Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Healthcare with AI and its customers for the provision of the Platform and Services. This DPA is aligned with the GDPR and India's Digital Personal Data Protection Act, 2023.
Last Updated: March 10, 2026
This Data Processing Agreement ("DPA") is entered into between the customer ("Data Controller" or "Controller") and Healthcare with AI ("Data Processor" or "Processor"). This DPA supplements and forms part of the Terms of Service ("Agreement") and applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the Services.
1. Definitions
For the purposes of this DPA, the following definitions apply:
- "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023, and/or the GDPR as applicable
- "Health Data" means Personal Data related to the physical or mental health of an individual, including the provision of healthcare services, which reveals information about their health status
- "Data Controller" (or "Data Fiduciary" under DPDP Act) means the healthcare provider who determines the purposes and means of processing Personal Data
- "Data Processor" (the same term is used under the DPDP Act) means Healthcare with AI, which processes Personal Data on behalf of the Controller
- "Data Subject" (or "Data Principal" under DPDP Act) means the identified or identifiable individual to whom the Personal Data relates -- typically patients
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
2. Scope of Processing
2.1 Subject Matter
The Processor processes Personal Data to provide the Services as described in the Agreement, including electronic medical records, appointment management, patient communication, billing, AI-powered healthcare automation, and ABDM integration.
2.2 Categories of Data Subjects
- Patients of the Controller's healthcare facility
- Healthcare professionals and staff of the Controller
- Authorized users of the Controller's account
2.3 Types of Personal Data
- Patient identity information (name, age, gender, contact details, ABHA ID)
- Health and medical data (medical history, diagnoses, prescriptions, lab results, imaging records)
- Appointment and consultation records
- Billing and payment information
- Communication records (WhatsApp messages, voice call transcripts)
- Staff and practitioner information
2.4 Duration of Processing
Processing shall continue for the duration of the Agreement. Upon termination, the provisions of Section 9 (Term & Termination) apply.
3. Data Processing Obligations
3.1 Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 5
- Assist the Controller in fulfilling data subject rights requests
- Assist the Controller in meeting obligations related to security, breach notification, and data protection impact assessments
- Delete or return all Personal Data upon termination of the Agreement, at the Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA
3.2 Controller Obligations
The Controller shall:
- Ensure a valid legal basis exists for the processing of Personal Data
- Obtain all necessary consents from Data Subjects before entering their data into the Platform
- Comply with all applicable data protection laws in their jurisdiction
- Provide documented instructions to the Processor regarding the processing of Personal Data
- Ensure compliance with ABDM consent frameworks when sharing health records through the ABDM network
4. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall:
- Maintain a list of current sub-processors, available upon request
- Notify the Controller at least 30 days before adding or replacing a sub-processor
- Enter into a written agreement with each sub-processor imposing data protection obligations no less protective than those in this DPA
- Remain fully liable to the Controller for the performance of sub-processor obligations
If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected Services without penalty.
4.1 Current Sub-processor Categories
- Cloud infrastructure providers (data hosting and storage)
- AI/ML service providers (natural language processing, voice AI)
- Communication service providers (WhatsApp Business API, SMS gateways)
- Payment processors (billing and subscription management)
- ABDM gateway services (health record exchange)
5. Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including but not limited to:
5.1 Technical Measures
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls applying the principle of least privilege
- Multi-factor authentication for system access
- Network security controls including firewalls, intrusion detection, and VPN
- Regular vulnerability scanning and penetration testing
- Automated backup and disaster recovery procedures
- Comprehensive logging and monitoring of all data access
5.2 Organizational Measures
- Information security policies and procedures
- Employee security training and awareness programs
- Background checks for personnel handling Personal Data
- Confidentiality agreements for all personnel
- Incident response and breach management procedures
- Regular security assessments and audits
5.3 Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach. The notification shall include the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to address the breach.
6. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection laws, including:
- Right of access to Personal Data
- Right to correction of inaccurate data
- Right to erasure (subject to healthcare record retention requirements)
- Right to data portability
- Right to withdraw consent
- Right to grievance redressal under the DPDP Act
If the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's authorization, unless legally required to do so.
7. Cross-Border Transfers
Personal Data shall be stored and processed within India unless otherwise specified. If any processing requires transfer of Personal Data outside India, the Processor shall:
- Ensure transfers comply with the DPDP Act and any government notifications restricting cross-border transfers
- Implement appropriate safeguards such as Standard Contractual Clauses (SCCs) for transfers subject to GDPR
- Only transfer data to jurisdictions that provide adequate levels of data protection as determined by applicable regulatory authorities
- Notify the Controller before initiating any cross-border transfer and obtain prior consent where required
8. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an independent auditor mandated by the Controller. Specifically:
- The Controller may request an audit with at least 30 days' written notice
- Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations
- The Controller shall bear the cost of audits unless the audit reveals material non-compliance by the Processor
- The Processor may provide SOC 2 reports, ISO 27001 certifications, or third-party audit reports as an alternative to on-site audits, where reasonably sufficient
- Audit frequency shall not exceed once per year, unless triggered by a Personal Data Breach or regulatory requirement
9. Term & Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement:
- The Processor shall, at the Controller's election, delete or return all Personal Data within 30 days and certify such deletion/return in writing
- The Processor may retain Personal Data to the extent required by applicable law, provided such data remains subject to the protections of this DPA
- The Controller shall have 30 days from the effective date of termination to export all data through the Platform's export features
- Obligations related to confidentiality, data protection, and liability shall survive termination of this DPA
Questions
For questions about this DPA or to request a signed copy, please contact:
Data Protection Officer
Healthcare with AI
Email: dpo@healthcarewithai.cloud
Phone: +91 9354248676
New Delhi, India
This Data Processing Agreement was last updated on March 10, 2026. This DPA is incorporated into and forms part of the Terms of Service between Healthcare with AI and its customers.