Data Processing Agreement (Annex — Article 28 GDPR)
> DRAFT — pending legal review. This document is a draft. It does not apply and must not be published or signed until reviewed and confirmed by qualified Croatian legal counsel and until all items marked [PLACEHOLDER] are completed. > > Courtesy translation. The Croatian version is the sole binding version; this English translation is provided for convenience only.
1. Parties and status of this document
1.1. This Data Processing Agreement (the "DPA") forms an integral part of, and an annex to, the Clinic Subscription Terms (the "Main Agreement") and is entered into between:
- The Controller: the healthcare institution, company, or private practice that has entered into the Main Agreement (the "Clinic"), and
- The Processor: [ legal entity name and form], with its registered seat at [ registered address], registered with [ court of registration and MBS number], OIB (personal identification number): [ OIB], represented by [ representative name] ("MEDKIT"), the operator of the platform available at medkit.ltd (the "Platform").
1.2. MEDKIT's contact for data protection matters: privacy@medkit.ltd. Data Protection Officer (if appointed): [ DPO name and contact, if appointed].
1.3. By concluding or accepting the Main Agreement, the Clinic also accepts this DPA. In the event of a conflict between this DPA and the Main Agreement, this DPA prevails in matters of personal data protection.
2. Definitions
2.1. The terms "personal data", "processing", "controller", "processor", "data subject", "personal data breach", "special categories of personal data" and "supervisory authority" have the meanings given in Regulation (EU) 2016/679 (the General Data Protection Regulation; the "GDPR").
2.2. "Subprocessor" means another processor engaged by MEDKIT to carry out specific processing activities on behalf of the Clinic.
2.3. The supervisory authority in the Republic of Croatia is the Croatian Personal Data Protection Agency (AZOP), www.azop.hr.
3. Roles of the parties and scope
3.1. MEDKIT as processor — the subject of this DPA. For the Platform's agenda and patient-records module — that is, for the personal data that the Clinic and its authorised staff enter, view, and process within the Clinic's account (the Clinic's patient list; appointments, including bookings entered manually or by phone by staff; appointment confirmations and no-show flags; the Clinic's waitlist — whereby the public sign-up of patients to the waitlist through the public form is governed by Section 3.2; the internal staff duty roster) — the Clinic is the controller and MEDKIT processes those data exclusively as a processor within the meaning of Article 28 GDPR. This DPA governs that processing only.
3.2. Public booking flow (marketplace). For the public booking process on the Platform — the collection of data through the public forms designed by MEDKIT (the appointment booking form and the waitlist sign-up form), the transmission of the booking or sign-up to the Clinic, and the sending of transactional emails to the patient (appointment confirmation with a cancellation link; waitlist notification that a slot has become available) — MEDKIT and the Clinic act as separate (independent) controllers, each for its own purposes. Platform security and the Platform's security and audit records (audit log) are MEDKIT's own responsibility as controller under Section 3.3. The allocation of responsibilities for that part is governed by the data-protection roles clause in the Main Agreement. That clause is drafted so that, should a competent authority or the parties conclude that the shared booking transaction constitutes joint controllership, it serves as the arrangement under Article 26 GDPR, the essence of which is made available to data subjects through the Platform's Privacy Notice.
3.3. MEDKIT's sole controllership (outside this DPA). For the public directory of healthcare providers (including unclaimed listings originating from the public registry), claim and removal requests concerning directory listings, Platform-level staff user accounts (authentication), and the Platform's security and audit records, MEDKIT is the sole controller. That processing is not the subject of this DPA and is described in the Platform's Privacy Notice.
4. Subject matter, nature, purpose, and duration of processing
4.1. Subject matter: hosting and operating the Platform's agenda and patient-records module for the Clinic.
4.2. Nature of processing: storage, structuring, retrieval, consultation, use, alteration, restriction, and erasure of personal data in the Platform's information system, in accordance with the actions that the Clinic's authorised staff perform through the Platform's functionality.
