Data Processing Agreement
Version 2026-05-27.v2 · Governs the relationship between Qlinniq (controller) and any third-party processor that touches patient data on its behalf. Governed by GDPR 2016/679, DPDP Act 2023, and the IT Act 2000.
This agreement lays out the mandatory protections every processor must contractually accept before being granted access to Qlinniq personal data. Vendor onboarding must produce a counter-signed copy filed with the Qlinniq compliance team.
1. Definitions & roles
Qlinniq is the controller (also “Data Fiduciary” under DPDP); the vendor is the processor (also “Data Processor”). Terms used in this agreement have the meanings assigned to them in GDPR Art. 4 and DPDP §2. The processor must process personal data only on documented instructions from Qlinniq.
2. Subject matter, duration, nature, and purpose (Art. 28(3) opening clauses)
- Subject matter: the service named in the order form (notification delivery / error monitoring / video session relay / etc.).
- Duration: for the term of the underlying service agreement and any wind-down period agreed in writing.
- Nature and purpose: as set out in the service description; processor may not repurpose the data.
- Types of personal data: as defined in the order form’s data schedule.
- Categories of data subjects: patients (including minors), providers, administrators of the controller.
- Obligations and rights of the controller: as set out in this agreement and the order form.
3. Processor obligations (Art. 28(3)(a)–(h))
- Process personal data only on documented instructions, including in respect of international transfers (Art. 28(3)(a)).
- Ensure personnel with access are under confidentiality obligations (Art. 28(3)(b)).
- Implement technical and organisational measures meeting Art. 32 (Art. 28(3)(c)).
- Engage no sub-processor without Qlinniq’s prior specific or general written authorisation (Art. 28(2)/28(3)(d)). Where general authorisation is given, processor must notify Qlinniq of any intended changes giving Qlinniq the opportunity to object.
- Assist Qlinniq with appropriate technical and organisational measures, insofar as possible, to respond to data subject rights requests (Art. 28(3)(e)).
- Assist Qlinniq in ensuring compliance with Arts. 32–36 (security, breach notification, DPIA, prior consultation) (Art. 28(3)(f)).
- At the controller’s choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless retention is required by Union or Member State law (Art. 28(3)(g)).
- Make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, by the controller or another auditor mandated by the controller (Art. 28(3)(h)).
4. Security controls (Art. 32)
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Role-based access; no shared service accounts.
- Access audit logs retained ≥180 days, producible on request within 5 business days.
- Independent SOC 2 Type II / ISO 27001 attestation refreshed annually.
- Secure SDLC, dependency review, vulnerability management with documented patching SLAs.
- Annual penetration testing; remediation of high/critical findings within 30 days.
5. Sub-processing
Processor must obtain Qlinniq’s written consent before engaging sub-processors and must contractually flow down equivalent protections (Art. 28(4)). Processor maintains an up-to-date list of sub-processors and notifies Qlinniq at least 30 days in advance of any intended addition or replacement.
6. International transfers
Personal data must remain within the EEA / India unless Qlinniq has approved a specific cross-border transfer in writing. Where transfer is approved, processor must rely on a valid Art. 46 transfer mechanism (most commonly the EU 2021 Standard Contractual Clauses, Module 2 or 3 as applicable; for transfers from India, the DPDP framework equivalent) and provide Qlinniq with a Transfer Impact Assessment within 14 days of execution. Onward transfers inside processor’s corporate group are treated as third-country transfers if they cross the EEA / India boundary.
7. Breach notification
Processor must notify Qlinniq of any actual or suspected personal-data breach without undue delay and in any event within 24 hours of becoming aware (so Qlinniq can meet the GDPR 72-hour notification window in Art. 33), and where the processor sits outside India, also within 2 hours so Qlinniq can meet the CERT-In 6-hour reporting deadline. Notification must include scope, root cause, containment status, and contact for ongoing coordination.
8. Data subject rights
Processor must support Qlinniq in fulfilling rights of access (Art. 15), rectification (16), erasure (17), restriction (18), objection (21), and portability (20) within 7 calendar days of a forwarded request.
9. Records of processing & demonstrability
Processor maintains records of processing activities under Art. 30(2) and produces them on request. Processor cooperates with Qlinniq’s Data Protection Impact Assessment (Art. 35) and any prior consultation with a supervisory authority (Art. 36).
10. Termination + return / deletion
On termination, processor must purge all Qlinniq personal data within 30 days unless a legal obligation requires retention, and provide a written certificate of destruction. Backups must be deleted on their normal rotation schedule and processor must confirm completion in writing.
11. Liability
Each party’s liability under this agreement is subject to the limitation of liability provisions in the underlying service agreement, except for: (i) breach of confidentiality; (ii) wilful misconduct; and (iii) liability arising from Art. 82 GDPR or DPDP §39 (compensation to data subjects), which is allocated in proportion to fault.
12. Governing law
For data of EU/EEA residents, this agreement is governed by the law of the Member State of the lead supervisory authority designated by Qlinniq, or in the absence of such designation, by Irish law. For all other data, this agreement is governed by the laws of India, with disputes subject to the jurisdiction of the courts at Mumbai.
Active processors
The current list of contracted processors and their DPA execution dates is published at /legal/subprocessors.