payloads through global provider infrastructure;

(d) Hetzner-hosted infrastructure used for hosting, update distribution and gateway relay functions is located within the EU/EEA; and

(e) one.com email infrastructure used for outbound transactional email is located within the EU/EEA.

10.3 Transfer mechanism

Where Customer Personal Data is transferred outside the EU/EEA, Archolm shall ensure that an appropriate transfer mechanism is in place, such as:

(a) the Standard Contractual Clauses;

(b) a valid adequacy decision;

(c) a provider data processing agreement incorporating appropriate transfer terms; or

(d) another transfer mechanism permitted under Chapter V GDPR.

10.4 Provider transfer terms

The Parties acknowledge that certain transfer mechanisms depend on the applicable terms, data processing addenda and transfer documentation maintained by the relevant Sub-processor.

Archolm shall make reasonable efforts to maintain appropriate transfer arrangements with relevant Sub-processors and shall provide information reasonably necessary for the Customer Clinic to assess such transfers, subject to confidentiality, security and provider-imposed restrictions.

10.5 Planned infrastructure changes

Archolm may migrate backend processing, hosting or infrastructure components to alternative infrastructure, including infrastructure located in the EU/EEA.

Where such migration materially changes Processing locations, Sub-processors or transfer mechanisms, Archolm shall update Annex 3 and notify the Customer Clinic in accordance with Section 7.


11. Assistance with Data Subject rights

11.1 Assistance obligation

Taking into account the nature of the Processing and the information available to Archolm, Archolm shall assist the Customer Clinic by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer Clinic’s obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR.

11.2 Requests received directly by Archolm

If Archolm receives a request from a Data Subject relating to Customer Personal Data Processed on behalf of the Customer Clinic, Archolm shall not respond substantively to the request unless instructed by the Customer Clinic or required by law.

Archolm shall forward the request to the Customer Clinic without undue delay, where the Customer Clinic can reasonably be identified.

11.3 Medical Data requests

Requests relating to Medical Data, patient records, embryo images, treatment data or other health data held on the MIRI Device or Mini-Server shall be handled by the Customer Clinic as Controller.

Archolm shall provide reasonable assistance to the extent technically possible and to the extent such assistance relates to the Services.

11.4 Self-service and administrative tools

Where available, Archolm may provide functionality, tooling or documentation enabling the Customer Clinic to access, export, correct, restrict or delete relevant Customer Personal Data.

Assistance beyond the standard functionality of the Services may be subject to reasonable fees, unless the assistance is required due to Archolm’s breach of this DPA.


12. Assistance with Articles 32 to 36 GDPR

Taking into account the nature of the Processing and the information available to Archolm, Archolm shall provide reasonable assistance to the Customer Clinic in relation to:

(a) Article 32 GDPR, security of Processing;

(b) Articles 33 and 34 GDPR, Personal Data Breach notification and communication;

(c) Article 35 GDPR, data protection impact assessments; and

(d) Article 36 GDPR, prior consultation with a Supervisory Authority.

Such assistance may include providing relevant documentation, information about TOMs, Sub-processor information, incident information and other reasonably available materials.

Assistance beyond standard documentation and reasonable support may be subject to reasonable fees, unless required due to Archolm’s breach of this DPA.


13. Personal Data Breach

13.1 Notification

Archolm shall notify the Customer Clinic without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

As an operational target, Archolm will aim to provide an initial notification within twenty-four (24) hours after becoming aware of such Personal Data Breach.

13.2 Content of notification

The notification shall, to the extent known to Archolm at the time, include:

(a) the nature of the Personal Data Breach;

(b) the categories and approximate number of affected Data Subjects;

(c) the categories and approximate number of affected Personal Data records;

(d) the likely consequences of the Personal Data Breach;

(e) the measures taken or proposed to address the Personal Data Breach; and

(f) measures proposed to mitigate possible adverse effects.

Where it is not possible to provide all information at the same time, Archolm may provide the information in phases without undue further delay.

13.3 Controller responsibility

The Customer Clinic is responsible for determining whether a Personal Data Breach must be notified to a Supervisory Authority or communicated to Data Subjects.

Archolm shall not notify a Supervisory Authority or Data Subjects on behalf of the Customer Clinic unless expressly instructed by the Customer Clinic or required by law.

