Data Processing Agreement

Last updated: April 17, 2026

Who this applies to

This Data Processing Agreement ("DPA") governs the processing of Personal Data by Wiebe Consulting Inc. on behalf of clients established in the European Union, the European Economic Area, the United Kingdom, or Canada. Contact ben@wiebe-consulting.com to execute a signed DPA including the applicable Standard Contractual Clauses.

Consulting engagements only. This DPA covers Wiebe Consulting's consulting and Sprint services. If you are a subscriber to Clinic OS Pro (our SaaS platform), a separate DPA is available at clinicospro.com/legal/dpa and governs SaaS data processing.

1. Applicability

This DPA supplements the consulting services agreement (the "Agreement") between Wiebe Consulting Inc. ("Processor," "Wiebe," "we") and the client identified in the signed signature page ("Controller," "Client," "you"). It applies when Wiebe processes Personal Data on behalf of Controller and that processing is subject to:

  • Regulation (EU) 2016/679 (the "GDPR");
  • The UK General Data Protection Regulation as incorporated by the Data Protection Act 2018 ("UK GDPR");
  • The Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") and applicable provincial equivalents.

2. Definitions

Terms used but not defined have the meanings given in GDPR Article 4. For convenience:

  • "Controller" means the natural or legal person determining the purposes and means of Processing of Personal Data.
  • "Processor" means the natural or legal person that Processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, consultation, disclosure, and erasure.
  • "Sub-processor" means any Processor engaged by Wiebe to Process Personal Data on behalf of Controller.
  • "Standard Contractual Clauses" or "SCCs" means the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK IDTA" means the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs, as applicable.

3. Roles of the Parties

In relation to Controller's Personal Data, Controller acts as the controller and Wiebe acts as the processor. Each party is responsible for its own compliance with applicable Data Protection Laws.

4. Processing Instructions

Wiebe shall Process Personal Data only on documented instructions from Controller, including with regard to transfers to third countries, unless required to do so by Union, Member State, UK, or Canadian law. The Agreement and this DPA constitute Controller's complete and final instructions to Wiebe at the time of signature. Any additional or alternative instructions must be agreed in writing.

5. Confidentiality

Wiebe shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is granted on a need-to-know basis.

6. Security Measures (GDPR Article 32)

Wiebe shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 where supported by the underlying service).
  • Role-based access controls, unique user IDs, multi-factor authentication, and least-privilege principles.
  • Regular backups and tested restoration procedures.
  • Periodic testing, assessment, and evaluation of the effectiveness of security measures.
  • Workforce training on data protection and security.
  • A documented incident response plan.

7. Sub-processors

Controller provides general authorization for Wiebe to engage Sub-processors subject to the conditions of this Section. Wiebe imposes data protection terms on each Sub-processor that are no less protective than those in this DPA. Wiebe remains liable to Controller for the performance of each Sub-processor.

Current Sub-processors are listed at wiebe-consulting.com/subprocessors and include, without limitation: Zoom (video meetings), Google Workspace (email, docs, calendar), Vercel (hosting), Resend (transactional email), OpenAI and Anthropic (AI tooling, non-PHI only).

Wiebe shall provide at least thirty (30) days' prior notice of any intended additions or replacements of Sub-processors. Controller may object on reasonable data protection grounds within the notice period. If the objection cannot be resolved, Controller may terminate the affected portion of the Agreement without penalty. Such termination shall be Controller's sole and exclusive remedy for objections to a new Sub-processor.

Controller is responsible for ensuring that any Personal Data (including special categories such as health data) it instructs Wiebe to process with AI tooling is lawful and consistent with this DPA. Wiebe will not intentionally use special-category data in AI tools that are not explicitly designated for that purpose in writing.

8. International Data Transfers

8.1 EU and EEA (GDPR)

Where Personal Data is transferred from the EU or EEA to a country not the subject of an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated by reference and shall govern the transfer. Docking clauses, dispute resolution, and governing law provisions are populated in Appendix 2 of the executed DPA.

8.2 United Kingdom (UK GDPR)

For transfers subject to UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (issued by the UK ICO under section 119A of the Data Protection Act 2018) is incorporated and shall govern. Canada is the subject of a UK adequacy regulation, so transfers to Wiebe in Canada do not require the Addendum, but the Addendum applies to any onward transfers to Sub-processors in non-adequate jurisdictions.

