DATA PROCESSING AGREEMENT (DPA)


Last updated: November 2025


Parties

1. Data Controller (“Clinic”, “Controller”)
The medical institution that uses the ClinicsPlus platform and determines the purposes and means of processing patient data.

2. Data Processor (“ApexNova”, “Processor”)
ApexNova Digital LLC
30 N Gould St, STE R
Sheridan, WY 82801
United States
privacy@apexnovadigital.com

ApexNova processes personal data on behalf of the Clinic as described in this Agreement.


1. Definitions

This Agreement follows GDPR terminology:
• “Personal Data” — any information relating to an identified or identifiable natural person.
• “Processing” — any operation performed on personal data (collection, storage, transmission).
• “Controller” — the Clinic determining purposes of processing.
• “Processor” — ApexNova Digital LLC.
• “Sub-processor” — third-party service provider engaged by the Processor.
• “Data Subject” — patients or clinic staff whose data is being processed.


2. Subject of the Agreement

The Processor provides software services (ClinicsPlus), including:
• booking management
• service listings
• schedules
• patient account verification
• notifications
• platform analytics
• hosting

The Processor processes Personal Data strictly on behalf of the Clinic and only according to Clinic instructions.


3. Types of Data Processed

3.1 Patient Data (minimal)

• name
• phone number (OTP verified)
• booked service
• appointment time
• notification preferences

ClinicsPlus does not request medical records, diagnoses, or test results.
If the Clinic enters such data into the system, the Clinic is responsible for compliance.

3.2 Clinic Staff Data

• administrator names
• phone number
• email
• communication IDs (Telegram, WhatsApp)


4. Processor Obligations (ApexNova)

4.1 Process data only under Clinic instructions
Processor will not process data for any purpose other than providing the platform.

4.2 Maintain confidentiality
All persons authorized to process data are bound by strict confidentiality obligations.

4.3 Security measures
Processor must implement:
• encryption in transit and at rest
• secure authentication
• firewalls
• intrusion detection
• role-based access
• regular backups
• physical security of data centers

4.4 Assist the Clinic with compliance
Including:
• responding to data access/deletion requests
• incident notifications
• cooperation with audits

4.5 Notify breaches
In case of a data breach, ApexNova will notify the Clinic without undue delay.

4.6 Delete or return data
Upon request or termination, ApexNova will delete or return patient data unless law requires retention.


5. Controller Obligations (Clinic)

5.1 Ensure legal basis for processing patient data
Clinic is responsible for compliance with:
• local healthcare laws
• GDPR (if applicable)
• data minimization
• lawful, transparent processing

5.2 Provide accurate and lawful data
Clinic must ensure:
• phone numbers, names, and bookings are accurate
• no unnecessary medical data is entered into the system

5.3 Manage patient rights
The Clinic is responsible for:
• responding to patient data requests
• ensuring accuracy
• obtaining consents when required

5.4 Not misuse ClinicsPlus
Misuse includes:
• storing medical records beyond intended scope
• exporting or sharing patient data unlawfully


6. Sub-Processors

ApexNova may use sub-processors, including:
• cloud hosting providers
• SMS gateway providers
• analytics services
• security monitoring tools

A list is available upon request.
Processor ensures sub-processors provide adequate safeguards.

Clinic may object to any sub-processor on reasonable grounds.


7. International Transfers

Because ApexNova is a U.S. company, data may be transferred internationally.

ApexNova uses:
• Standard Contractual Clauses (SCCs)
• encrypted transfer
• vetted third-party providers


8. Data Breach Notification

In case of a breach, ApexNova will:
1. Notify the Clinic without undue delay
2. Provide known details
3. Assist in investigation and mitigation
4. Help fulfill legal obligations (if applicable)


9. Term & Termination

This DPA remains valid as long as the Clinic uses ClinicsPlus.

Upon termination:
• Clinic may request data deletion
• ApexNova will delete or return data within 60 days
• Backups will be deleted according to the retention schedule


10. Liability

Each party is liable for compliance with its own obligations:
• Clinic is fully responsible for medical data, clinical actions, and accuracy of patient information.
• ApexNova is responsible for secure processing and system operation.

ApexNova’s liability is limited as described in ClinicsPlus Terms & Conditions.


11. Governing Law

This Agreement is governed by:

State of Wyoming law, USA
and applicable international data protection frameworks.


12. Contact

For data protection questions:

ApexNova Digital LLC
privacy@apexnovadigital.com
30 N Gould St, STE R
Sheridan, WY 82801
United States