Data Processing Agreement

1. Parties & Roles

This Data Processing Agreement (“DPA”) is entered into between the clinic identified in the Billing Goat account (the “Custodian”) and Billing Goat (the “Information Manager” or “Service Provider”). It supplements and forms part of the Terms of Service and Privacy Policy, all of which together constitute the complete agreement between the parties. In the event of any conflict, the following order of precedence applies: this DPA, then the Terms of Service, then the Privacy Policy.

For the purposes of the Alberta Health Information Act (“HIA”) and Personal Information Protection Act (“PIPA”), the Custodian is the custodian of the patient information to which the Billing Goat service relates. Billing Goat acts as the Custodian's Information Manager (HIA s. 66) and service provider under PIPA. The Custodian alone determines the purposes for which information is used in Billing Goat; Billing Goat processes information solely on the Custodian's instructions and behalf.

2. Subject to Change; Mandatory Re-acceptance

Billing Goat may modify this DPA at any time and from time to time. The version of the DPA in force is identified by the version tag at the top of this page. Billing Goat will attempt to give reasonable advance notice of material changes to clinic administrators, but is not obligated to do so, and any failure to provide notice does not affect the validity of the revised DPA.

When the version tag changes, each clinic's previously recorded acceptance is superseded. The Custodian's clinic administrator must review and re-accept the current version of the DPA before the Custodian may continue using the Billing Goat service. Billing Goat may, at its sole discretion, suspend access to the service or any part of it until re-acceptance is recorded. No refund, credit, or service-level remedy is owed to the Custodian for any such suspension.

3. Scope of Information

This DPA applies to:

• Encounter Data — de-identified clinical information entered by Custodian users to generate visit notes and billing codes (patient age and gender, clinical findings, billing-relevant details, diagnosis selections, etc.). The Custodian warrants that Encounter Data entered into Billing Goat does not, and shall not, contain direct patient identifiers. If any identifying information is nonetheless entered, this DPA applies to that information for the limited period it is retained; any consequences of such entry are the Custodian's sole responsibility.
• Account Records — the Custodian's clinic name and contact details, each authorized user's email, display initials, role, and subscription billing details.
• Security Logs — authentication events (timestamp, IP address, user agent) used solely for security monitoring.

4. Permitted Use & No Secondary Use

Billing Goat may use Encounter Data solely to provide the service described in the Terms — namely, to generate visit notes and billing output for the Custodian's review. Billing Goat will not use Encounter Data for any other purpose, including (without limitation) selling, renting, advertising, profiling patients, or training artificial-intelligence models. Aggregated, de-identified usage statistics that contain no clinical content may be generated for product improvement and internal analytics.

5. No Third-Party AI Processing

Billing Goat does not transmit Encounter Data to any third-party artificial-intelligence provider as part of the standard charting workflow. Note generation, billing calculation, and live note preview are performed deterministically within the Billing Goat system. Any change to this position requires an amendment to this DPA accepted by the Custodian.

6. Safeguards

Billing Goat maintains the following safeguards on a commercially reasonable, best-efforts basis:

• Administrative — documented access controls; staff access restricted to those with a need to know; confidentiality obligations for personnel with system access.
• Technical — encryption in transit (TLS) and at rest; hosting in Canada on infrastructure (Supabase, ca-central-1) contractually bound to data-protection standards; row-level security to isolate each clinic's data; password-protected user accounts with session management.
• Physical — data-center physical security provided by the Canadian cloud infrastructure provider.
• Operational — automated daily hard-deletion of Encounter Data by a job that runs each day at approximately 2:00 a.m. Mountain Time (see Section 7 for details); security logs retained only for authentication monitoring purposes.

Billing Goat may, at its sole discretion, modify, add, or remove technical and operational safeguards as the product evolves, provided that any such change does not materially reduce the overall protection afforded to Encounter Data.

7. Retention & Deletion

Encounter Data is automatically deleted from Billing Goat's production systems by an automated job that runs each day at approximately 2:00 a.m. Mountain Time. Individual encounters are retained for no more than approximately 24 hours from entry (worst case: an encounter entered shortly after the daily purge persists until the following day's purge). Billing Goat does not retain Encounter Data beyond this window and accepts no obligation to preserve, back up, export, or otherwise make available any Encounter Data beyond the period during which it is present in the service. The Custodian is solely responsible for copying or exporting any output of the service to the Custodian's own records before the daily purge.

Account Records are retained for the duration of the subscription and a reasonable period after cancellation for legal, accounting, and dispute-resolution purposes. On written request following termination, Account Records will be deleted except as required for those purposes.

Security Logs are retained only as needed for authentication monitoring and are not linked to Encounter Data.

DPA Acceptance Records — the version accepted, the date of acceptance, the identity of the accepting administrator, and a hash of the DPA text (see Section 24) — are retained indefinitely as proof of consent. Stripe subscription and payment records are retained by Stripe in accordance with Stripe's policies (typically ten (10) years). Aggregated usage counts (charts created, edited, and copied, summarized by user and day, with no clinical content and no patient information) are retained for billing reconciliation, usage audit, and the Custodian's own staff reporting; these records are designed to contain no patient information and no Encounter Data.