13.4 Incident-response procedure

Archolm maintains an incident-response and breach-notification procedure covering detection, triage, containment, escalation, evidence preservation, notification support and post-incident review.

13.5 No admission

Notification of a Personal Data Breach shall not be construed as an admission of fault or liability by Archolm.


14. Return and deletion

14.1 Return or deletion at termination

Upon termination or expiry of the Main Agreement, and at the Customer Clinic’s choice, Archolm shall delete or return Customer Personal Data Processed on behalf of the Customer Clinic, unless EU law, Danish law or other Applicable Law requires continued storage.

14.2 Export period

Where the Services provide export functionality, the Customer Clinic shall use such functionality within the export period specified in the Main Agreement or otherwise agreed by the Parties.

If no export period is specified, Archolm shall provide a reasonable period for export before deletion, unless immediate deletion is required by law or requested by the Customer Clinic.

14.3 Retention during the term

During the term, Archolm applies retention limits to relevant categories of Customer Personal Data.

Unless otherwise stated in the Main Agreement, Archolm’s then-current retention configuration is:

Data category | Retention period
Audit logs | 6 years
Support tickets and support messages | 3 years after closure
Contact-form submissions | 12 months, unless converted into an active customer or commercial relationship
Account-deletion request records | 3 years after completion
Operational fleet-alert records | 2 years
Account and profile data | For as long as the account is active, then deleted upon account or clinic deletion subject to legal retention
Mini-Server ML output | Default 12 months locally on the Mini-Server, unless configured otherwise or retained by the Customer Clinic

14.4 Backups and legal retention

Archolm may retain Customer Personal Data in backups until such backups expire in the ordinary course of backup retention.

Archolm may also retain Customer Personal Data where required by law or where necessary for the establishment, exercise or defence of legal claims.

Any retained Customer Personal Data shall remain subject to confidentiality and shall not be actively Processed for other purposes.

14.5 Mini-Server return and secure erasure

Upon termination or expiry, the Mini-Server shall be returned or handled in accordance with the Main Agreement.

Where a Mini-Server is returned to Archolm, Archolm shall apply a secure erasure, re-imaging or decommissioning procedure appropriate to the nature of the data and device, before the device is reused, redeployed or disposed of.

14.6 Confirmation

Upon written request from the Customer Clinic, Archolm shall provide written confirmation of deletion or return of Customer Personal Data, subject to any lawful retention.


15. Audits and demonstration of compliance

15.1 Documentation

Archolm shall make available to the Customer Clinic information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA.

Such information may include this DPA, the TOMs, Sub-processor information, security summaries, incident-response documentation, transfer information and other relevant documentation.

15.2 Audit right

Archolm shall allow for and contribute to audits, including inspections, conducted by the Customer Clinic or an auditor mandated by the Customer Clinic, subject to this Section 15.

15.3 Audit conditions

Audits shall:

(a) be limited to what is necessary to verify compliance with this DPA and Article 28 GDPR;

(b) be requested with at least thirty (30) days’ prior written notice, except where shorter notice is required by a Supervisory Authority or following a confirmed Personal Data Breach affecting the Customer Clinic;

(c) take place during normal business hours;

(d) not unreasonably disrupt Archolm’s operations;

(e) be subject to appropriate confidentiality obligations;

(f) not compromise the security, confidentiality, availability or integrity of the Services;

(g) not require disclosure of source code, trade secrets, detailed vulnerability information, information relating to other customers, or security-sensitive information that could increase risk to the Services; and

(h) be limited to once in any twelve (12) month period, unless required by a Supervisory Authority or following a confirmed Personal Data Breach affecting the Customer Clinic.

15.4 Documentation-based audit

Archolm may satisfy an audit request, in whole or in part, by providing documentation reasonably sufficient to demonstrate compliance, including summaries of TOMs, security testing, Sub-processor documentation, provider certifications, and relevant policies or procedures.

15.5 Audit costs

Each Party shall bear its own costs in connection with an audit, unless otherwise agreed.

If an audit materially exceeds the scope reasonably required under Article 28 GDPR, Archolm may charge reasonable fees for time and resources spent supporting the audit.


