Data Processing Agreement

Last updated: January 13, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PatientPulse (Pty) Ltd ("Processor" or "we/us/our") and our customers ("Controller" or "you/your"). This DPA governs our processing of personal data on behalf of our customers in compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) and other applicable data protection laws.

1. Definitions

Personal Data

Any information relating to an identified or identifiable natural person, including but not limited to names, contact details, medical records, and health information.

Processing

Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

Data Subject

The natural person to whom Personal Data relates, typically patients whose information is processed through the PatientPulse platform.

Special Personal Data

Personal data concerning health, religious beliefs, race, ethnic origin, political opinions, or biometric data for unique identification purposes.

2. Scope and Purpose

This DPA applies to all processing of Personal Data by PatientPulse on behalf of the Controller. The purposes of processing include:

  • Providing medical practice management services
  • Maintaining patient records and appointment scheduling
  • Processing billing and payment information
  • Generating reports and analytics
  • Ensuring platform security and compliance
  • Providing customer support services

3. Data Processing Details

3.1 Categories of Data Subjects

  • Patients of the medical practice
  • Healthcare professionals and staff
  • Practice administrators and billing personnel
  • Emergency contacts and family members

3.2 Categories of Personal Data

  • Basic Personal Information: Names, contact details, identification numbers
  • Health Information: Medical history, diagnoses, treatments, medications
  • Financial Information: Payment details, billing information, insurance data
  • Technical Data: IP addresses, login times, usage patterns
  • Special Personal Data: Health-related information, biometric data

3.3 Processing Activities

  • Collection and storage of patient data
  • Data transmission and sharing between authorized users
  • Data backup and recovery
  • Data analysis and reporting
  • Data deletion and anonymization

4. Controller Responsibilities

The Controller agrees to:

  • Obtain all necessary consents and authorizations for data processing
  • Ensure compliance with POPIA and other applicable laws
  • Provide accurate and lawful instructions for data processing
  • Implement appropriate security measures for data access
  • Report any data breaches to the Information Regulator
  • Cooperate with audits and compliance assessments

5. Processor Obligations

PatientPulse agrees to:

  • Process Personal Data only in accordance with documented instructions
  • Implement appropriate technical and organizational security measures
  • Ensure that personnel authorized to process data are bound by confidentiality
  • Assist the Controller in responding to data subject rights requests
  • Notify the Controller of any data breaches without undue delay
  • Cooperate with regulatory audits and inspections
  • Delete or return Personal Data at the end of the service term

6. Security Measures

PatientPulse implements the following security measures to protect Personal Data:

6.1 Technical Measures

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for all user accounts
  • Regular security updates and patch management
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning and penetration testing

6.2 Organizational Measures

  • Background checks for employees with data access
  • Regular security awareness training
  • Access control policies and role-based permissions
  • Incident response and breach notification procedures
  • Regular audits and compliance assessments

6.3 Physical Security

  • Secure data center facilities with 24/7 monitoring
  • Restricted access to server rooms and equipment
  • Environmental controls and backup power systems

7. Data Subject Rights

PatientPulse will assist the Controller in fulfilling data subject rights under POPIA, including:

  • Right to access personal data
  • Right to correction of inaccurate data
  • Right to deletion ("right to be forgotten")
  • Right to object to processing
  • Right to data portability
  • Right to withdraw consent

8. Data Breach Notification

In the event of a data breach, PatientPulse will notify the Controller without undue delay, but no later than 72 hours after becoming aware of the breach. The notification will include details of the breach, potential impact, and mitigation measures taken.

9. International Data Transfers

Personal Data may be transferred to countries outside South Africa. PatientPulse ensures that such transfers comply with POPIA requirements and implements appropriate safeguards, including standard contractual clauses or adequacy decisions.

10. Audit Rights

The Controller may audit PatientPulse's compliance with this DPA. Audits will be conducted no more than once per year, with reasonable notice, and at the Controller's expense unless a breach is discovered.

11. Sub-Processing

PatientPulse may engage sub-processors to assist with data processing. We maintain an up-to-date list of sub-processors, which includes:

  • Cloud hosting providers (AWS, Azure)
  • Payment processors (Stripe, PayFast)
  • Analytics providers (Google Analytics)
  • Customer support platforms (Intercom, Zendesk)

We will notify the Controller of any new sub-processors and provide an opportunity to object.

12. Data Deletion and Return

Upon termination of the Services or at the Controller's request, PatientPulse will delete or return all Personal Data, including backups, within 30 days. We will certify the deletion in writing upon request.

13. Liability and Indemnification

Each party indemnifies the other against losses arising from their breach of this DPA. Liability is limited to the amount specified in the main Terms of Service. PatientPulse's liability for data breaches is capped at twice the annual service fees.

14. Governing Law

This DPA is governed by South African law and the parties submit to the exclusive jurisdiction of the South African courts.

15. Contact Information

For data protection inquiries or to exercise data subject rights:

Data Protection Officer: dpo@patientpulse.co.za

Phone: +27 (21) 123-4567

Address: Cape Town, South Africa

For POPIA-related complaints, contact the Information Regulator: www.justice.gov.za/inforeg/