Data Processing Agreement (DPA)
This agreement details the terms under which Klinio processes digital data on behalf of subscribing clinics.
1. Purpose and Scope
This Data Processing Agreement (“DPA”) applies to the processing of patient personal information and clinical histories entered by the subscribing clinic (the Controller) into the modular workspaces of the Klinio clinic management software. This DPA is incorporated into the Klinio Terms of Service.
2. Processor Roles & Processing Instructions
- Controller: The clinic holds sole authority to collect patient records, manage consent, and issue data requests.
- Processor: Klinio processes database synchronizations, local cache updates, media backups, and AI assistant drafting requests strictly as directed by the clinic.
- Instructions: Klinio will not use, sell, or disclose patient medical data for marketing, product profiling, or third-party usage.
3. Categories of Data
Data categories processed include: Patient contact details, date of birth, medical/treatment plans, odontogram states, body procedure injection logs, session progress summaries, vaccine records, radiology media, invoicing records, and staff access logs.
4. Technical & Organizational Security Measures
The Processor implements and maintains the security protocols detailed in our Security Sheet, including: Row-Level Security (RLS) on cloud database segments, TLS 1.3 in-transit encryption, AES-256 data-at-rest encryption, automated secure database backups, and local-first sandbox architecture.
5. Subprocessors
The Controller authorizes the Processor to engage third-party infrastructure subprocessors to provide core services (database hosting, API endpoints, WhatsApp/SMS routing templates). The Processor ensures that all engaged subprocessors execute data isolation agreements matching these standards.
6. Data Subject Rights & Requests
If a patient submits a request to view, export, correct, or delete their records, Klinio will forward this inquiry to the subscribing clinic. Because Klinio operates local-first, the clinic administrator has direct tools to export or delete patient rows from the local workstation database cache.
7. Breach Notification
In the event of a verified security incident affecting Processor databases or cloud backup segments, Klinio will notify affected clinic administrators without undue delay (within 72 hours of verification) to assist the clinic in meeting their regulatory reporting requirements.
8. International Data Transfers
For cross-border operations, data transfers are covered by Standard Contractual Clauses (SCCs) and regional data isolation measures. The clinic is responsible for verifying that the database region matches its regional legal requirements.
This DPA is a standard SaaS placeholder. Clinic legal departments must review and complete specific data protection parameters based on their localized legal requirements before final deployment.