4.3. Purpose: to enable the Clinic to manage its appointment schedule and the related patient records (booking, confirming and cancelling appointments, recording no-shows, managing the waitlist, and internal organisation of staff duty shifts).
4.4. Duration: for the term of the Main Agreement and, after its termination, until the return or deletion of data is completed in accordance with Section 11 of this DPA.
5. Types of personal data and categories of data subjects
5.1. Categories of data subjects: (a) the Clinic's patients, including persons on the Clinic's waitlist; (b) the Clinic's staff (team members with access to the Platform, to the extent their data appears in agenda records).
5.2. Types of patient personal data: full name; email address; phone number (if entered — not a mandatory field); communication language; appointment data (date and time, location/practice, selected healthcare practitioner, appointment type, appointment status — including cancelled and no-show — and booking source); free-text reason for visit (if entered — an optional field); the record of acceptance of the booking terms at online booking (a single consent entry, tagged with the version of the accepted terms; the Platform does not maintain granular per-purpose consent records); waitlist entries (name and email address).
5.3. Special categories of personal data (data concerning health). The fact of an appointment with a named healthcare practitioner of a given specialty, and the optional reason for visit, may reveal data concerning health within the meaning of Article 4(15) and Article 9 GDPR. The parties acknowledge that processing within the agenda module includes health data. The Clinic, as a healthcare provider bound by professional secrecy, warrants that it has a valid legal basis for that processing, including the basis under Article 9(2)(h) in conjunction with Article 9(3) GDPR and applicable Croatian healthcare law; MEDKIT processes those data exclusively on the Clinic's instructions.
5.4. Types of Clinic staff personal data: duty roster entries (practitioner, shift times, note). Appointment records do not record which staff member entered, confirmed, or cancelled a given appointment; only the booking source (online / manual / phone) is recorded with the appointment. Separately, the Platform's security audit log, which MEDKIT maintains as an independent controller (Section 3.3), records the acting user account for those actions where such logging is implemented.
5.5. The Platform does not maintain medical records or patient health files; only the booking-related data listed above are processed.
6. MEDKIT's obligations as processor
6.1. Documented instructions. MEDKIT processes the personal data referred to in Section 5 only on documented instructions from the Clinic, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Croatian law to which MEDKIT is subject; in that case, MEDKIT informs the Clinic of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Main Agreement, this DPA, and the actions performed by the Clinic's authorised staff through the Platform's functionality constitute documented instructions.
6.2. Unlawful instructions. MEDKIT immediately informs the Clinic if, in its opinion, an instruction infringes the GDPR or other Union or Croatian data protection provisions.
6.3. Confidentiality. MEDKIT ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The parties acknowledge that MEDKIT's personnel are not bound by medical professional secrecy within the meaning of healthcare legislation; the confidentiality obligation of MEDKIT's personnel is contractual in nature.
6.4. Access limitation. Access to the Clinic's data is restricted by the technical measures in Section 7 (database-level isolation of data between clinics) and by the principle of least privilege.
7. Security measures (Article 32 GDPR)
7.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of data subjects, MEDKIT implements the following technical and organisational measures, which reflect the actually implemented state of the Platform:
- storage of all production personal data in the European Union: Supabase database (PostgreSQL) on AWS infrastructure in region eu-west-1 (Ireland);
- encryption in transit: TLS (HTTPS) across the entire Platform, with HSTS;
- encryption at rest: the standard infrastructure encryption of the service provider (AWS/Supabase);
- isolation of data between clinics (multi-tenant): Row Level Security (RLS) enabled and forcibly applied (FORCE) on all database tables, with per-clinic isolation and automated isolation tests;
- database-level integrity: constraints preventing double-booking of the same slot and triggers preventing one clinic's data from being written into another clinic's records;
- role-based access control for Clinic staff (administrator, reception, practitioner) on a least-privilege basis;
- patient access without user accounts, exclusively via unguessable capability tokens delivered by email, with a Referrer-Policy protecting tokens from leaking to third parties;
- isolation of server credentials: the privileged service key is available exclusively to the server environment, with a programmatic guard against use in the browser;
- an audit log of booking and administrative actions (actor, action, entity, time);
- strict security HTTP headers and a Content-Security-Policy that prevents loading of third-party scripts;
- secrets (access keys and similar) are kept out of the source code, in protected environment variables.
