Therapist Data Processing Agreement

Template — requires legal review before use

This Data Processing Agreement (“DPA”) is entered into between the therapist (“Therapist” or “Data Recipient”) and the Be Candid user (“Client” or “Data Subject”) who has granted portal access, with Be Candid (Be Candid LLC) acting as the technology platform (“Data Processor”).

1. Purpose

This DPA governs the Therapist’s access to and use of Client data made available through the Be Candid Therapist Portal. The purpose of data sharing is to support the therapeutic relationship by providing the Therapist with structured client self-report data between sessions.

2. Data Shared

The Therapist receives read-only access to the following data categories, each independently controlled by the Client through consent toggles:

  • Journal Entries: Client’s written reflections, including freewrite text, guided prompt responses, mood ratings, and tags. Entries are decrypted by the platform and served to the Therapist portal in real time.
  • Mood Timeline: Aggregated mood data from journal entries and check-ins.
  • Focus Streaks: Streak history, milestone achievements, and trust point totals.
  • Conversation Outcomes: Client’s self-ratings and feeling words from accountability conversations.
  • Pattern Analysis: Time clustering, frequency data, and vulnerability window information.

The Therapist does not receive: raw screen activity events, URLs, screenshots, partner information, push notification content, or data from any user other than the consenting Client.

3. Consent and Revocation

Data access is initiated by the Client’s explicit invitation and governed by five independent consent toggles the Client controls at all times. The Client may modify or revoke any consent toggle at any time from their Settings page. Revocation takes effect immediately — the Therapist loses access to the revoked data category on their next portal request.

4. Therapist Obligations

The Therapist agrees to:

  • Access Client data only for the purpose of supporting the therapeutic relationship.
  • Not share, copy, export, print, or transmit Client data to any third party without the Client’s written consent, except as required by law or mandatory reporting obligations.
  • Maintain the confidentiality of portal access credentials.
  • Comply with all applicable professional ethics codes and licensing regulations regarding client data.
  • Notify Be Candid immediately if their portal access credentials are compromised.
  • Delete any locally stored or cached Client data within 30 days of the Client revoking access.

5. Be Candid’s Obligations

Be Candid agrees to:

  • Enforce consent toggles at the API level, serving only data the Client has explicitly consented to share.
  • Encrypt data at rest and in transit using industry-standard methods (AES-256-GCM, TLS 1.2+).
  • Log all Therapist portal access for audit purposes.
  • Not use Client data shared through the Therapist portal for any purpose other than serving it to the authorized Therapist.
  • Promptly revoke Therapist access when the Client requests it.

6. Data Retention

Data is retained per the Client’s retention settings (configurable 30-365 days). Data purged by the Client is no longer available through the Therapist portal. Be Candid does not maintain separate copies of data for the Therapist portal.

7. Mandatory Reporting

Nothing in this DPA limits the Therapist’s obligations under mandatory reporting laws. If the Therapist is required by law to report information obtained through the portal (e.g., imminent danger to self or others, child abuse), they may do so in accordance with their professional and legal obligations.

8. Limitation of Liability

Be Candid provides the Therapist portal as a technology platform. Be Candid is not a party to the therapist-client relationship and bears no liability for clinical decisions made using portal data, the Therapist’s use or misuse of Client data, or any breach of confidentiality by the Therapist.

9. Term and Termination

This DPA is effective upon the Client’s invitation and the Therapist’s acceptance. It terminates when: the Client revokes access, the Therapist’s account is deleted, or the Client’s account is deleted. Upon termination, the Therapist must delete any locally stored Client data within 30 days.

10. Contact

For questions about this DPA: legal@becandid.io