MAVOMAVO

Data processing agreement (DPA)

Last updated: September 3, 2025

This Data processing agreement (DPA) is an integral part of the MAVO Terms and Conditions and governs the processing of personal data by S.C. MAVO TECH S.R.L. ("Processor" or "MAVO") on behalf of the Veterinary Clinic ("Data Controller" or "Client").

This DPA applies when MAVO acts as a Data Processor under GDPR, processing medical data and other data entered by the Veterinary Clinic into the MAVO Platform.

1. Definitions

  • Data Controller: The Veterinary Clinic that determines the purposes and means of processing personal data.
  • Data Processor: S.C. MAVO TECH S.R.L., which processes personal data on behalf of the Controller.
  • Personal data: Any information relating to an identified or identifiable natural person (pet owners, patient medical data).
  • Processing: Any operation performed on personal data (collection, recording, organization, storage, consultation, use, deletion).

2. Subject matter and duration of processing

  • Subject matter: Processing of personal data necessary for the provision of MAVO Platform services, including storage, management, and organization of medical data, owner data, and other information entered by the Veterinary Clinic.
  • Duration: This DPA remains in effect for the duration of the subscription contract between Client and MAVO, and until complete deletion of data after contract termination.

3. Nature and purposes of processing

  • Types of data processed:
    • Owner identification data (name, surname, phone, email, address, CNP, ID card)
    • Patient medical data (medical records, diagnoses, treatments, appointments)
    • Animal data (name, species, breed, medical history)
    • Financial data (invoices, payments, reports)
  • Categories of data subjects:
    • Pet owners (Clinic clients)
    • Patients (animals) - their medical data
  • Processing purposes:
    • Provision of management services for the Veterinary Clinic
    • Storage and organization of medical data and patient records
    • Management of appointments and communications with owners
    • Generation of reports and analytics for the Veterinary Clinic

4. Processor obligations (MAVO)

  • Processing in accordance with instructions: MAVO will process personal data only in accordance with the Controller's written instructions and only for the purposes specified in this DPA.
  • Confidentiality: MAVO commits to maintaining data confidentiality and not disclosing it to third parties, except as provided in this DPA or required by law.
  • Security: MAVO implements appropriate technical and organizational measures to protect data against unauthorized access, loss, or destruction.
  • Assistance in exercising rights: MAVO will assist the Controller in fulfilling obligations related to exercising data subject rights (access, rectification, erasure, portability).

5. Sub-processors

  • Authorization: MAVO may engage sub-processors (cloud service providers, IT) for data processing, provided they are bound by similar confidentiality and data protection agreements.
  • Notification: MAVO will inform the Controller of any planned changes regarding sub-processors, providing the opportunity to object.
  • Liability: MAVO remains responsible for the actions of its sub-processors.

6. International transfers

  • Location: Data is stored on servers located in the European Economic Area (EEA).
  • Transfer outside EEA: If a transfer to a third country is necessary, it will be carried out only on the basis of adequate guarantees (e.g., Standard Contractual Clauses approved by the European Commission).

7. Security breach notification

  • Notification obligation: MAVO will immediately notify the Controller of any security breach that may affect personal data processed on behalf of the Controller.
  • Information provided: The notification will include details about the nature of the breach, categories of affected data, estimated number of data subjects, and proposed remedial measures.

8. Return or deletion of data

  • Upon Controller request: MAVO will return or delete all personal data upon Controller request, at any time, except where law requires retention.
  • Upon contract termination: After contract termination, MAVO will retain data for a limited period (90 days) to allow export, after which it will irreversibly delete it.

9. Audit and inspections

  • Right to audit: The Controller has the right to request information about security measures implemented by MAVO and, under certain conditions, to conduct audits, provided it does not affect the confidentiality of other clients.
  • Cooperation: MAVO will cooperate with competent supervisory authorities in case of any inspections or investigations related to data processing.

10. Governing law

  • This DPA is governed by Romanian legislation and the General Data Protection Regulation (GDPR).
  • Any modifications to this DPA will be communicated to the Controller in writing and will enter into effect in accordance with contractual provisions.
MAVO - Data Processing Agreement - Veterinary Practice Software