16. Controller obligations

16.1 Lawfulness

The Customer Clinic warrants that:

(a) it has a valid legal basis under Article 6 GDPR for all Processing of Customer Personal Data instructed under this DPA;

(b) where special categories of Personal Data are involved, it has a valid condition under Article 9 GDPR;

(c) it has provided all notices and obtained all consents, approvals or authorisations required under Applicable Law;

(d) its instructions to Archolm comply with Applicable Data Protection Law; and

(e) it is entitled to make Customer Personal Data available to Archolm for Processing.

16.2 Customer Clinic systems and users

The Customer Clinic is responsible for:

(a) the accuracy, quality and legality of Customer Personal Data provided to Archolm;

(b) the configuration of its MiriConnect environment;

(c) management of Authorised Users;

(d) ensuring that Authorised Users comply with applicable security requirements;

(e) local device, workstation and network security;

(f) the physical security of the Mini-Server;

(g) operation and maintenance of the MIRI Device; and

(h) handling Medical Data, patient records and clinical records in accordance with Applicable Law.

16.3 No unnecessary sensitive data in support channels

The Customer Clinic shall ensure that Authorised Users do not include unnecessary Medical Data, patient-identifying information or special categories of Personal Data in support tickets, emails, contact forms or free-text fields that are not intended for such information.


17. Distributor and third-party involvement

17.1 Distributor not automatically authorised

Where the Customer Clinic was introduced, onboarded, supported or managed by a distributor, reseller, implementation partner or other third party, such third party is not authorised by this DPA to Process Customer Personal Data on behalf of Archolm or the Customer Clinic unless expressly agreed in writing.

17.2 Separate data documentation

If a distributor or other third party Processes Personal Data on behalf of Archolm or the Customer Clinic, such Processing must be governed by appropriate written data protection documentation.

17.3 Requests received by third parties

Archolm shall use reasonable efforts to require authorised distributors or implementation partners to forward to Archolm or the Customer Clinic any privacy-related request, complaint, inquiry or Personal Data Breach notification they receive in connection with the Services.


18. Liability

18.1 Main Agreement limitation

Each Party’s liability arising out of or relating to this DPA shall be subject to the limitations and exclusions of liability set out in the Main Agreement, except to the extent such limitations or exclusions are not permitted under Applicable Law.

18.2 Article 82 GDPR

Nothing in this DPA limits any liability towards Data Subjects that cannot be limited under Article 82 GDPR or other Applicable Law.

18.3 Allocation between the Parties

As between the Parties, liability shall be allocated taking into account each Party’s responsibility for the event giving rise to the damage, in accordance with Article 82 GDPR and Applicable Law.


19. Changes to this DPA

19.1 Legal changes

If Applicable Data Protection Law, Supervisory Authority guidance, court decisions or changes to the Services require amendment of this DPA, the Parties shall cooperate in good faith to agree appropriate amendments.

19.2 Updates to annexes

Archolm may update the annexes to this DPA to reflect changes in TOMs, Sub-processors, Processing activities, retention periods, infrastructure or transfer mechanisms, provided that such updates comply with this DPA and do not materially reduce the level of protection for Customer Personal Data.

Sub-processor changes are subject to Section 7.


20. Order of precedence

20.1 Relationship with Main Agreement

This DPA forms part of the Main Agreement.

20.2 Conflict

In the event of conflict between this DPA and the Main Agreement regarding the Processing of Customer Personal Data, this DPA shall prevail.

In all other respects, the Main Agreement shall prevail.

20.3 SCC precedence

Where the Standard Contractual Clauses apply to a transfer of Personal Data, the Standard Contractual Clauses shall prevail over any conflicting provision of this DPA to the extent required by Applicable Law.


21. Governing law and jurisdiction

21.1 Governing law

This DPA shall be governed by and construed in accordance with the laws of Denmark, without regard to conflict-of-law rules.

21.2 Jurisdiction

Disputes arising out of or in connection with this DPA shall be subject to the jurisdiction and dispute-resolution provisions of the Main Agreement.

If the Main Agreement contains no such provisions, the Parties submit to the jurisdiction of the Danish courts.


Acceptance

This DPA is accepted electronically. By clicking “Accept” in MiriConnect, an authorised Clinic Administrator confirms, for and on behalf of the Customer Clinic, that:

(a) they have read and understood this DPA;

(b) they are authorised to bind the Customer Clinic to this DPA;

(c) the Customer Clinic accepts and agrees to be bound by this DPA; and

(d) this DPA, in the version identified at the time of acceptance, takes effect between the Parties as of the Effective Date.

