Legal Document

Data Processing Agreement

In accordance with Article 28 of the EU General Data Protection Regulation (GDPR 2016/679)

Version: 1.0
Effective: May 31, 2026
Jurisdiction: European Union
Regulation: GDPR Article 28

Table of Contents

  1. Parties and Definitions
  2. Subject Matter and Duration
  3. Obligations of Klinica (Processor)
  4. Obligations of the Data Controller
  5. Sub-Processors
  6. Technical & Organizational Security Measures
  7. Data Subject Rights
  8. Data Breach Notification
  9. International Data Transfers
  10. Data Deletion and Return
  11. Liability and Indemnification
  12. Contact and DPO

Article 1

Parties and Definitions

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The clinic or healthcare professional ("you", "Controller") who has subscribed to Klinica and processes personal data of their patients.
  • Data Processor: Klinica SAS / Klinica (operator of the klinica.space platform), acting as the processor of personal data on behalf of the Controller.

For the purpose of this DPA, the following definitions apply:

  • "Personal Data" — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" — Any operation performed on personal data, including storage, retrieval, use, disclosure, or erasure.
  • "Data Subject" — Patients, employees, or any natural person whose personal data is processed through the Klinica platform.
  • "Services" — The clinic management platform, online booking system, patient management, and scheduling tools provided by Klinica.

Article 2

Subject Matter and Duration

Klinica processes personal data solely to provide the contracted Services to the Controller. The categories of data processed include:

  • Patient identifiers (name, date of birth, contact details)
  • Appointment and scheduling data
  • Medical notes and clinical records entered by the Controller
  • Authentication credentials (hashed passwords) of clinic staff
  • Billing contact information (name, email) — payment details are not stored and are handled exclusively by Paddle.com (our payment processor)

The DPA is effective for the duration of your active subscription to Klinica. Upon termination, data retention and deletion obligations as described in Article 10 apply.

Principle of data minimization: Klinica only processes personal data that is strictly necessary to deliver the Services. We never sell, rent, or use your patient data for advertising or profiling purposes.

Article 3

Obligations of Klinica (Processor)

As your data processor, Klinica commits to:

  1. Process personal data only on documented instructions from the Controller (i.e., using the platform as intended).
  2. Ensure that all personnel with access to personal data are bound by confidentiality obligations.
  3. Implement and maintain appropriate technical and organizational security measures (see Article 6).
  4. Assist the Controller in fulfilling obligations regarding data subject rights (Article 7).
  5. Delete or return all personal data upon termination of services (Article 10).
  6. Provide all information necessary to demonstrate compliance with Article 28 GDPR obligations.
  7. Notify the Controller without undue delay upon becoming aware of a personal data breach (Article 8).
  8. Not transfer personal data to third parties except authorized sub-processors listed in Article 5.
Article 4

Obligations of the Data Controller

By using Klinica, you as the Data Controller confirm that:

  1. You have a lawful basis for processing your patients' personal data (e.g., consent, legitimate interest, or legal obligation under applicable healthcare law).
  2. You will provide a privacy notice to data subjects (your patients) that discloses the use of Klinica as a data processor.
  3. You are responsible for the accuracy and lawfulness of the personal data you enter into the platform.
  4. You will promptly inform Klinica of any changes to processing instructions that may affect our compliance obligations.
  5. You are responsible for configuring appropriate access controls for your clinic staff.

Article 5

Sub-Processors

Klinica uses the following authorized sub-processors. All sub-processors are required to meet equivalent data protection standards:

| Sub-Processor | Purpose | Location | Certification |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure & data hosting | Germany / EU | ISO 27001, ISO 9001, GDPR compliant |
| Paddle.com | Subscription billing & payments (Merchant of Record) | UK / EU | PCI-DSS Level 1, GDPR compliant, UK GDPR |
| Transactional Email Provider | System notifications & reminders | EU | GDPR compliant |

You will be notified at least 14 days in advance of any changes to the sub-processor list. You have the right to object to the addition of new sub-processors.