8.3 Canada (PIPEDA)

Wiebe is established in Canada and processes Personal Data in compliance with PIPEDA and applicable provincial statutes (Quebec Law 25, Alberta PIPA, British Columbia PIPA). Where Personal Data is transferred to Sub-processors located in other jurisdictions (e.g., the United States), Wiebe relies on contractual safeguards that provide a comparable level of protection, consistent with Principle 4.1.3 of PIPEDA Schedule 1 and OPC guidance on accountability for transferred data.

9. Assistance with Data Subject Rights

Taking into account the nature of the Processing, Wiebe shall assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller's obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws (access, rectification, erasure, restriction, portability, and objection). Wiebe shall provide reasonable assistance within ten (10) business days of a written request from Controller.

10. Data Breach Notification

Wiebe shall notify Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Data Breach affecting Controller's Personal Data. The notification shall include, to the extent known:

  • The nature of the Breach, categories, and approximate number of Data Subjects and records concerned.
  • The likely consequences of the Breach.
  • The measures taken or proposed to address the Breach and mitigate its possible adverse effects.
  • Contact details of the Wiebe point of contact handling the incident.

Wiebe shall reasonably cooperate with Controller's investigation and any required notification to supervisory authorities and Data Subjects.

11. Audits

Wiebe shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA. Controller may, on thirty (30) days' prior written notice and no more than once per calendar year (except where required by a supervisory authority or following a Personal Data Breach), conduct an audit either directly or through an independent third-party auditor bound by confidentiality. Audits shall be conducted during business hours and shall not unreasonably interfere with Wiebe's operations. Controller bears its own audit costs.

12. Deletion or Return of Personal Data

On termination of the Agreement or earlier at Controller's written request, Wiebe shall, at Controller's choice, return or delete all Personal Data Processed on behalf of Controller, and delete existing copies, within ninety (90) days, unless retention is required by Union, Member State, UK, or Canadian law. Wiebe shall provide written certification of deletion on request.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement and the Wiebe Terms of Service. Any reference to "liability" in those documents, whether denominated "aggregate" or not, includes liability under this DPA. Nothing in this DPA (including the SCCs and any UK Addendum) is intended to increase either party's liability beyond the limits set out in the Agreement and Wiebe Terms of Service, except to the minimum extent required by applicable law.

14. Governing Law

This DPA shall be governed by the laws of Canada, except that the SCCs and any UK Addendum shall be governed by their respective mandated governing laws. Nothing in this clause shall affect the rights of Data Subjects or supervisory authorities under applicable Data Protection Laws.

15. Order of Precedence

In the event of a conflict between (a) the SCCs or UK Addendum, (b) this DPA, and (c) the Agreement, the order of precedence shall be (a), then (b), then (c).

Appendix 1 — Description of Processing

Subject Matter and Duration

Subject matter: Provision of revenue, retention, operations, and marketing consulting services to physical therapy clinics. Duration: The term of the Agreement plus any post-termination period required for return or deletion of Personal Data.

Nature and Purpose of Processing

Nature: consultation, analysis, benchmarking, marketing copy review, SOP drafting, reporting, and meeting facilitation. Purpose: to help Controller grow revenue and retention in its clinic(s).

Categories of Data Subjects

  • Controller's personnel and contractors (e.g., clinic owner, front desk, PTs).
  • Controller's patients and prospective patients (where de-identified or where a BAA is in place).

Categories of Personal Data

  • Contact data: name, email, phone, business address.
  • Business data: role, revenue figures, clinic performance metrics.
  • Communications: meeting recordings, transcripts, emails, chat messages.
  • Patient data: only where a separate Business Associate Agreement has been executed and only to the minimum extent necessary.

Special Categories of Data

Health data (special category data under GDPR Article 9) may be Processed only where (a) Controller has provided a valid legal basis under applicable Data Protection Laws and documented instructions in writing, and (b) for US HIPAA-covered clients, where a separate Business Associate Agreement (BAA) is in place. No other special categories of data are Processed by Wiebe without specific written instructions.

Retention

Personal Data is retained for the duration of the Agreement plus up to twelve (12) months for record-keeping, after which it is deleted or returned per Section 12. Financial records required by tax or regulatory authorities may be retained for longer periods as required by law.

Contact

Wiebe Consulting Inc.
Attn: Ben Wiebe
Email: ben@wiebe-consulting.com

For the Clinic OS Pro SaaS platform, a separate DPA is available at clinicospro.com/legal/dpa.