Archolm records, as evidence of acceptance, the accepting Clinic Administrator’s identity, the Customer Clinic, the accepted version of this DPA, the content hash of the accepted document, and the acceptance timestamp. A copy of the accepted DPA remains available to the Customer Clinic through MiriConnect and on request to legal@miriconnect.com.

This DPA is made available and maintained by Archolm ApS as part of MiriConnect. No physical signature is required for this DPA to be binding on the Parties.


Annex 1 — Details of Processing

1. Subject matter

The subject matter of the Processing is the Processing of Customer Personal Data necessary for Archolm to provide, operate, maintain, secure and support MiriConnect for the Customer Clinic.

2. Duration

The Processing continues for the duration of the Main Agreement and for any additional period required for lawful retention, export, deletion, audit, backup expiry, dispute handling or legal compliance.

3. Nature of Processing

The Processing may include collection, recording, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure and deletion of Customer Personal Data, to the extent necessary for the purposes described in this Annex.

4. Purposes of Processing

Archolm Processes Customer Personal Data for the following purposes:

(a) creating and managing Customer Clinic user accounts;

(b) authenticating Authorised Users;

(c) enabling and verifying multi-factor authentication;

(d) managing Customer Clinic membership, roles and permissions;

(e) maintaining audit logs of administrative and security-relevant actions;

(f) operating Mini-Server provisioning, heartbeat, update and health-status functionality;

(g) delivering push notifications and email notifications;

(h) providing support and responding to support requests;

(i) maintaining the security, integrity and availability of the Services;

(j) detecting, investigating and mitigating misuse, errors, security incidents and operational issues;

(k) handling account deletion or data subject requests; and

(l) complying with legal obligations applicable to Archolm as Processor.

5. Categories of Data Subjects

Customer Personal Data may relate to:

(a) Authorised Users, including embryologists, clinic administrators, clinic IT staff and other personnel authorised by the Customer Clinic;

(b) Customer Clinic administrators and technical contacts;

(c) billing, commercial and support contacts;

(d) individuals submitting support requests, contact forms or account deletion requests; and

(e) distributor or implementation partner personnel, where such persons interact with the Services or support processes on behalf of the Customer Clinic.

Patients of the Customer Clinic are not intended to be Data Subjects of Customer Personal Data stored in Archolm’s cloud infrastructure. Patient-related Medical Data is addressed in Section 8 of the DPA.

6. Categories of Customer Personal Data

Customer Personal Data may include:

6.1 Account and identity data

Name, display name, email address, user ID, account status, clinic membership, role, permissions, account creation time, last login time and account lifecycle information.

6.2 Authentication and security data

Authentication identifiers, password-related records held by the identity provider, multi-factor authentication status, encrypted TOTP secrets, session-related metadata, refresh-token revocation status, device public keys, device fingerprints and security-relevant identifiers.

6.3 Device and notification data

Device identifiers, platform information, push notification tokens, notification delivery metadata and generic notification payload metadata.

6.4 Audit data

Records of administrative actions, including timestamp, acting user, affected resource, action type, result codes and relevant security or operational metadata.

6.5 Support and communication data

Support tickets, support messages, contact-form submissions, account deletion requests, descriptions of issues, screenshots or attachments submitted by users, correspondence, contact details and related free-text content.

6.6 Operational and telemetry data

Mini-Server hostname, heartbeat status, software version, update status, connectivity status, gateway status, error logs, health metrics, availability state, IP addresses, user-agent strings, rate-limit records and similar technical information.

6.7 Commercial and administrative contact data

Customer Clinic contact names, email addresses, titles, roles and billing or administrative contact information, to the extent Processed on behalf of the Customer Clinic in connection with the Services.

7. Special categories of Personal Data

Archolm does not intend to Process special categories of Personal Data in its cloud infrastructure on behalf of the Customer Clinic as part of the standard operation of MiriConnect.

Medical Data, including patient health data, embryo images, incubator telemetry and embryo developmental-stage analysis results, is processed locally on the MIRI Device and/or Mini-Server and is not stored in Archolm’s cloud infrastructure as part of the standard operation of the Services.

