Signed business associate agreement

Note:
A subprocessor is a third‑party service provider engaged by a Data Processor (Business Associate) to process Protected Health Information (PHI) on behalf of, and under the instructions of, the Data Controller (Covered Entity). In the context of this Agreement, any cloud, integration, or transformation service that stores, transmits, or otherwise handles PHI under our direction is classified as a subprocessor.
| Service | Role in Our Architecture | Why It Qualifies as a Subprocessor |
| --- | --- | --- |
| Google Cloud Platform (GCP) | Provides managed infrastructure—Cloud Run (application hosting) and Cloud SQL for PostgreSQL (data storage). | Hosts and processes PHI on our behalf, making it a downstream processor of PHI. |
| Fivetran, Inc. | Extracts and loads data from source systems into GCP databases. | Temporarily processes PHI during transit/loading operations under our instructions. |
| dbt Labs, Inc. | Performs data modelling & transformation jobs inside GCP. | Executes transformation queries that touch PHI stored in Cloud SQL, thus pr |

Data Processing Agreement (Subprocessor Exhibit)
Document Title: Subprocessor Data Processing Agreement (DPA) Evidence
Prepared For: HIPAA Compliance & Audit Review
Prepared By: [Your Organization Name] Compliance & Legal Team
Effective Date: [Insert Date]

1. Parties
This Subprocessor Data Processing Agreement ("Agreement") is entered into by and between:
Data Controller / Covered Entity: [Your Organization Name], with principal place of business at [Address].
Data Processor / Business Associate: Google Cloud Platform (GCP), operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Note: GCP is shown here as a representative subprocessor. DPAs with the additional subprocessors Fivetran and dbt Labs have been accepted under identical terms and are referenced in Appendix B.

2. Purpose & Scope of Processing
GCP will process Protected Health Information (PHI) strictly for the purpose of providing managed cloud infrastructure services—including compute (Cloud Run) and managed relational databases (Cloud SQL for PostgreSQL)—to enable the Data Controller’s healthcare application.
Processing activities are limited to storage, retrieval, transmission, and transformation of PHI under the instructions of the Data Controller.

3. Categories of Data & Data Subjects
| Category | Examples |
| --- | --- |
| Patient Identifiers | Name, MRN, email/phone, IP address |
| Clinical Data | Lab results, medication lists, appointment notes |
| Operational Logs | Access logs containing user IDs & timestamps |

Data Subjects: Patients, authorised clinicians, support staff.

4. Legal & Regulatory Framework
Complies with HIPAA (45 CFR Parts 160 & 164) – Privacy, Security & Breach Notification Rules.
Supports GDPR Art. 28 (processor obligations) via Google’s Cloud Data Processing Addendum (CDPA).
Incorporates HITECH and relevant state privacy laws.
5. Technical & Organisational Measures (TOMs)
| Control Area | Measures Implemented by GCP |
| --- | --- |
| Access Control | IAM roles & least‑privilege; MFA for console & API; VPC‑SC for boundary control |
| Encryption | AES‑256 at rest (default); TLS 1.2+ in transit; CMEK supported |
| Network Security | Private Service Connect; firewall rules; DDoS & intrusion protection |
| Monitoring & Logging | Cloud Audit Logs, Cloud Logging, Cloud Monitoring with real‑time alerts |
| Physical Security | Tier III/IV data centres, biometric access, CCTV, 24×7 guards |
| Incident Response | 24×7 SRE & Security teams; documented IRP; breach notice ≤72 hours |
| Business Continuity | Multi‑zone replication, automated backups, point‑in‑time recovery |
| Compliance Audits | SOC 2 Type II, ISO 27001, HITRUST, FedRAMP Moderate |

6. Subprocessor Management
GCP may engage its own subprocessors (e.g., Google Ireland Ltd.). All such entities are bound by written agreements ensuring equivalent protections and are listed at https://cloud.google.com/terms/subprocessors.
The Data Controller retains audit and termination rights per Section 7.

7. Rights & Responsibilities
Assistance with Data Subject Rights – GCP provides tooling (Cloud DLP, Access Transparency) to support access, amendment, and accounting requests.
Breach Notification – GCP will notify the Data Controller without undue delay and, at most, within 72 hours after becoming aware of a breach involving PHI.
Data Return/Deletion – Upon termination, PHI will be exported or securely wiped per NIST SP 800‑88 standards within 60 days.
Audit Rights – The Data Controller may review SOC 2 Type II or equivalent reports and conduct on‑site audits with 30 days’ notice.
8. Term & Termination
This Agreement remains in force for the duration of services provided by GCP. Either party may terminate for material breach with 30 days’ written notice.
9. Signatures
| [Your Organization Name] | Google LLC (GCP) |
| --- | --- |
| Name: ______________________ | Name: ______________________ |
| Title: _____________________ | Title: _____________________ |
| Date: ______________________ | Date: ______________________ |

Appendix A – HIPAA Mapping Matrix
| HIPAA Safeguard | GCP Control Reference |
| --- | --- |
| 164.308(a)(1) Risk Analysis | Google Security & Privacy Whitepaper Section 5 |
| 164.312(a)(2)(iv) Encryption | Encryption at Rest & In Transit Documentation |
| 164.312(b) Audit Controls | Cloud Audit Logs |
| 164.310(a)(1) Facility Access | Data Centre Security Overview |

Appendix B – Additional Subprocessor DPAs
| Subprocessor | Service Provided | DPA / BAA Link |
| --- | --- | --- |
| Fivetran, Inc. | Data extraction & ELT pipelines | |
| dbt Labs, Inc. | Data modelling & transformation | |
| Auth0 (Okta, Inc.) | Authentication & authorization (OAuth 2.0, OpenID Connect) | |

The Data Controller has reviewed and accepted the above agreements (signature records on file).