Data Processing Agreement
Version 2026-06-02.v4 · Governs the relationship between Qlinniq (controller / covered entity) and any third-party processor or business associate that touches patient data on its behalf. Governed by UK GDPR, EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, and US HIPAA (45 CFR Parts 160 & 164).
This agreement lays out the mandatory protections every processor or business associate must contractually accept before being granted access to Qlinniq personal data or protected health information (PHI). Vendor onboarding must produce a counter-signed copy filed with the Qlinniq compliance team.
1. Definitions & roles
Qlinniq is the controller (for UK and EU/EEA patient data under UK GDPR / GDPR) and, for US patients’ PHI, a covered entity / business associate under HIPAA. The vendor is the processor (under GDPR) and, where it handles US PHI, a business associate (under HIPAA). Terms used in this agreement have the meanings assigned to them in GDPR Art. 4 and, for US PHI, in 45 CFR § 160.103. The processor must process personal data only on documented instructions from Qlinniq.
2. Subject matter, duration, nature, and purpose (GDPR Art. 28(3) opening clauses)
- Subject matter: the service named in the order form (notification delivery / error monitoring / video session relay / hosting / etc.).
- Duration: for the term of the underlying service agreement and any wind-down period agreed in writing.
- Nature and purpose: as set out in the service description; processor may not repurpose the data.
- Types of personal data / PHI: as defined in the order form’s data schedule.
- Categories of data subjects: patients (including minors), providers, and administrators of the controller.
- Obligations and rights of the controller: as set out in this agreement and the order form.
3. Processor obligations (GDPR Art. 28(3)(a)–(h); HIPAA 45 CFR § 164.504(e))
- Process personal data / PHI only on documented instructions from Qlinniq, including with respect to international transfers (GDPR Art. 28(3)(a); HIPAA § 164.504(e)(2)(i)).
- Ensure personnel with access are under binding confidentiality obligations (GDPR Art. 28(3)(b); for US PHI, the HIPAA Security Rule workforce security standard, § 164.308(a)(3)).
- Implement technical and organisational measures meeting GDPR Art. 32 and, for US PHI, the HIPAA Security Rule administrative, physical, and technical safeguards (Art. 28(3)(c)).
- Engage no sub-processor without Qlinniq’s prior specific or general written authorisation (GDPR Art. 28(2)/28(3)(d)). Where general authorisation is given, processor must notify Qlinniq of any intended changes, giving Qlinniq the opportunity to object.
- Assist Qlinniq with appropriate technical and organisational measures, insofar as possible, to respond to data subject rights requests (GDPR Art. 28(3)(e)) and HIPAA individual rights requests (§ 164.524, 164.526, 164.528).
- Assist Qlinniq in ensuring compliance with GDPR Arts. 32–36 (security, breach notification, DPIA, prior consultation) and the HIPAA Breach Notification Rule (45 CFR Part 164 Subpart D) (Art. 28(3)(f)).
- At the controller’s choice, delete or return all personal data / PHI after the end of the provision of services, and delete existing copies unless retention is required by applicable law (GDPR Art. 28(3)(g); HIPAA § 164.504(e)(2)(ii)(J)).
- Make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, by Qlinniq or another auditor mandated by Qlinniq (GDPR Art. 28(3)(h)); for US PHI, also make internal practices, books, and records relating to PHI available to the HHS Secretary on request (HIPAA § 164.504(e)(2)(ii)(I)).
4. Security controls (GDPR Art. 32; HIPAA Security Rule)
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Role-based access; no shared service accounts.
- Access audit logs retained ≥180 days, producible on request within 5 business days.
- Independent SOC 2 Type II and/or ISO 27001 attestation refreshed annually.
- Secure SDLC, dependency review, and vulnerability management with documented patching SLAs.
- Annual penetration testing; remediation of high/critical findings within 30 days.
- For US PHI: documented risk analysis and risk management programme meeting HIPAA § 164.308(a)(1).
5. Sub-processing
Processor must obtain Qlinniq’s written consent before engaging sub-processors and must contractually flow down protections equivalent to those in this agreement (GDPR Art. 28(4)). Processor maintains an up-to-date list of its sub-processors and notifies Qlinniq at least 30 days in advance of any intended addition or replacement, so that Qlinniq can object under section 3. Qlinniq’s own current list of contracted processors and their sub-processors is published at /legal/subprocessors. Where any sub-processor will handle US PHI, a signed Business Associate Agreement (BAA) must be in place between the processor and each such sub-processor prior to any disclosure of PHI (HIPAA § 164.504(e)(2)(ii)(D)).
