Data Processing Addendum (DPA)
Last updated: December 20, 2025
This Data Processing Addendum (“DPA”) forms part of the Platform Agreement, Order Form, or other written or electronic agreement (the “Agreement”) between Caeli, LLC (“Caeli”) and the entity that is a party to the Agreement (“Customer”).
This DPA reflects the parties’ agreement regarding the Processing of Personal Data in accordance with applicable Data Protection Laws. All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
1. DEFINITIONS
“Customer Data” means Personal Data submitted to, stored in, or processed through the Services by or on behalf of Customer.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed as Customer Data and is subject to applicable Data Protection Laws.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.
“Subprocessor” means any data processor engaged by Caeli to process Personal Data on behalf of Customer.
“Data Protection Laws” means all applicable privacy and data protection laws and regulations, including (where applicable) GDPR, UK GDPR, CCPA/CPRA, and their implementing or successor laws.
2. ROLES OF THE PARTIES
Customer is the Controller (or “Business” under CCPA/CPRA) of Personal Data processed as Customer Data.
Caeli is the Processor (or “Service Provider” under CCPA/CPRA) and processes Personal Data solely on behalf of Customer and in accordance with Customer’s documented instructions as set forth in the Agreement and this DPA.
3. SCOPE AND PURPOSE OF PROCESSING
Caeli shall process Personal Data solely for the purpose of providing, securing, supporting, and improving the Services in accordance with the Agreement, including AI-assisted and automated functionality initiated by Authorized Users.
Caeli shall not sell Personal Data, share Personal Data for cross-context behavioral advertising, or retain, use, or disclose Personal Data for any purpose other than providing the Services, except as permitted by applicable law.
The parties acknowledge that Customer does not provide Personal Data to Caeli in exchange for monetary or other valuable consideration.
4. CUSTOMER INSTRUCTIONS
Customer instructs Caeli to process Personal Data:
- to provide the Services;
- to comply with Customer’s configurations and use of the Services; and
- as otherwise documented in the Agreement.
Customer is responsible for ensuring that its instructions comply with applicable Data Protection Laws.
5. CONFIDENTIALITY AND PERSONNEL
Caeli shall ensure that:
- personnel authorized to process Personal Data are informed of the confidential nature of the data;
- such personnel are subject to confidentiality obligations; and
- access to Personal Data is limited to personnel who require access to perform the Services.
6. SECURITY MEASURES
Caeli shall implement and maintain appropriate administrative, technical, and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.
Such measures are further described in the Security Addendum and are consistent with generally recognized industry standards.
Caeli shall not materially reduce the overall security of the Services during the term of the Agreement.
7. DATA SUBJECT REQUESTS
To the extent Customer is unable to independently address a data subject request (including access, correction, deletion, or restriction), Caeli shall provide commercially reasonable assistance to enable Customer to comply with its obligations under Data Protection Laws, to the extent legally permitted.
8. SUBPROCESSORS
Customer authorizes Caeli to engage Subprocessors to process Personal Data on Customer’s behalf.
Caeli shall:
- maintain a current list of Subprocessors available at Caeli Subprocessor List;
- remain responsible for the acts and omissions of Subprocessors to the same extent Caeli would be liable if performing the services directly under this DPA; and
- impose data protection obligations on Subprocessors that are no less protective than those set forth in this DPA.
Caeli may update its Subprocessor List from time to time. Where required by law, Caeli will provide notice and an opportunity to object in accordance with the Data Processing Addendum procedures.
9. INTERNATIONAL DATA TRANSFERS
Where Personal Data is transferred outside its country of origin, Caeli shall implement appropriate safeguards required under Data Protection Laws, including Standard Contractual Clauses or other approved transfer mechanisms.
10. SECURITY INCIDENTS
Caeli shall notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Personal Data.
Caeli shall take commercially reasonable steps to investigate, mitigate, and remediate the Security Incident and to cooperate with Customer’s compliance obligations under applicable law.
11. RETURN OR DELETION OF DATA
Upon termination or expiration of the Agreement, Caeli shall delete or return Customer Data in accordance with the Agreement and applicable law, unless retention is required by law.
12. HEALTH-RELATED DATA AND HIPAA CONTEXT
The parties acknowledge that the Services are designed to support employee benefit education, facilitation, and administration workflows and are not intended to process medical claims or require submission of medical records.
Customer acknowledges that:
- Caeli does not act as a covered entity or business associate under HIPAA; and
- Caeli does not require or request users to submit protected health information (“PHI”) to the Services.
In limited circumstances, users may voluntarily submit information that could be considered health-related or medical in nature. Customer instructs Caeli to process any such information solely as Customer Data in accordance with this DPA and the Agreement.
Caeli maintains security practices aligned with HIPAA-informed design principles, including encryption, access controls, and audit logging, and is actively pursuing HITRUST certification as its product capabilities expand. Nothing in this DPA shall be construed as a representation that Caeli is currently subject to or regulated by HIPAA.
13. AUDIT AND COMPLIANCE INFORMATION
Upon reasonable written request, Caeli shall make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audits or certifications that Caeli generally makes available to customers.
14. LIMITATION OF LIABILITY
Liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.
15. ORDER OF PRECEDENCE
In the event of a conflict between this DPA and the Agreement, this DPA shall control with respect to data protection matters.
16. CONTACT
Privacy inquiries may be directed to:
privacy@caelibenefits.com