Article 6

Technical & Organizational Security Measures

Klinica implements the following technical and organizational measures (TOMs) in accordance with Article 32 GDPR to ensure an appropriate level of security:

01. Data Encryption

All data is encrypted at rest using AES-256 encryption. All data in transit is protected using TLS 1.3. Database backups are also encrypted.

02. Tenant Isolation

Each clinic operates in a completely separate, isolated database. There is zero possibility of cross-tenant data leakage by design.

03. ISO 27001 Certified Infrastructure

All data is hosted on Hetzner Online GmbH servers located in Germany. Hetzner is certified under ISO 27001 and ISO 9001 and is fully GDPR compliant.

04. Access Control

Role-based access control (RBAC) is enforced. Staff accounts are scoped to their clinic only. Passwords are hashed using bcrypt.

05. Audit Logging

All sensitive operations (patient record access, modifications, deletions) are logged with timestamps and user identifiers for accountability.

06. Automated Backups

Databases are backed up automatically. Backups are retained for 30 days and are stored in an encrypted format in a separate geographic location.

07. Vulnerability Management

Dependencies are regularly updated. Security patches are applied within 48 hours of disclosure for critical vulnerabilities. We follow responsible disclosure.

08. Penetration Testing

The platform undergoes periodic security assessments. All identified vulnerabilities are tracked and remediated according to severity.

Article 7

Data Subject Rights

Klinica will assist the Controller in responding to data subject requests under Articles 15–22 GDPR, including:

  • Right of Access (Art. 15): Patients may request access to their personal data held in Klinica.
  • Right to Rectification (Art. 16): Inaccurate data may be corrected.
  • Right to Erasure (Art. 17): Data may be deleted upon request, subject to legal retention obligations applicable to healthcare records.
  • Right to Portability (Art. 20): Patient data can be exported in structured, machine-readable formats.
  • Right to Object (Art. 21): Data subjects may object to certain processing activities.

As the Controller, you remain the primary point of contact for data subject requests. Klinica will support you technically in fulfilling these obligations.

Article 8

Data Breach Notification

In the event of a personal data breach, Klinica will:

  1. Notify the affected Controller within 72 hours of becoming aware of the breach, without undue delay.
  2. Provide details including: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
  3. Cooperate fully with the Controller's obligations to notify the competent supervisory authority under Article 33 GDPR.

Notifications will be sent to the email address associated with your Klinica account.

Article 9

International Data Transfers

Personal data is primarily stored and processed within the European Union (Germany). In cases where sub-processors are based outside the EEA (such as certain payment processors), appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission.
  • Adequacy decisions where applicable.
  • Binding Corporate Rules where relevant.

Primary data residency: Germany (EU). Your patient data never leaves the European Union unless explicitly required by a sub-processor with appropriate SCCs in place.

Article 10

Data Deletion and Return

Upon termination of your Klinica subscription:

  1. You have 30 days from the termination date to export your data in full.
  2. After this 30-day window, all personal data associated with your clinic will be permanently deleted from our systems, including backups.
  3. Klinica will provide a written confirmation of deletion upon request.
  4. Certain anonymized or aggregated statistical data (which cannot be used to identify any individual) may be retained for platform improvement purposes.

Article 11

Liability and Indemnification

Each party is responsible for ensuring their own compliance with applicable data protection laws. In the event of a data protection violation:

  • If the violation is attributable to the Controller's instructions or failure to comply with their obligations, the Controller bears the associated liability.
  • If the violation is attributable to Klinica's failure to fulfil its obligations as Processor, Klinica bears the associated liability.
  • Klinica's maximum liability is limited to the total fees paid by the Controller in the 12 months preceding the event giving rise to the claim.

Article 12

Contact and Data Protection Officer

For any questions related to this DPA, data protection, or to exercise your rights, please contact:

Klinica — Data Protection Enquiries
Email: privacy@klinica.space
Web: klinica.space

We aim to respond to all data protection enquiries within 5 business days.

© 2026 Klinica. All rights reserved.