This Data Processing Agreement ("DPA") governs the processing of personal data and protected health information carried out by Azlo, CVR no. 43143778, Sundvej 10, 2. th, DK-8700 Horsens, Denmark, operating the SmokingTracker platform ("the Processor"), on behalf of the Customer ("the Controller") in connection with use of SmokingTracker. The DPA forms an integral part of the Terms of Service and is entered into automatically upon account creation.
As an EU-based company, Azlo is subject to GDPR. For US-based treatment centers subject to HIPAA and 42 CFR Part 2, the Processor operates in the role of a Business Associate with respect to Protected Health Information (PHI). A separate HIPAA Business Associate Agreement (BAA) is available to any clinical account that requires one; contact [email protected] to execute it.
The Processor processes personal data on behalf of the Controller for the purpose of delivering the SmokingTracker platform in accordance with the Terms of Service. The DPA runs concurrently with the underlying service agreement and terminates upon its termination.
Processing consists of hosting, storing, backing up, and providing access to client data for the purpose of supporting substance use disorder treatment, Measurement-Based Care, and clinical follow-up carried out by the Controller's staff.
The Processor processes the following categories of personal data on behalf of the Controller:
Client data constitutes sensitive health information — specifically substance use records subject to heightened protection under HIPAA, 42 CFR Part 2, and GDPR Article 9 (special categories of personal data). The Processor treats all client data accordingly.
Data subjects are clients whom the Controller has invited to use the SmokingTracker platform for substance use disorder tracking and clinical support.
The Processor processes personal data only on documented instructions from the Controller, unless required to do so by applicable law. Instructions are established at the time the Terms of Service are entered into; further written instructions may be issued during the term of the agreement.
The Processor shall promptly inform the Controller if, in its view, an instruction would infringe applicable data protection or health privacy law.
SmokingTracker is built on a Privacy by Design architecture. Clients own their data and control what they share with their clinician through granular, revocable consent toggles. The platform is designed so that:
The Processor implements appropriate technical and organisational security measures, including:
For a full description of security practices, see our Security page.
The Controller grants general authorisation for the Processor to engage sub-processors necessary for platform operation. The Processor currently uses the following categories of sub-processors:
The Processor shall notify the Controller in writing at least 30 days before adding new or replacing existing sub-processors. The Controller may object to a change within the notice period.
All sub-processors are bound by data processing agreements providing at least the same level of data protection as this DPA.
The Processor is headquartered in the EU (Denmark) and is subject to GDPR. Where client data is transferred to or processed by sub-processors outside the EU/EEA, the Processor ensures an appropriate transfer mechanism is in place (such as Standard Contractual Clauses) in accordance with GDPR Chapter V.
For US-based treatment centers, client substance use records processed through SmokingTracker may constitute records subject to 42 CFR Part 2. The Processor acknowledges that such records may not be disclosed without client consent except as permitted by 42 CFR Part 2. The Controller is responsible for ensuring that client invitations and consent flows meet the requirements of applicable federal and state law. The Processor's platform design — specifically the granular client-controlled consent model — is intended to support the Controller's compliance obligations under 42 CFR Part 2.
The Processor makes available all information reasonably necessary to demonstrate compliance with this DPA. The Controller or an authorised auditor may request an audit with reasonable prior written notice. The Processor is entitled to reimbursement of documented costs associated with on-site audits.
The Processor shall notify the Controller of a confirmed personal data breach within 72 hours of becoming aware of it. The notification shall include, to the extent known at the time: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or planned to address the breach.
For US treatment centers, the Controller remains responsible for any breach notification obligations to clients, regulators, or HHS under HIPAA and applicable state law.
Upon termination of the agreement, the Processor deletes all personal data processed on behalf of the Controller within 30 days, unless the Controller has requested a data export before termination takes effect, in which case the export is provided in a machine-readable format before deletion. The Processor issues written confirmation of deletion upon request.
This DPA is governed by Danish law. As an EU-based processor, Azlo is subject to GDPR. Disputes shall be resolved by Copenhagen City Court as the court of first instance.
For US-based treatment centers, the Processor acknowledges applicable US federal and state health privacy requirements, including HIPAA and 42 CFR Part 2, as they apply to the Controller's obligations.
Questions regarding this DPA may be directed to [email protected].