8. Sub-processors

Billing Goat engages the following sub-processors, each contractually bound to protect information they handle on our behalf and to use it only to provide services to Billing Goat:

• Supabase (hosted in Canada, ca-central-1) — authentication and encrypted data storage.
• Stripe — subscription billing and payment processing; receives billing contact and payment details only, never Encounter Data.
• Vercel — application hosting and content delivery.

Cross-border processing. Stripe processes billing contact and payment details from the United States. Vercel's application hosting may cause Encounter Data to transit servers located outside Canada (primarily in the United States) during request handling, although encrypted persistent storage of Encounter Data remains in Canada (Supabase ca-central-1). By accepting this DPA, the Custodian acknowledges and consents to this cross-border processing, and is responsible for making any corresponding disclosures to its patients as required under applicable privacy legislation, including PIPA s. 13.1.

Changes to sub-processors. Billing Goat may add, change, or remove sub-processors from time to time. Where a new sub-processor will handle Encounter Data, Billing Goat will update the list above and give the Custodian at least thirty (30) days' prior notice by email to the clinic administrator or by banner within the application before that sub-processor begins processing Encounter Data. The Custodian's sole remedy for objection is to terminate the subscription before the change takes effect; Billing Goat has no obligation to forgo a sub-processor change to accommodate a single Custodian's objection.

9. Custodian Warranties & Responsibilities

The Custodian warrants and covenants that:

• Each user accessing Billing Goat on the Custodian's behalf is authorized by the Custodian and is trained to enter only de-identified information.
• The Custodian will not enter, and will take commercially reasonable measures to prevent its users from entering, direct or contextual patient identifiers into the service. Direct identifiers include, without limitation, a patient's name, date of birth, home or business address, phone number, email address, Alberta Health number or other health identifier, medical record number, and any free-text combination sufficient to identify an individual patient.
• The Custodian has obtained all consents, notices, and legal authorities required for the Custodian's use of the service, including any consent of patients to the Custodian's use of an external documentation tool, where such consent is required.
• The Custodian will review and verify every generated note and billing output before use; all clinical and billing decisions are the Custodian's alone.
• The Custodian is solely responsible for the accuracy, legality, and compliance of any claim submitted to Alberta Health or any payer based on Billing Goat's output.

10. Confidentiality

Billing Goat will treat all Encounter Data and Account Records as confidential. Personnel and sub-processors with access are bound by written confidentiality obligations. These obligations survive termination of this DPA.

11. Breach Notification

If Billing Goat becomes aware of a confirmed unauthorized access, disclosure, or loss of Encounter Data or Account Records, Billing Goat will notify the affected Custodian's clinic administrator without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident. The notice will describe the nature of the incident, the information involved, steps being taken to mitigate harm, and contact information for further inquiry. Billing Goat will cooperate reasonably with the Custodian's own breach-response obligations under HIA and PIPA. Billing Goat's obligations under this section are limited to notice and reasonable cooperation; all regulatory and patient-facing response obligations remain the Custodian's.

12. Custodian Rights & Patient Access

The Custodian remains solely responsible for responding to patient requests for access, correction, or complaints about patient information. Because Billing Goat does not retain Encounter Data overnight, patient-specific records are not available from Billing Goat after the daily wipe. On reasonable request, Billing Goat will provide the Custodian with such information from Account Records or Security Logs as is necessary to support the Custodian's response to a patient or regulator.

13. Security Inquiries

On reasonable request and no more than once every twelve (12) months, Billing Goat will provide the Custodian with a written summary of its security controls and sub-processor list, and respond to reasonable security questionnaires. Any formal on-site or third-party audit must be arranged separately in a written, signed amendment on mutually agreed terms, subject to a reasonable confidentiality framework, at the Custodian's sole expense, and with a requirement that the auditor not disrupt Billing Goat's operations or other clinics' data. Billing Goat may decline any audit request that it reasonably determines would compromise the security, integrity, or confidentiality of any other clinic's information.

14. Return or Destruction on Termination

On termination of the Custodian's subscription, Encounter Data is already subject to the daily wipe and will no longer be present in Billing Goat systems. Account Records will be retained only as required for legal and accounting purposes and will be deleted on written request following such retention period. Billing Goat is not obligated to provide any export of Encounter Data on or after termination.

15. Restrictions on Billing Goat

Billing Goat will not: (a) disclose Encounter Data or Account Records to any person except as required to provide the service or as required by law; (b) transfer Encounter Data outside Canada for persistent storage during the term of this DPA, it being understood that request handling and payment processing may transit non-Canadian infrastructure as described in Section 8; or (c) use Encounter Data to train artificial-intelligence models, whether Billing Goat's own or a third party's.

