Data Processing Agreement

Last updated: 2026-04-24

This DPA forms part of the Terms of Service between Carevix ("Processor") and the subscribing clinic ("Controller"). Capitalised terms have the meaning given in applicable data-protection law (DPDP Act 2023 for India, GDPR for EEA customers).

1. Subject matter

Processor will process Personal Data on behalf of Controller to provide the Service, strictly in accordance with Controller's documented instructions.

2. Categories of data and data subjects

  • Data subjects: clinic staff, patients, guardians.
  • Categories: contact information, appointment records, consent status, clinical notes authored in the platform, billing metadata.
  • Special categories: health data, processed for the limited purpose of care coordination.

3. Processor obligations

  • Process Personal Data only on documented instructions.
  • Ensure personnel authorised to process Personal Data are bound by confidentiality.
  • Implement technical and organisational measures: encryption in transit (TLS 1.2+), encryption at rest for database backups, role-based access, audit logging, periodic vulnerability scanning.
  • Assist Controller in fulfilling Data Subject requests.
  • Notify Controller of a Personal Data breach without undue delay and in any case within 72 hours of becoming aware.

4. Sub-processors

Controller authorises Processor to engage the sub-processors listed in the Privacy Policy. Processor will give 30 days' notice of changes. Controller may object on reasonable grounds.

5. International transfers

Where data is transferred outside India / the EEA, Processor will rely on an adequacy decision or on Standard Contractual Clauses as appropriate.

6. Data return & deletion

On termination or on written request, Processor will, within 30 days, return all Personal Data to Controller or delete it, except where retention is required by law.

7. Audits

Controller may, once per year on 30 days' notice, request evidence of Processor's compliance with this DPA (SOC-style report or equivalent summary). On-site audits are by mutual agreement.

8. Liability

Liability under this DPA is subject to the limits in the Terms of Service. Nothing limits a party's liability for infringement of the other party's Personal Data protection rights where such limitation is prohibited by law.

9. Contact

Data Protection Officer: dpo@carevix.in