7.2. MEDKIT may change and improve the measures in Section 7.1, provided the overall level of security is not thereby reduced.
7.3. Statement of current state. The list in Section 7.1 reflects the measures actually implemented as at the date of this draft. Formalised backup and disaster-recovery procedures, independent penetration testing, and documented organisational measures (e.g. an access-management policy, a staff training programme) are not separately documented as at the date of this draft and must be established or documented before this DPA is signed.
8. Subprocessors
8.1. General authorisation. The Clinic gives a general written authorisation for the engagement of subprocessors. The subprocessors engaged as at the date of this document are:
| Subprocessor | Service | Processing location | Third-country transfer note |
|---|---|---|---|
| Supabase, Inc. (USA) | database and authentication (storage of all Platform data) | AWS, region eu-west-1 (Ireland, EU) | storage in the EU; US-headquartered company — the transfer mechanism (DPF/Standard Contractual Clauses) must be confirmed by legal counsel |
| Vercel, Inc. (USA) | web hosting, CDN, DNS, and serverless functions | serverless functions in EU region fra1 (Frankfurt, Germany); CDN/edge network global | US-headquartered company, global CDN/edge network — see Section 10; the transfer mechanism must be confirmed by legal counsel |
| Resend (transactional email; sending from AWS region eu-west-1) | sending of transactional email (appointment confirmations with a calendar file and a cancellation link; waitlist notifications; messages contain the patient's name and appointment details) | sending region eu-west-1 (EU) | [ confirm Resend legal entity, corporate seat, and transfer mechanism] — the transfer mechanism must be confirmed by legal counsel |
8.2. Change notice and right to object. MEDKIT notifies the Clinic of any intended change (addition or replacement) of subprocessors at least [ subprocessor change notice period, e.g. 30 days] in advance, in writing (including by email to the Clinic administrator's address). The Clinic may raise a reasoned objection within that period. If the parties cannot resolve the objection in good faith, the Clinic may terminate the Main Agreement with respect to the service affected by the change, without an early-termination charge for that part.
8.3. Flow-down of obligations. MEDKIT imposes on each subprocessor, by contract, data protection obligations that are in substance the same as those in this DPA, in particular the provision of sufficient guarantees to implement appropriate technical and organisational measures. Where a subprocessor fails to fulfil its data protection obligations, MEDKIT remains fully liable to the Clinic for the performance of those obligations.
9. Assistance to the Clinic and personal data breaches
9.1. Assistance with data subject requests. Taking into account the nature of the processing, MEDKIT assists the Clinic by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Clinic's obligation to respond to requests for exercising data subject rights under Chapter III GDPR (Articles 12–23). The parties acknowledge that, as at the date of this draft, the Platform does not include self-service tools for exporting, rectifying, or erasing individual patient records; until such tools are established, MEDKIT provides this assistance manually, upon the Clinic's request sent to privacy@medkit.ltd, within a timeframe that reasonably enables the Clinic to comply with statutory deadlines.
9.2. Forwarding of direct requests. If a data subject contacts MEDKIT directly in connection with the processing under Section 3.1, MEDKIT forwards the request to the Clinic without undue delay and does not respond on the merits without the Clinic's instruction, unless required to do so under Union or Croatian law.
9.3. Assistance with Articles 32–36. MEDKIT assists the Clinic in ensuring compliance with the obligations under Articles 32–36 GDPR (security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to MEDKIT.
9.4. Personal data breach. MEDKIT notifies the Clinic without undue delay after becoming aware of a personal data breach concerning the data referred to in Section 5. The notification includes, to the extent the information is available: a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), the likely consequences, the measures taken or proposed, and a contact point for further information; the information may be provided in phases. For the processing under Section 3.1, the decision on notifying the supervisory authority (AZOP) or the data subjects rests with the Clinic as controller.
