Back to Home

Data Processing Agreement

Last updated: March 9, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Shift Warden LLC d/b/a ClinicWarden ("Data Processor", "we", "us") and the organization using ClinicWarden ("Data Controller", "you", "your").

This DPA applies to the processing of personal data by ClinicWarden on behalf of your organization in connection with the provision of our compliance tracking services.

2. HIPAA-Safe Architecture

ClinicWarden is designed to avoid storing Protected Health Information (PHI). By architecture:

  • No patient names: We store only client identifiers (e.g., "CL-4521"), not patient names or demographic information
  • No clinical content: We store treatment plan dates, statuses, and deadlines — not diagnoses, progress notes, or clinical documentation
  • No PHI in transit: All data transmitted to ClinicWarden should contain identifiers only. Your EHR remains the system of record for all PHI
  • Compliance metadata only: ClinicWarden tracks when things are due, who is responsible, and whether deadlines are met

Important: While ClinicWarden is designed to be HIPAA-safe, it is the responsibility of the Data Controller to ensure that no PHI is entered into the system. ClinicWarden is a compliance tracking tool, not an EHR.

3. Data Categories Processed

Account Data

  • User email addresses and names (for authentication and assignment)
  • Organization name and settings
  • User roles (admin, supervisor, clinician)

Compliance Data

  • Client identifiers (non-PHI identifiers assigned by your organization)
  • Treatment plan deadlines and status
  • Task assignments and completion records
  • Supervisor approval records with timestamps
  • Audit log entries

Technical Data

  • Authentication tokens and session data
  • IP addresses and browser information (for security)
  • Usage analytics (aggregate, anonymized)

4. Data Security Measures

We implement the following technical and organizational measures:

Encryption

  • In transit: All data is encrypted using TLS 1.2+ (HTTPS enforced)
  • At rest: Database encryption via AES-256
  • Passwords: Bcrypt hashing with appropriate cost factor

Access Controls

  • Role-based access control (RBAC) enforced at database level via Row Level Security
  • Multi-tenant data isolation — organizations cannot access each other's data
  • Session management with automatic expiration
  • API key authentication with granular permissions

Infrastructure

  • Hosting: Serverless compute with auto-scaling and DDoS protection
  • Database: Managed PostgreSQL with encryption at rest
  • Region: United States — all data stays in the US
  • Backups: Daily automated database backups with point-in-time recovery

5. Data Retention and Deletion

  • Data is retained for the duration of the subscription
  • Upon account cancellation, data is retained for 30 days, then permanently deleted
  • You may request immediate data deletion by contacting founder@clinicwarden.com
  • You may export all your data at any time using the Reports → Export feature
  • Audit logs are retained for the life of the organization for compliance purposes

6. Sub-processors

We use trusted third-party sub-processors to deliver our services. All sub-processors are contractually obligated to maintain appropriate security protections and are located in the United States.

A detailed list of sub-processors is available upon request. For more information, visit clinicwarden.com/subprocessors or contact founder@clinicwarden.com. Customers who have executed a BAA or DPA will be notified when sub-processors change.

7. Disaster Recovery

  • Backups: Automated daily backups with 30-day retention
  • Point-in-time recovery: Database can be restored to any point within the backup window
  • Infrastructure redundancy: Vercel provides automatic failover across multiple availability zones
  • RTO (Recovery Time Objective): Less than 4 hours for critical service restoration
  • RPO (Recovery Point Objective): Less than 24 hours of data loss in worst case
  • Incident response: Critical incidents are addressed within 1 hour of detection

8. Data Breach Notification

In the event of a data breach affecting your organization's data:

  • We will notify you without unreasonable delay after becoming aware of the breach
  • Notification will include: nature of the breach, categories and volume of data affected, likely consequences, and measures taken
  • We will cooperate with your breach notification obligations

9. Your Rights and Obligations

Your Rights

  • Request access to, correction of, or deletion of your organization's data
  • Export your data at any time via our reporting tools
  • Audit our security practices (with reasonable notice)

Your Obligations

  • Do not enter PHI or patient names into ClinicWarden
  • Maintain appropriate access controls within your organization
  • Notify us immediately of any suspected security incident
  • Ensure your team members are trained on proper data handling

10. Business Associate Agreement (BAA)

If your organization is a HIPAA-covered entity and you require a Business Associate Agreement, we are prepared to execute one. Although ClinicWarden is designed to avoid storing PHI, we understand that some compliance programs require a BAA as part of their vendor management policy.

Our BAA template is available for review at clinicwarden.com/baa. To request an executed BAA, please contact us at founder@clinicwarden.com.

11. Contact

For questions about this DPA or data processing practices:

Email: founder@clinicwarden.com
Company: Shift Warden LLC d/b/a ClinicWarden
Data Protection Contact: founder@clinicwarden.com