1. Definitions
In this Data Processing Agreement (“DPA”):
- “Controller” means the healthcare provider, clinic, or doctor (“you”) who determines the purposes and means of processing personal data through the ClinicCube platform.
- “Processor” means ClinicCube (“we,” “our,” or “us”), which processes personal data on behalf of the Controller.
- “Data Subject” means the identified or identifiable natural person whose personal data is processed (e.g., a patient).
- “Personal Data” means any information relating to a Data Subject, including health data, contact information, and identifiers.
- “Processing” means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, combination, restriction, erasure, and destruction.
- “Sub-processor” means any third party engaged by ClinicCube to process personal data on behalf of the Controller.
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data, including GDPR, HIPAA, CCPA, and any other relevant legislation.
2. Scope and Purpose
This DPA applies to all personal data that ClinicCube processes on your behalf when you use our healthcare management platform. It supplements our Terms of Service and our Privacy Policy.
We process personal data for the following purposes:
- Providing clinic management and appointment scheduling services
- Maintaining electronic health records and patient profiles
- Facilitating patient-provider communication (chat, notifications, email)
- Processing payments and generating invoices
- Generating analytics and reports for your practice
- Hosting and serving your public clinic website
- Sending appointment reminders and notifications on your behalf
3. Categories of Data Processed
3.1 Patient Data
- Full name, date of birth, gender, and contact information
- Medical history, diagnoses, treatment plans, prescriptions, and vitals
- Appointment history and scheduling data
- Insurance and billing information
- Documents, lab results, and uploaded health records
- Communication records (chat messages, consultation notes)
3.2 Provider and Staff Data
- Professional credentials, licence numbers, and qualifications
- Contact information and biographical details
- Account credentials and activity logs
- Schedule and availability information
4. Obligations of the Processor
ClinicCube, as Processor, shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law
- Ensure that all personnel with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and regular security testing
- Not engage a Sub-processor without prior written authorization from the Controller (general or specific)
- Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law
- Assist the Controller in ensuring compliance with data breach notification obligations
- Delete or return all personal data upon termination of the agreement, at the Controller's choice, unless retention is required by law
- Make available all information necessary to demonstrate compliance and allow for audits
5. Obligations of the Controller
You, as Controller, shall:
- Ensure that you have a lawful basis for processing personal data and that all necessary consents have been obtained from Data Subjects
- Provide clear processing instructions to ClinicCube
- Comply with all applicable data protection legislation in relation to your use of the Service
- Maintain appropriate records of processing activities
- Notify ClinicCube promptly if any processing instructions violate applicable data protection law
6. Sub-processors
ClinicCube uses the following categories of Sub-processors to deliver the Service:
| Sub-processor | Purpose | Location |
|---|
| Cloud Infrastructure Provider | Hosting, data storage, and computing | United States / EU |
| Email Delivery Service | Transactional and notification emails | United States |
| Payment Processor | Payment processing and fraud detection | United States / EU |
| Object Storage Provider | File and document storage | United States |
| CDN Provider | Content delivery and DDoS protection | Global |
We will notify you before adding or replacing Sub-processors. If you object to a new Sub-processor on reasonable data protection grounds, you may terminate the affected service without penalty.
7. Security Measures
ClinicCube implements the following technical and organizational security measures:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access Control: Role-based access control (RBAC), multi-factor authentication, and the principle of least privilege
- Network Security: Firewalls, intrusion detection, DDoS protection, and web application firewalls
- Data Isolation: Multi-tenant architecture with strict logical separation of tenant data
- Monitoring: Continuous security monitoring, audit logging, and anomaly detection
- Incident Response: Documented incident response procedures with defined escalation paths
- Business Continuity: Automated backups, disaster recovery planning, and geographic redundancy
- Employee Security: Background checks, security training, and confidentiality agreements for all staff
8. Data Breach Notification
In the event of a personal data breach, ClinicCube will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide sufficient detail about the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Controller in investigating and remediating the breach
9. Data Subject Rights
ClinicCube will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including the right to:
- Access: Obtain confirmation of whether personal data is being processed and, if so, access to that data
- Rectification: Have inaccurate personal data corrected
- Erasure: Have personal data deleted (“right to be forgotten”), subject to legal retention requirements
- Restriction: Restrict the processing of personal data in certain circumstances
- Portability: Receive personal data in a structured, commonly used, machine-readable format
- Objection: Object to processing based on legitimate interests or direct marketing
Where technically feasible, ClinicCube provides self-service tools within the platform for Controllers to manage Data Subject requests directly.
10. International Data Transfers
If personal data is transferred outside the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, ClinicCube ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Supplementary technical measures such as encryption and pseudonymization
11. Data Retention and Deletion
ClinicCube retains personal data for the duration of the agreement plus any period required by applicable law. Upon termination:
- You may request export of all your data in a machine-readable format within 30 days
- After the export period, all personal data will be securely deleted or anonymized within 90 days
- Data required for legal, regulatory, or compliance purposes may be retained for the minimum period required by law
- Backups containing personal data will be overwritten within the normal backup rotation cycle
12. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify ClinicCube's compliance with this DPA. ClinicCube will:
- Provide requested compliance documentation and certifications
- Permit audits upon reasonable notice, during normal business hours, and at the Controller's expense
- Make available relevant third-party audit reports (e.g., SOC 2 Type II) as an alternative to on-site audits
13. Term and Termination
This DPA takes effect when you start using the ClinicCube Service and remains in force until all personal data has been deleted or returned. The obligations set forth in this DPA survive termination of the underlying agreement to the extent necessary to fulfil their purpose.
14. Governing Law
This DPA shall be governed by the same law that governs our Terms of Service, unless otherwise required by applicable data protection law.
15. Contact Us
For questions about this Data Processing Agreement or to request a signed copy, please contact our Data Protection Officer: