Legal
Data Processing Agreement
Last reviewed: Pending counsel review.
This document is a starting draft intended to be reviewed and revised by qualified legal counsel before public reliance. Notify us at [email protected] if you're operating in a jurisdiction that needs specific terms.
What this is
This page is a template of the Data Processing Agreement (DPA) that becomes part of every CareHubOS customer contract. It governs the relationship between you (the customer, acting as the data controller) and CareHubOS (acting as the data processor) for personal data processed through the platform on your behalf.
The signed version of this DPA is provided as part of your master subscription agreement. Material differences between this template and the version you sign will only ever be in your favour (additional protections, jurisdiction-specific clauses, etc.); we will not remove rights you would otherwise have.
1. Roles
The customer is the data controller. CareHubOS is the data processor. Where CareHubOS uses sub-processors (see Annex A), those parties act as sub-processors to CareHubOS.
2. Subject matter and duration
CareHubOS processes personal data on behalf of the customer for the duration of the master subscription agreement, plus any data retention period specified by the customer for compliance reasons (typically 7 years for clinical records, longer for some jurisdictions).
3. Categories of personal data
The platform processes the following categories on the customer's behalf:
- Patient demographics: name, MRN, DOB, gender, contact information, identifiers (national ID where applicable).
- Clinical data: visits, SOAP notes, vitals, problems, allergies, medications, lab orders and results, imaging studies and reports.
- Administrative data: appointments, admissions, transfers, discharges, bed assignments.
- Financial data: charges, invoices, payments, insurance claims (including NHIS scheme membership data where applicable).
- Staff data: clinicians, pharmacists, nurses, receptionists, administrators — name, role, contact, branch assignments, audit trail.
4. CareHubOS's obligations
CareHubOS will:
- Process personal data only on the customer's documented instructions, including with regard to transfers across borders.
- Ensure all personnel with access to personal data are bound by confidentiality obligations at least as strict as those in this DPA.
- Implement appropriate technical and organisational measures (see Annex B) to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
- Assist the customer with data-subject requests (access, rectification, erasure, etc.) within the timelines required by applicable law.
- Notify the customer without undue delay (and within 72 hours where required) of any personal-data breach affecting their data.
- Make available to the customer all information necessary to demonstrate compliance with this DPA, including audit rights.
5. Sub-processors
The customer authorises CareHubOS to engage sub-processors for specific service functions (hosting, email delivery, error monitoring). The current list is in Annex A. We will notify customers at least 30 days before adding a new sub-processor; customers may object on reasonable grounds.
6. International transfers
Where personal data is transferred outside the customer's jurisdiction (e.g., to a hosting region in a different country), appropriate safeguards apply — Standard Contractual Clauses, adequacy decisions, or jurisdiction-specific equivalents — as set out in the signed DPA.
7. Return or deletion of data
At the end of the master subscription agreement, CareHubOS will either return all personal data to the customer or delete it (customer's choice, expressed in writing), unless retention is required by law. Backups are deleted within 90 days of contract termination.
Annex A — Sub-processors
The current list of sub-processors:
- {{ Hosting provider }} — primary cloud hosting for product infrastructure (region per customer choice).
- {{ Email delivery provider }} — transactional email (password resets, notifications, demo confirmations).
- {{ Error / observability provider }} — application error reporting and performance monitoring.
The signed DPA carries the live list with names, locations, and the specific data each sub-processor processes.
Annex B — Technical and organisational measures
CareHubOS implements at minimum the following measures:
- Encryption at rest (database, backups) and in transit (TLS 1.3 minimum) for all personal data.
- Branch-scoped access control with the principle of least privilege; permission overrides logged with reason.
- JWT-based authentication with short-lived access tokens and revocable refresh tokens.
- Comprehensive audit logging on every PHI access, dispense override, and administrative action.
- Regular security testing (penetration tests, vulnerability scans) with remediation timelines tied to severity.
- Personnel security: background checks, NDAs, role-based access to production systems, mandatory security training.
- Incident-response plan with defined notification windows and forensic preservation procedures.
Contact
For DPA-specific questions or to start the signing process, email [email protected].
