Petra← back to petra
Legal

Data Processing Addendum

Last updated: June 5, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Petra Inc. (“Petra”, “Processor”) and the veterinary clinic identified in the platform account (“Clinic”, “Controller”) for use of the Petra platform described in the Terms of Service. It governs Petra’s processing of personal data on the Clinic’s behalf, including data relating to pet owners and patients the Clinic serves through Petra.

This DPA applies whether the data subjects are located in the United States, the EEA, the UK, Switzerland, or elsewhere. Where the EU GDPR, the UK GDPR, the Swiss FADP, or US state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA) apply, the relevant terms below are read to comply with them.

1. Roles and scope

The Clinic is the controller (or business, under CCPA) of personal data the Clinic enters, uploads, or generates through the platform, including client contact information, patient records, credentials the Clinic issues, and any documents the Clinic uploads. Petra processes this data only on the Clinic’s documented instructions (the use of the platform, plus any specific instructions delivered in writing).

Petra is the controller, separately, for data related to its own relationship with the Clinic (billing, account administration, audit logging required for security). That processing is described in the Privacy Policy, not this DPA.

When an owner uses the Petra intake flow to share data with the Clinic, the owner authorizes Petra to transmit that data to the Clinic. Once the Clinic receives the data and incorporates it into its own records, the Clinic becomes the controller of its copy and Petra processes that copy under this DPA on the Clinic’s instructions. Any copy the owner retains in their Petra account remains the owner’s own data; Petra’s handling of it is governed by the Privacy Policy, not this DPA.

2. Subject-matter, duration, nature, purpose

Subject-matter

Provision of the Petra platform to the Clinic, including credential issuance, patient intake, record storage, and verifier serving.

Duration

For as long as the Clinic uses the platform, plus any post-termination export period described in Section 9.

Nature and purpose

Storage, processing, signing, transmission, OCR-based suggestion extraction, and verification of records and credentials as described in the Terms of Service.

Categories of data subjects

  • The Clinic’s staff (vets, technicians, admins)
  • The Clinic’s clients (pet owners)
  • The Clinic’s patients (animals, not natural persons, but treated as data linked to the owner)
  • Verifiers (anonymous third parties who present a credential for verification)

Categories of personal data

  • Identification and contact data (name, email, phone, address)
  • Professional credentials (license number, USDA accreditation)
  • Pet records and identifiers (microchip, breed, sex, DOB, vaccination history, lab results)
  • Authentication metadata (sign-in time, IP address, session id)
  • Free-text notes the Clinic enters about clients or patients (potentially special-category data under GDPR Art. 9 when the Clinic chooses to record health observations)

3. Petra’s obligations

Petra will:

  • Process personal data only on the Clinic’s documented instructions, including with regard to transfers, unless required to do otherwise by law (in which case Petra will inform the Clinic before processing unless the law forbids that)
  • Ensure persons authorized to process the data are bound by appropriate confidentiality obligations
  • Implement and maintain the technical and organizational measures described in Section 5
  • Use subprocessors only on the terms described in Section 6
  • Assist the Clinic in responding to data-subject rights requests (access, deletion, correction, portability, restriction, objection)
  • Assist the Clinic in fulfilling its security, breach-notification, impact-assessment, and prior-consultation obligations under applicable law
  • At the Clinic’s choice, delete or return the personal data at the end of the relationship
  • Make available to the Clinic the information necessary to demonstrate compliance with this DPA, and allow for audits as described in Section 8

4. Clinic obligations

The Clinic will:

  • Provide accurate, current data and have a lawful basis for the processing carried out through Petra
  • Inform its clients (pet owners) about the use of Petra and obtain any consents required under applicable law
  • Be responsible for the lawfulness of its instructions and for managing data-subject relationships

5. Security

Petra implements and maintains the following technical and organizational measures (the “TOMs”):