6. International transfers
UK and EU/EEA patient data is stored in AWS eu-west-2 (London); US patient PHI is stored in AWS us-east-1 (United States). Patient data must remain within the United Kingdom/EEA or the United States for primary storage unless Qlinniq has approved a specific cross-border transfer in writing.
Where a transfer of UK/EU personal data to a processor located outside the UK/EEA is approved, the processor must rely on a valid transfer mechanism:
- UK transfers: the UK International Data Transfer Agreement (IDTA) or, where applicable, an addendum to the EU SCCs approved by the ICO.
- EU/EEA transfers: the EU 2021 Standard Contractual Clauses (Module 2 or 3 as applicable, Commission Decision 2021/914).
- In both cases, the processor must provide Qlinniq with a completed Transfer Impact Assessment (TIA) within 14 days of execution.
Onward transfers within the processor’s corporate group are treated as third-country transfers if they cross the UK/EEA boundary. US PHI is not transferred outside the United States except as permitted under HIPAA and with Qlinniq’s prior written consent.
7. Breach notification
Processor must notify Qlinniq of any actual or suspected personal-data breach or HIPAA security incident without undue delay and in any event within 24 hours of becoming aware, so that Qlinniq can meet the GDPR 72-hour notification window to the supervisory authority (GDPR Art. 33) and the HIPAA Breach Notification Rule requirements (45 CFR § 164.410, which sets the business associate’s duty to notify the covered entity). Notification must include scope, root cause (or current hypothesis, updated as the investigation progresses), categories and approximate number of individuals and records affected, containment status, and a contact for ongoing coordination. Processor must cooperate fully with Qlinniq’s investigation and any subsequent regulatory or individual notification obligations.
Supervisory authorities: in the UK, the Information Commissioner’s Office (ICO); in the EU/EEA, the relevant lead supervisory authority; in the US, the HHS Office for Civil Rights (OCR).
8. Data subject rights (GDPR) and individual rights (HIPAA)
Processor must support Qlinniq in fulfilling the following rights within 7 calendar days of a forwarded request:
- GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21).
- HIPAA: right of access (§ 164.524), right to amend (§ 164.526), right to an accounting of disclosures (§ 164.528), and right to request restrictions (§ 164.522).
9. Records of processing & demonstrability
Processor maintains records of processing activities under GDPR Art. 30(2) and produces them on request. Processor cooperates with Qlinniq’s Data Protection Impact Assessments (GDPR Art. 35), any prior consultation with a supervisory authority (GDPR Art. 36), and any HIPAA risk analysis or audit required under 45 CFR Part 164.
10. Termination & return / deletion
On termination, processor must, at Qlinniq’s election, return all Qlinniq personal data and PHI in a commonly used format and then purge all copies, within 30 days unless a legal obligation requires retention, and provide a written certificate of destruction. Data held only in backups may be deleted on the backups’ normal rotation schedule rather than within the 30 days, provided it is not restored or otherwise used in the meantime, and processor must confirm completion of that deletion in writing. For US PHI, destruction must render the PHI unreadable, indecipherable, and unable to be reconstructed in accordance with NIST SP 800-88 (Guidelines for Media Sanitization) or equivalent guidance.
11. Liability
Each party’s liability under this agreement is subject to the limitation of liability provisions in the underlying service agreement, except for: (i) breach of confidentiality; (ii) wilful misconduct; and (iii) liability to data subjects under GDPR Art. 82 (individual right to compensation) and regulatory civil money penalties under HIPAA (45 CFR Part 160 Subpart D), which are allocated between the parties in proportion to each party’s fault.
12. Governing law
For UK patient data, this agreement is governed by the laws of England and Wales. For EU/EEA patient data, this agreement is governed by the law of the Member State of the lead supervisory authority designated by Qlinniq (or, in the absence of such designation, the laws of England and Wales, to the extent compatible with EU law). For US patient PHI, the relevant provisions are governed by applicable US federal law (HIPAA) and the law of the state in which the relevant clinic operates.
Active processors
The current list of contracted processors / business associates and their DPA or BAA execution dates is published at /legal/subprocessors. To request a copy of the transfer clauses applicable to any cross-border transfer, or for any other query about this agreement, contact our Data Protection Officer at dpo@qlinniq.com.