Data Processing Agreement
Version 1.0.0 · Published 2026-05-26
between
Controller: The practice as entered during the online onboarding (the "Controller" within the meaning of Art. 4(7) GDPR)
and
Processor: Mosaic Medical UG (haftungsbeschränkt), Stubbenhof 16, 21147 Hamburg, Germany, represented by Viktor Kessler, operating under the brand "Dermalia" (the "Processor" within the meaning of Art. 4(8) GDPR)
§ 1 Subject and Term
(1) The subject of this agreement is the processing of personal data by the Processor on behalf of the Controller in the context of the service "Dermalia 3D skin report".
(2) The processing comprises retrieving scan raw data from the Controller's Isemeco 3D skin scanner, storing it, transforming it into a visual skin report, and sending the report link to patients by email.
(3) This agreement enters into force upon electronic acceptance during the practice onboarding and applies for the duration of the Controller's use of the service.
§ 2 Nature, Purpose and Scope of Processing
(1) Type of data:
- Facial scan images and 3D geometry from the Isemeco device
- Algorithmic measurements of skin characteristics (wrinkles, pores, pigmentation, redness, hydration proxy)
- Patient first name (optional) and email address (optional)
- Capture date, measurement algorithm version, device serial number
(2) Purpose: Creation and delivery of a visual 3D skin report to the patient and provision of the report in the practice dashboard.
(3) Data subjects: Patients who undergo a 3D skin scan at the Controller's practice.
(4) Scope: Limited to the minimum required dataset. No date of birth, medical history, insurance or billing data is processed.
§ 3 Obligations of the Processor
The Processor undertakes to
(1) process personal data only on the documented instructions of the Controller (Art. 28(3)(a) GDPR);
(2) ensure that persons authorised to process the personal data have committed themselves to confidentiality (Art. 28(3)(b) GDPR);
(3) implement appropriate technical and organisational measures (TOM) pursuant to Art. 32 GDPR, as described in Annex 1;
(4) assist the Controller in fulfilling its obligations under Art. 32 to 36 GDPR (Art. 28(3)(f) GDPR);
(5) support the Controller in responding to data subject requests for access, rectification, erasure, restriction, portability and objection through appropriate technical and organisational measures (Art. 28(3)(e) GDPR);
(6) notify the Controller of any personal data breach without undue delay, at the latest within 24 hours of becoming aware (Art. 33 GDPR);
(7) maintain a written record of all categories of processing activities (Art. 30(2) GDPR);
(8) at the choice of the Controller, delete or return all personal data after the end of the provision of services (Art. 28(3)(g) GDPR).
§ 4 Obligations of the Controller
The Controller remains responsible under the GDPR for the lawfulness of the processing, in particular for
(1) obtaining valid consent from patients or otherwise securing a lawful basis under Art. 6 and 9 GDPR before transmitting the scan to Dermalia;
(2) informing patients pursuant to Art. 13 GDPR about the use of Dermalia as a processor;
(3) issuing written instructions to the Processor for any processing beyond what is contractually agreed.
§ 5 Sub-processors
(1) The Processor may use the following sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Vercel Inc. | USA / EU (FRA1) | Web hosting + serverless compute (EU region Frankfurt) |
| Neon Inc. | EU (eu-central-1, Frankfurt) | PostgreSQL database |
| Resend Inc. | EU region | Transactional email delivery |
| Cloudflare | Global / EU region | DNS + DDoS protection |
| Meiquc / Isemeco | China (data fetched from EU Aliyun region) | Source of scan raw data |
(2) Sub-processing outside the EU/EEA only takes place under the EU Standard Contractual Clauses (2021/914).
(3) The Processor informs the Controller of any intended changes concerning the addition or replacement of sub-processors (Art. 28(2) GDPR).
§ 6 Data Location and Transfer
(1) Patient data and scan raw data are processed and stored in data centres within the EU (primary region: Frankfurt am Main).
(2) Transfers to third countries take place only insofar as required by the architecture of the Isemeco source system (Aliyun, EU region), under appropriate safeguards via the EU Standard Contractual Clauses.
§ 7 Erasure and Retention
(1) Patient reports are retained for 24 months from creation and then automatically deleted, unless the Controller instructs a longer or shorter period in writing.
(2) The Controller may at any time request immediate erasure of individual reports or the entire dataset.
(3) Upon termination of the contract, all data of the Controller will be erased or returned within 30 days of the end of the contract.
§ 8 Audit Rights of the Controller
(1) The Controller has the right to verify compliance with the agreed technical and organisational measures after prior notice.
(2) Upon request, the Processor will provide the Controller with the current TOM documentation and any existing certifications.
§ 9 Liability
(1) For damages caused by the processing of personal data, the parties are liable pursuant to Art. 82 GDPR.
(2) The civil liability of the Processor for contractual and non-contractual claims remains unaffected.
§ 10 Final Provisions
(1) Amendments and supplements to this agreement require text form (including electronic). A new version takes effect through electronic acceptance in the practice dashboard.
(2) If any provision of this agreement is or becomes invalid, this shall not affect the validity of the remaining provisions.
(3) German law applies. Place of jurisdiction is Hamburg.
Annex 1 — Technical and Organisational Measures (TOM)
The applicable TOM are available in their current version at https://dermalia.de/sicherheit/tom and form part of this agreement.