Data Processing Addendum

The GDPR-compliant DPA that forms part of the Customer Agreement.

Version 2.1 — 1 May 2026

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between ClinicFlow Inc. ("Processor") and the Customer (the "Controller") under which Customer accesses the Services. The DPA reflects the parties' agreement on the processing of personal data subject to the EU GDPR, UK GDPR, and equivalent jurisdictions.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in the GDPR.

2. Roles & scope

  • Customer is the Controller of the personal data it uploads.
  • ClinicFlow is the Processor for that data.
  • For account/billing/website data we collect directly, ClinicFlow is the Controller (see Privacy Policy).

3. Subject matter & duration

Subject matter: provision of the Services described in the Agreement. Duration: as long as Customer's subscription is active, plus the post-termination grace period.

4. Categories of data subjects & data

  • Data subjects: patients, clinic staff, prospective patients.
  • Personal data categories: identifiers, contact details, demographics, special category data (health, genetic, biometric — where uploaded by Customer), authentication data.

5. Processor obligations

  • Process personal data only on documented Controller instructions.
  • Ensure persons authorized to process are bound by confidentiality.
  • Implement appropriate technical & organizational measures (Annex B).
  • Assist Controller in responding to data subject requests.
  • Assist Controller with DPIAs and prior consultations.
  • Notify Controller without undue delay (within 72 hours) of personal data breaches.
  • Delete or return personal data at the end of the Agreement, at Controller's choice.
  • Make available all information necessary to demonstrate compliance and allow audits.

6. Subprocessors

Customer authorizes the use of subprocessors listed at clinicflowai.app/legal/subprocessors. ClinicFlow will give Customer at least 30 days' notice of new subprocessors. Customer may object on reasonable grounds; if no resolution is reached, Customer may terminate the affected Service.

7. International transfers

Where personal data is transferred outside the EEA / UK to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module Two: controller to processor) apply, incorporated by reference, with the parties as described in this DPA.

8. Security measures (Annex B summary)

  • PHI fields encrypted at rest (AES-128/HMAC-SHA-256 via Fernet, AWS KMS available).
  • TLS 1.2+ in transit, HSTS preload.
  • Strict tenant isolation enforced at middleware + service layer.
  • Access logged on reads and writes (PHI access logging).
  • MFA available for all accounts; account lockout enforced.
  • Annual third-party penetration testing.
  • Backup retention 30 days online, 6 years cold storage.

9. Audit rights

Customer may, no more than once per year and on 30 days' notice, conduct an audit of ClinicFlow's compliance. ClinicFlow may satisfy this obligation by providing recent SOC 2 Type II or ISO 27001 reports under NDA.

10. Liability

Liability under this DPA is subject to the limitations in the Agreement.

11. Governing law

For EU/UK data, the laws of Ireland (or as otherwise required for enforceability of the SCCs). Otherwise, as specified in the Agreement.

Annex A — List of processing activities

Hosting and providing the ClinicFlow Services: scheduling, encounters, telehealth, billing, messaging, AI-assisted documentation, and audit logging — all as configured by Customer.

Annex B — Technical and organizational measures

See Security Practices for the current list. We update this annex as our security posture evolves.

To execute this DPA, sign the order form referencing it, or email [email protected] to receive a counter-signed PDF.