16. Compliance with Law

The parties will comply with applicable privacy legislation, including the Alberta Health Information Act and the Personal Information Protection Act. If Billing Goat receives a legal demand (subpoena, court order, regulatory request) for Custodian information, Billing Goat will, where lawful, notify the Custodian before responding and afford a reasonable opportunity for the Custodian to seek a protective order or object, but is not required to contest or resist any such demand.

17. Service “As Is”; No Warranties

The Billing Goat service is provided “AS IS” and “AS AVAILABLE.” To the maximum extent permitted by law, Billing Goat disclaims all warranties, express, implied, or statutory, including without limitation any warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, availability, uninterrupted operation, error-free operation, security, and any warranties arising from a course of dealing, usage, or trade practice. Billing Goat does not warrant that the service will produce correct billing codes, that generated notes will be accepted by Alberta Health or any other payer, or that the service will be available at any particular time. No oral or written information provided by Billing Goat creates a warranty not expressly stated in this DPA.

18. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, BILLING GOAT'S TOTAL AGGREGATE LIABILITY TO THE CUSTODIAN ARISING OUT OF OR IN CONNECTION WITH THIS DPA, THE TERMS, THE PRIVACY POLICY, OR THE BILLING GOAT SERVICE — WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE — IS LIMITED TO THE FEES ACTUALLY PAID BY THE CUSTODIAN TO BILLING GOAT IN THE THREE (3) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, BILLING GOAT IS NOT LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOST PROFITS, LOST REVENUE, LOST OR DENIED CLAIMS, LOST DATA, BUSINESS INTERRUPTION, REGULATORY FINES, OR COSTS OF SUBSTITUTE SERVICES, EVEN IF BILLING GOAT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The limitations in this section apply whether or not any limited remedy fails of its essential purpose and are an essential element of the bargain between the parties.

19. Indemnification by the Custodian

The Custodian shall indemnify, defend, and hold harmless Billing Goat and its officers, directors, employees, contractors, and sub-processors from and against any and all claims, demands, actions, investigations, losses, damages, liabilities, fines, penalties, costs, and expenses (including reasonable legal fees on a full-indemnity basis) arising out of or in connection with: (a) the Custodian's breach of this DPA, the Terms, or the Privacy Policy; (b) the Custodian's entry of patient identifiers or any other information into Billing Goat in violation of this DPA; (c) any billing submission made by the Custodian to Alberta Health or any payer, regardless of whether the submission was based on Billing Goat's output; (d) any claim by a patient, a regulator, or a third party that the Custodian's use of Billing Goat violated applicable law, professional obligations, or the rights of any person; and (e) the Custodian's violation of any applicable law, including HIA and PIPA.

20. Suspension & Termination

Billing Goat may suspend or terminate the Custodian's access to the service at any time, with or without notice, including (without limitation): for non-payment, for suspected breach of this DPA or the Terms, for failure to re-accept an updated DPA, for the protection of other clinics or the integrity of the service, or as required by law. Billing Goat is not liable for any consequences of such suspension or termination, and the Custodian waives any claim for damages or service-level remedies in connection with them.

21. No Service-Level Commitment

No service-level agreement, uptime guarantee, or maintenance window is offered under this DPA or otherwise unless Billing Goat expressly agrees to one in a separate written amendment signed by both parties. Billing Goat may alter, suspend, or discontinue any feature of the service at any time, without notice, and without liability.

22. Governing Law & Venue

This DPA is governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein, without regard to conflict of laws principles. The courts of Alberta have exclusive jurisdiction to resolve any dispute arising out of or in connection with this DPA. The Custodian irrevocably submits to the jurisdiction and venue of those courts and waives any objection based on forum non conveniens.

23. Miscellaneous

Entire agreement. This DPA, together with the Terms and Privacy Policy, is the entire agreement between the parties on its subject matter and supersedes all prior agreements and understandings.

No waiver. No failure or delay by Billing Goat in exercising any right under this DPA is a waiver of that right.

Severability. If any provision of this DPA is held invalid or unenforceable, the remainder remains in full force and effect.

Assignment. The Custodian may not assign this DPA without Billing Goat's prior written consent. Billing Goat may assign this DPA at any time, including in connection with a merger, acquisition, reorganization, or sale of assets, without the Custodian's consent.

Survival. The provisions of sections 9 (Custodian Warranties), 10 (Confidentiality), 15 (Restrictions), 17 (As Is), 18 (Limitation of Liability), 19 (Indemnification), 22 (Governing Law), and this section survive termination or expiration of this DPA.

24. Acceptance

The Custodian's clinic administrator accepts this DPA by clicking “I accept” in the Billing Goat application or by electronically signing a copy of this DPA. The version accepted, the date of acceptance, the identity of the accepting administrator, and a hash of the DPA text are recorded in the Billing Goat system and constitute conclusive evidence of acceptance. Use of the Billing Goat service by any user of the Custodian following such acceptance constitutes the Custodian's continued acceptance of the then-current version of this DPA.

25. Contact

DPA notices and security inquiries can be directed to Billing Goat via the contact page.