Capra Health — capra+
Book a demo

Data Processing Agreement

Last updated: June 8, 2026

Overview & Scope

This Data Processing Agreement (“DPA”) describes how Capra Health, Inc. (“Capra Health,” “we,” “us,” or “our”) processes personal data and the commitments we make when doing so. It is intended to support compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data-protection laws. Where a separate, negotiated data-processing agreement is executed with a customer, that agreement governs the processing of data within the capra+ product; this page provides a general description of our approach.

Roles of the Parties

The role we play depends on the data in question:

  • Processor: for personal data that our customers manage within the capra+ product application, the customer is the controller and Capra Health acts as a processor, handling that data on the customer’s documented instructions.
  • Controller: for personal data collected through this marketing website (for example, demo requests and contact inquiries), Capra Health acts as the controller and determines the purposes and means of processing.

Subject Matter & Duration of Processing

The subject matter of processing is the personal data submitted to or generated by the relevant service. As a processor, we process customer data for the duration of the applicable subscription or service relationship and for any limited period thereafter needed to return or delete the data. As a controller for marketing-site data, we process personal data for as long as necessary to fulfil the purpose for which it was collected, subject to applicable retention obligations.

Nature & Purpose of Processing

Processing is carried out to provide, maintain, secure, and improve our services. As a processor, the nature and purpose of processing are limited to delivering the capra+ product functionality on behalf of the customer. As a controller, we process marketing-site data to respond to inquiries, schedule demonstrations, and communicate about our services.

Categories of Data & Data Subjects

The categories of personal data and data subjects depend on the service:

  • Marketing site: contact details such as name, work email, organisation, role, and the contents of any message, relating to prospective customers and website visitors.
  • Product application: data determined and supplied by the customer as controller, which may include information about the customer’s staff and the individuals they serve. The specific categories are defined in the customer’s agreement and instructions.

Sub-processors

We engage carefully vetted third parties to help us deliver our services, and we enter into written contracts that require each sub-processor to provide data-protection commitments consistent with this DPA. We use sub-processors in categories such as:

  • Cloud hosting and infrastructure: Microsoft Azure provides the cloud platform on which our services run.
  • Email delivery: a transactional email provider (such as Microsoft Azure Communication Services) delivers messages generated by our services.

We remain responsible for our sub-processors’ performance of their data-protection obligations. Where required, we will make information about current sub-processors available and provide a mechanism to notify customers of changes.

Data Subject Rights & Assistance

Where we act as a processor, we will provide reasonable assistance to the controller in responding to requests from data subjects exercising their rights under applicable law (such as access, correction, deletion, restriction, portability, and objection), taking into account the nature of the processing. Where we act as a controller, individuals may exercise their rights directly by contacting us.

International Data Transfers

Where personal data is transferred across borders, including to the United States, we put in place appropriate safeguards as required by applicable law, such as Standard Contractual Clauses or other recognised transfer mechanisms, together with supplementary measures where necessary to protect the data.

Security Measures

We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. For a description of these measures, please see our Security page.

Data Breach Notification

We maintain procedures to detect, investigate, and respond to security incidents. In the event of a personal-data breach affecting data we process, we will notify the affected controller without undue delay after becoming aware of it, and provide the information reasonably needed to meet their own notification obligations under applicable law.

Return & Deletion of Data

Upon termination of the relevant service, and at the controller’s choice, we will return or delete the personal data we process on their behalf, unless applicable law requires us to retain it. Deletion is carried out in accordance with our standard data-retention and disposal practices.

Contact

For questions about this Data Processing Agreement or our data-protection practices, please contact us at:

Capra Health, Inc.
Email: info@capra.health