10. Transfers to third countries (Chapter V GDPR)
10.1. The personal data referred to in Section 5 are stored in the European Union (Supabase, AWS region eu-west-1, Ireland).
10.2. Possible transfers. As set out in the table in Section 8.1: (a) Vercel's serverless functions — in which the Platform's application logic executes, including processing of booking data in memory and in request logs — run in EU region fra1 (Frankfurt, Germany), while Vercel's CDN/edge network for content delivery is global; (b) Vercel and Supabase are US-headquartered companies, and for the Resend service the provider's corporate seat and transfer mechanism must be confirmed by legal counsel; transfers to third countries connected with the provision of those services are therefore possible.
10.3. MEDKIT does not transfer the personal data referred to in Section 5 to third countries beyond the scope set out in Section 10.2 without a documented instruction from the Clinic or an obligation under Union or Croatian law.
10.4. Every transfer to a third country is carried out under a valid Chapter V GDPR mechanism — an adequacy decision (including the EU–US Data Privacy Framework for certified organisations) or Standard Contractual Clauses, with supplementary measures where needed. The status of each individual vendor (DPF certification or concluded Standard Contractual Clauses) must be verified and confirmed by legal counsel before this DPA is signed.
11. Deletion and return of data after termination of the Main Agreement
11.1. After termination of the Main Agreement, MEDKIT is obliged, upon the Clinic's written request and at the Clinic's documented choice, to return to the Clinic all personal data referred to in Section 5 in a structured, commonly used, machine-readable format (e.g. CSV/JSON export from the database) and/or to delete them, unless Union or Croatian law requires further storage (in which case MEDKIT retains the data only to the necessary extent and under restriction of processing).
11.2. The Clinic may submit the written request for return of data during a period of [ post-termination export window, e.g. 30 days] from termination of the Main Agreement. MEDKIT fulfils the return request, or completes deletion, within [ deletion completion period, e.g. 30 days] of receiving the request, or of the expiry of the stated period if no request is submitted.
11.3. Statement of current state. Return and deletion are manual procedures that MEDKIT performs at the database level; the Platform does not include automated export tools or automated deletion. [ deletion tooling pending — manual process] MEDKIT will request that subprocessors delete residual copies in accordance with their data processing agreements.
11.4. Upon the Clinic's written request, MEDKIT confirms that deletion has been carried out.
12. Audits and demonstration of compliance
12.1. MEDKIT makes available to the Clinic all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
12.2. The Clinic has the right to conduct audits, including inspections, itself or through an authorised auditor that is not a competitor of MEDKIT. Given the multi-tenant nature of the Platform, audits are as a rule conducted: (a) by review of documentation, descriptions of technical and organisational measures, and available subprocessor reports and certifications; (b) only where that is not reasonably sufficient, by inspection upon prior written notice of at least [ audit notice period, e.g. 30 days], during regular business hours, in a manner that does not jeopardise the security of the Platform and without access to other clinics' data.
12.3. Each party bears its own audit costs, unless the audit establishes a material breach of this DPA by MEDKIT.
13. Liability
13.1. The parties' liability is governed by the Main Agreement and Article 82 GDPR. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law.
14. Term, amendments, and final provisions
14.1. This DPA enters into force upon conclusion of the Main Agreement and remains in force for as long as the processing under Section 3.1 continues, including the return and deletion period under Section 11.
14.2. Amendments to this DPA are valid only in written form, including the electronic form provided for in the Main Agreement.
14.3. This DPA is governed by the law of the Republic of Croatia; the competent court is determined in accordance with the Main Agreement.
14.4. If any provision of this DPA is void or unenforceable, this does not affect the validity of the remaining provisions; the parties will replace the void provision with a valid one that comes closest to its purpose.
14.5. Governing language. The Croatian language version of this document is the sole binding version; translations into other languages are provided for convenience only.
---
Last updated: [ date]