You are the controller.
Loki is the processor.
Both sides on the same record, by contract.

Controller: the veterinary clinic or partner organisation that uses the Loki vet surface to ingest and process pet records.

Processor: wait, what. — Tobias Temmen, Zürich, operator of Loki (see the Imprint for full entity details).

The caregiver remains the controller of the pet records they author in their own account. When a caregiver grants a vet read or write access, the vet becomes a co-controller for the data they receive, scoped to the consent grant.

This DPA covers all processing of personal data carried out by Loki on behalf of the Controller in connection with the vet surface, the PMS-integration endpoints (Provet, VetXML, CSV), and the SOAP-generation service powered by KAI.

The DPA is in force for as long as Loki provides services to the Controller and survives termination to the extent necessary to satisfy retention obligations under the Privacy policy.

Categories of data subjects:

• Caregivers (pet owners and household co-caregivers)
• Pet patients (animals — out of GDPR scope but in scope of caregiver data)
• Veterinary staff (the Controller’s own users)

Categories of personal data:

• Contact identifiers (caregiver email, vet staff email)
• Pet record content (clinical notes, medications, attachments)
• Consent and audit data (who shared what with whom, when)
• Operational logs (request IPs, user agents, session timestamps)

Loki, as processor, undertakes to:

• Process personal data only on documented instructions from the Controller, including for transfers outside the EU/EEA (no such transfers occur today — see Section 8).
• Ensure persons authorised to process the data are bound by confidentiality.
• Implement the technical and organisational measures set out in /security: row-level security on every read, AES-256 at rest, TLS 1.3 in transit, audit log on consent changes.
• Engage subprocessors only with prior general authorisation (the list is on /security) and notify the Controller at least 14 days in advance of adding a new one. Controller may object.
• Assist the Controller in responding to data-subject requests (access, rectification, deletion, portability, restriction, objection) within 14 days.
• Notify the Controller of a personal-data breach without undue delay and within 72 hours of becoming aware, with sufficient information for the Controller to meet its own notification obligations.
• Assist the Controller with data-protection impact assessments and prior consultations with supervisory authorities where required.
• At the choice of the Controller, delete or return all personal data after the end of the services, and delete existing copies unless legally required to retain them (e.g. retention of audit logs under revDPA Art. 12).
• Make available all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits, including inspections, by the Controller or another auditor mandated by the Controller. Reasonable advance notice and confidentiality apply.

The Controller authorises Loki to engage the subprocessors listed at /security for the purposes stated there. Loki ensures each subprocessor is bound by data-protection obligations no less protective than those set out in this DPA.

Loki publishes any change to the subprocessor list on the same page and notifies registered Controllers by email at least 14 days before the change takes effect.

Loki maintains the security controls described in /security:

• Postgres row-level security policies refuse any read without a matching consent row or owner.
• Encryption at rest (AES-256) for the primary database and file storage; encryption in transit (TLS 1.3) for every request between the user and the service.
• Service-role keys never reach the browser; sensitive operations run on the server only.
• Audit log on every consent change, immutable append-only.
• No third-party analytics or session-replay on signed-in surfaces.
• Magic-link authentication; password storage is not applicable (no passwords used).
• Rate-limiting and abuse detection at the API edge.

Loki keeps personal data in the European Union by default (Supabase Frankfurt). The AI-triage feature, when enabled by the caregiver, may invoke a model hosted by Anthropic. As of the date of this DPA, Anthropic offers EU data-plane access under Standard Contractual Clauses (SCCs); for any transfer of data outside the EU/EEA, the SCCs (Module 3: processor-to-processor) apply between Loki and Anthropic and are passed through to the Controller on request.

Each party is liable for damages caused by its own non-compliance with this DPA and the applicable data-protection law. The general liability limits in the Loki Terms of use § 06 apply between Loki and the Controller. Both sides are jointly and severally liable to the data subject for the entire damage in cases where it is determined under GDPR Art. 82 that they are responsible.

This DPA is governed by Swiss law. The courts of Zürich, Switzerland, have exclusive jurisdiction, subject to any mandatory rules of the Controller’s country of establishment.

If you are a clinic or partner organisation that needs a signed DPA, contact hello@loki.vet with your legal entity name, address, and the categories of data you expect to process. We generate a per-clinic PDF from this template with the parties and scope appendix filled in, then sign electronically through a Swiss e-signature provider.