Support tickets and free-text fields are not intended for Medical Data or patient-identifying information. If Authorised Users include such information in free-text support communications, it may be Processed as part of support data.

8. Processing frequency

Processing is continuous for the duration of the Customer Clinic’s use of the Services.

9. Sub-processors

Sub-processors are listed in Annex 3.


Annex 2 — Technical and Organisational Measures

This Annex describes the TOMs implemented by Archolm in relation to the Services as of the Effective Date.

Archolm may update these TOMs from time to time, provided that the overall level of security is not materially reduced.

1. Encryption in transit

External communications with the Services use HTTPS/TLS where technically applicable.

Communication between the Mini-Server and client applications is protected by end-to-end encryption using AES-256-GCM for clinics operating in local-key mode.

Connections from the Mini-Server to the local MIRI Device use encrypted communication, and certificate pinning is used where the relevant MIRI Device certificate has been captured and configured.

2. Encryption at rest

Sensitive Mini-Server configuration values are encrypted at rest using AES-256-GCM with keys derived from device-specific material.

Multi-factor authentication secrets are encrypted before storage in the cloud datastore, with legacy values migrated to encrypted storage on next successful use where applicable.

Cloud-hosted data is protected by provider-managed encryption at rest.

3. Key management

For local-key mode deployments, the end-to-end encryption key is generated on the Mini-Server and is not transmitted to Archolm’s cloud infrastructure.

Key access is restricted in accordance with the principle of least privilege.

Where technically supported, key rotation may be triggered following relevant privilege or account changes.

4. Access control

Access to Customer Personal Data is governed by role-based access control enforced server-side.

Administrative access is restricted to authorised roles.

Protected fields may be written only through trusted server-side functions.

5. Authentication and MFA

Authentication is provided through managed identity services.

Multi-factor authentication using time-based one-time passwords is required for privileged administrative actions and administrative accounts where applicable.

Authentication endpoints are protected by rate limiting and lockout mechanisms.

Sessions and refresh tokens may be revoked on account disablement, deletion or suspected compromise.

6. Network security

Mini-Servers connect to Archolm-operated infrastructure through outbound encrypted connectivity.

The production Mini-Server appliance is intended to expose no inbound ports to the public internet.

Archolm’s relay and hosting infrastructure are protected by conventional cloud network security controls.

7. Mini-Server hardening

Mini-Server services run under constrained service accounts and are intended to operate with least-privilege permissions.

Production Mini-Server appliances are intended to be delivered with interactive remote shell access disabled or removed.

The Mini-Server is designed for unattended operation and controlled update delivery.

8. Software update integrity

Mini-Server updates are cryptographically signed and integrity-checked before installation.

Unsigned or tampered update packages are rejected.

The update system uses health checks and rollback mechanisms designed to restore the last known-good version if an update fails.

9. Logging and monitoring

Security-relevant administrative actions are recorded in audit logs.

Mini-Server heartbeat and operational health data are collected for availability, troubleshooting and security monitoring.

Access to logs is restricted to personnel with a legitimate need.

10. Retention controls

Retention controls are implemented for relevant cloud collections and Mini-Server ML output as described in Section 14 of the DPA.

Where a record lacks a required retention anchor timestamp or where deletion cannot safely be determined, Archolm may retain the record until it can be assessed or lawfully deleted.

11. Backups and resilience

The primary cloud datastore is located in europe-north2 (Stockholm, Sweden — EU/EEA).

Point-in-time recovery and scheduled backups are enabled for the cloud datastore where supported by the provider.

Mini-Server software updates use rollback mechanisms for resilience against failed updates.

No specific recovery time objective or recovery point objective is guaranteed unless expressly agreed in the Main Agreement.

12. Incident response

Archolm maintains an incident-response and breach-notification procedure covering incident triage, escalation, containment, evidence preservation, notification support and post-incident review.

13. Secure development

Archolm applies secure development practices that may include code review, pre-commit secret scanning, security-focused tests, dependency review and documented security assessments.

Archolm does not represent that it performs continuous automated security scanning, formal third-party penetration testing on a fixed schedule, SAST on every change, or maintains any specific security certification unless expressly stated in writing.

14. Personnel controls

Personnel with access to Customer Personal Data, production systems or security-sensitive information are subject to confidentiality obligations.

Access is assigned on a need-to-know basis.

