Residual Data Processing Agreement — Citt.ai

Version: 2.1
Last updated: 2026-04-22

Important. The operative agreement for the four clinical-AI flows in the Citt.ai product — managed patient records and the patient claim journey, patient messaging and AI support, assessments and check-ins, and session recording with transcription and AI-assisted notes — is the Joint Controller Agreement. Those flows are joint controllership arrangements, not processor processing.

This Residual Data Processing Agreement applies only where Citt.ai processes personal data solely on your documented instructions and does not determine essential means (for example a bespoke migration or other narrow technical task where you specify the full processing arrangement). No production flow is classified that way today; this agreement is a binding fallback for any future qualifying engagement. If, in practice, Citt.ai determines essential means (models, vendors, safety architecture, retention architecture, or its own purposes), the Joint Controller Agreement applies instead.

Electronic acceptance in the product records your agreement to this fallback, alongside the Joint Controller Agreement and other legal documents presented at onboarding or on material update.

1. Parties

  • Citt.ai as Processor for the residual scope in clause 2 only.

  • Controller — you, the therapist or clinic, for that residual scope only.

For joint-controllership processing, the Joint Controller Agreement applies exclusively.

2. Purpose and scope

The Processor processes personal data only to deliver the specific documented instructions agreed in writing (including email or ticket) for the residual engagement. If the engagement expands so that Citt.ai exercises essential-means discretion, the parties document that shift and apply the Joint Controller Agreement.

Examples that could fall within this scope, if ever offered: a one-off data import or export that you fully specify; a technical migration executed verbatim to your written runbook.

3. Processor commitments

The Processor will:

  • process personal data only on documented instructions from the Controller, except where EU or UK law requires otherwise;

  • ensure persons authorised to process data are bound by confidentiality;

  • implement appropriate technical and organisational security measures;

  • assist the Controller with data subject requests where reasonable;

  • notify the Controller of personal data breaches without undue delay after becoming aware;

  • delete or return data at the end of the services unless law requires retention;

  • make available information reasonably necessary to demonstrate compliance.

4. Sub-processors

The Controller authorises use of sub-processors listed in the Trust Center unless a separate signed statement lists different vendors for the specific residual project. The Processor imposes data-protection terms on sub-processors and notifies the Controller of material changes where the parties agree notice is required.

5. International transfers

Transfers outside the UK, EEA, or other relevant areas rely on lawful mechanisms (adequacy, standard contractual clauses, UK addenda, or other approved tools) documented for the specific processing.

6. Security

Measures include, where appropriate: encryption in transit and at rest; access control; logging; vendor oversight; and incident response aligned with the Trust Center description.

7. Data subject rights

The Processor assists the Controller with requests, taking into account the nature of the processing. The Controller decides how to respond under applicable law.

8. Breach notification

The Processor notifies the Controller without undue delay after becoming aware of a breach affecting data processed under this Agreement, with reasonable detail to support the Controller’s own notifications.

9. Audit and information

The Processor provides reasonable compliance information (questionnaires, summaries, certifications). Any on-site audit is only as explicitly agreed in writing.

10. Term and deletion

This Agreement lasts for the duration of the qualifying residual processing. On completion, the Processor deletes or returns data per instructions, except where law requires retention.

Annex A — Processing description (complete for each residual project)

The signed or ticketed instruction should specify:

  • Subject matter and duration of the processing.

  • Nature and purpose (for example “one-off export of patient identifiers and session metadata to CSV per Controller runbook dated …”).

  • Categories of data subjects (patients, therapists, staff, etc.).

  • Categories of personal data (identity, contact, health data, etc.).

  • Special-category data involvement and documented basis.

  • Reminder on ongoing flows: managed records, patient AI messaging, assessments, session AI, and related clinical-AI features remain under the Joint Controller Agreement, not this Annex.

Annex B — Security summary

Attach or link the then-current Trust Center summary or a project-specific security appendix if required.

Annex C — Transfer mechanisms

List SCC modules, UK addendum, or other mechanisms relied on for the residual project.

© Citt.ai. All rights reserved.