Data Processing Agreement for VitalLens API
Last updated: 28 Mar 2026
This Data Processing Agreement ("DPA") is an addendum to the VitalLens API Terms of Service ("API Terms") between you ("Customer" or "Data Controller") and Rouast Labs Pty Ltd ("Rouast Labs", "we", or "Data Processor"). By using the VitalLens API to process personal data of individuals in the European Economic Area (EEA), the UK, or Switzerland, you agree to this DPA.
1. Roles and Scope
1.1 You are the Data Controller. You determine why and how the data is collected from your end-users.
1.2 We are the Data Processor. We only process the data to provide the VitalLens API service as outlined in the API Terms and this DPA.
2. Details of Processing
2.1 Subject Matter: Processing low-resolution video frames to estimate physiological waveforms, and optionally deriving vital sign estimates from those waveforms depending on the integration method.
2.2 Categories of Data: Biometric and health-related data, specifically: video frames of a person's face and upper body (pre-processed to a low resolution), and the resulting estimates.
2.3 Duration and Retention: Processing happens strictly in volatile memory. Input video frames and resulting estimates are deleted immediately after the API returns the result to you. We do not store or retain this data.
3. Your Obligations as the Controller
3.1 You must ensure you have a valid legal basis under the GDPR to process and transfer this data.
3.2 Because the data involves biometrics and health, you warrant that you have obtained explicit, legally valid consent from your end-users before sending their data to the VitalLens API.
3.3 You are responsible for handling any data subject requests (such as requests to delete or access data) from your end-users. Since we do not store the data, we have nothing to delete or provide on our end.
4. International Data Transfers
4.1 The VitalLens API is hosted on Amazon Web Services (AWS) in the United States (Ohio).
4.2 By sending data to the API, you authorize the transfer of this data outside the EEA/UK.
4.3 To ensure this transfer is legal under GDPR, this DPA incorporates by reference the standard contractual clauses (SCCs) adopted by the European Commission. If the SCCs conflict with this DPA, the SCCs prevail.
5. Security
5.1 We implement appropriate technical and organizational measures to ensure data security. This includes enforcing HTTPS/TLS for all data in transit and processing data only in volatile memory so that it is never written to disk.
6. Subprocessors
6.1 You authorize us to use Amazon Web Services (AWS) as our subprocessor to host the API and run the compute processes. We will notify you of any changes to our subprocessors, giving you the opportunity to object.