  • Encryption. TLS 1.2+ in transit; AES-256 at rest for the production database, file storage, and signing keys
  • Key management. Per-clinic signing keys isolated in AWS KMS; access is gated by IAM and audited
  • Access control. Role-based access on production systems; quarterly access review; MFA required for engineering team sign-in; least-privilege defaults
  • Network security. Production runs in VPC subnets with no public ingress to data planes; egress through audited NAT
  • Logging and monitoring. Audit trails on production systems retained 13 months; alerting on anomalous access patterns
  • Backup and recovery. Encrypted, point-in-time backups retained 30 days; tested recovery procedures
  • Software supply chain. Dependency scanning; peer-reviewed changes; immutable container images
  • Personnel. Background checks for engineers with production access; signed confidentiality agreements; mandatory security training

Petra may update the TOMs over time; updates will not materially reduce the level of security.

6. Subprocessors and network participants

The Clinic provides general authorization for Petra to engage subprocessors. Petra’s current subprocessors are listed in the Privacy Policy (Section 4) and include AWS, Vercel, WorkOS, Amazon SES, and Google Analytics (consented-only). Petra:

  • Imposes data-protection obligations equivalent to those in this DPA on each subprocessor by written contract
  • Remains responsible for the subprocessor’s performance of those obligations
  • Will inform the Clinic of any intended changes to subprocessors at least 30 days in advance, giving the Clinic the opportunity to object for legitimate reasons; if the parties cannot resolve the objection within 30 days, the Clinic may terminate this DPA and the underlying agreement

As described in the Privacy Policy (Section 5) and the Terms of Service (Section 4), the Clinic acknowledges that anonymous credential commitments (cryptographic hashes, never the Clinic’s or its clients’ personal data) may be published to a trust network whose other participants may include credential issuers, registries, and verifiers operated by parties other than Petra. Because these commitments contain no personal data, participants in such a network are not subprocessors with respect to personal data and do not require the Section 6 subprocessor process. If such a network becomes operational, Petra will identify its participants and their roles on the Privacy Policy page and will provide the Clinic with reasonable notice before any configuration change that materially affects Petra’s processing of the Clinic’s data.

7. International transfers

Petra processes data in AWS us-east-1 (Virginia, USA). For transfers from the EEA, the UK, or Switzerland to the US:

  • The parties incorporate the EU Standard Contractual Clauses (Commission Decision 2021/914) as the transfer mechanism, with Petra as “data importer” (Module Two, Controller-to-Processor), and the UK International Data Transfer Addendum where the UK GDPR applies
  • Petra notifies the Clinic of any government request for the Clinic’s data and challenges the request to the extent legally permitted

8. Audits

Petra will make available to the Clinic information necessary to demonstrate compliance with this DPA, including:

  • The list and locations of subprocessors and an overview of the TOMs
  • Reasonable responses to security questionnaires the Clinic may submit (typically once per calendar year)

The Clinic may conduct an audit of Petra’s processing on reasonable advance notice (at least 30 days), no more than once per calendar year except in case of a material security incident, at the Clinic’s expense, conducted by the Clinic or an independent third-party auditor not in competition with Petra and bound by confidentiality obligations.

9. Deletion and return

On termination of the agreement, Petra will, at the Clinic’s choice, delete or return all personal data to the Clinic in a portable machine-readable format within 30 days. Backups containing personal data will be deleted on their normal rotation schedule (within 30 days of the return/deletion request). Credential revocation status remains available through the verifier surface as required to keep the verifiability promise to third parties.

Anonymous credential commitments previously published to the trust network (Section 6 and Privacy Policy Section 5) are not personal data and are not subject to the deletion obligations of this Section. They remain on the network so that credentials issued by the Clinic stay verifiable for the parties who hold them, which is the central point of issuing them through Petra in the first place.

10. Liability

Each party’s liability under this DPA is subject to the limits in the underlying Terms of Service, except that those limits do not apply to a data subject’s rights against either party under applicable data protection law.

11. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails with respect to processing of personal data. If there is a conflict between this DPA and the Standard Contractual Clauses, the SCCs prevail.

12. Contact

Privacy and DPA matters: hello@petraverify.id. We’ll identify a privacy contact in writing on request.