15. Client credential storage

Client applications use platform-appropriate secure storage mechanisms for credentials and sensitive tokens, such as iOS/macOS Keychain, Android Keystore or Windows DPAPI-based storage, where technically applicable.


Annex 3 — Sub-processors and International Transfers

This Annex lists the Sub-processors engaged by Archolm as of the Effective Date.

| # | Sub-processor | Service / role | Personal Data Processed | Processing location | Transfer mechanism |
|---|---|---|---|---|---|
| 1 | Google LLC / Google Ireland Ltd. | Firebase Authentication | Account email, authentication records, MFA-related records and identity data | Google global infrastructure | Google data processing terms and applicable SCCs / transfer mechanisms |
| 2 | Google LLC / Google Ireland Ltd. | Google Cloud Firestore | Account data, clinic data, audit logs, support data, notification tokens and operational metadata; no intended storage of Medical Data | europe-north2 — Stockholm, Sweden, EU/EEA | EU/EEA processing for stored data |
| 3 | Google LLC / Google Ireland Ltd. | Google Cloud Functions | Backend application processing of Customer Personal Data in transit / in process | us-central1 — United States | SCCs or other Chapter V GDPR transfer mechanism |
| 4 | Google LLC / Google Ireland Ltd. | Firebase Cloud Messaging | Device tokens and generic notification payloads; no intended Medical Data | Google global infrastructure | Google data processing terms and applicable SCCs / transfer mechanisms |
| 5 | Apple Inc. | Apple Push Notification service | APNs device token and generic notification payloads; no intended Medical Data | Apple global infrastructure | Apple data processing terms and applicable transfer mechanisms |
| 6 | Hetzner Online GmbH | Hosting of dashboard, update server, relay gateway VPS and DNS | Account/admin data, operational data and encrypted Medical Data in transit only through relay gateway; no intended storage of Medical Data | Germany and Finland, EU/EEA | EU/EEA processing |
| 7 | one.com / One.com Group | SMTP email delivery | Recipient names, email addresses and email body content for transactional and support-related emails | EU/EEA | EU/EEA processing |
| 8 | Google LLC / Google Ireland Ltd. | Google Analytics for Firebase, Android app only | App-usage events and device identifiers | Google global infrastructure | Google data processing terms and applicable SCCs / transfer mechanisms |

Notes

  1. Archolm does not intend to transmit Medical Data to Sub-processors 1–5, 7 or 8.

  2. Hetzner-hosted relay infrastructure may transmit encrypted Medical Data in transit only, without storage.

  3. Use of Customer Clinic data for machine-learning model training is not part of the standard Services and is not covered by this Annex unless separately agreed in writing.

  4. Archolm shall update this Annex in accordance with Section 7 of the DPA where Sub-processors are added or replaced.

  5. The Customer Clinic acknowledges that provider transfer mechanisms may be governed by the relevant provider’s own data processing terms, standard contractual clauses, transfer documentation and region-specific service commitments.


Annex 4 — Standard Contractual Clauses Reference

1. Applicability

Where Customer Personal Data is transferred to a Sub-processor located outside the EU/EEA and no adequacy decision or other valid transfer mechanism applies, the transfer shall be governed by the Standard Contractual Clauses or another lawful transfer mechanism under Chapter V GDPR.

2. Relevant modules

The relevant module of the Standard Contractual Clauses shall be determined by the roles of the Parties and Sub-processors for the relevant transfer.

Where Archolm transfers Customer Personal Data to a Sub-processor outside the EU/EEA, the relevant arrangement will normally be processor-to-processor transfer terms, unless otherwise required by the applicable provider arrangement.

3. Priority

In the event of conflict between this DPA and the Standard Contractual Clauses regarding an international transfer of Customer Personal Data, the Standard Contractual Clauses shall prevail to the extent required by Applicable Law.

4. Supplementary measures

Archolm shall maintain supplementary measures appropriate to the relevant transfer, taking into account the nature of the Personal Data, the processing activity, the recipient, the destination country, the transfer mechanism and the technical and organisational measures applicable to the Services.

Such measures may include encryption in transit, encryption at rest, access control, role-based restrictions, audit logging, minimisation of data in notification payloads, and the architectural separation of Medical Data from Archolm’s cloud infrastructure.


End of MiriConnect Customer Clinic Data Processing Agreement.