Data Processing Agreement

Understanding our commitment to lawful and secure processing of your data

What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally binding contract that outlines the rights and obligations of each party regarding the processing of personal data. It is required under various data protection laws, including the GDPR, when a data controller engages a data processor.

As a healthcare technology provider, Mediscript acts as a data processor for our customers (the data controllers) who use our platform to process patient information. Our DPA establishes clear guidelines for how we handle this sensitive data.

The DPA ensures that both parties understand their responsibilities and that appropriate safeguards are in place to protect personal data throughout the processing lifecycle.

Key Components of Our DPA

Scope and Purpose

Defines the scope of data processing activities covered by the DPA and the purpose of the agreement.

Definitions

Clarifies key terms used in the DPA, such as 'personal data', 'processing', 'controller', and 'processor'.

Roles and Responsibilities

Establishes the roles of the parties (controller and processor) and their respective responsibilities.

Processing Instructions

Specifies that the processor will only process personal data in accordance with the controller's documented instructions.

Confidentiality

Requires the processor to ensure that persons authorized to process personal data have committed to confidentiality.

Security Measures

Outlines the technical and organizational measures implemented to protect personal data.

Sub-processing

Establishes conditions for engaging sub-processors, including obtaining authorization from the controller.

Data Subject Rights

Requires the processor to assist the controller in fulfilling its obligation to respond to data subject requests.

Data Breach Notification

Establishes procedures for notifying the controller of personal data breaches.

Data Protection Impact Assessments

Requires the processor to assist the controller in conducting data protection impact assessments.

Data Deletion or Return

Specifies that the processor will delete or return all personal data to the controller at the end of the provision of services.

Audit Rights

Grants the controller the right to audit the processor's compliance with the DPA.

Our Commitments as a Data Processor

When you entrust your data to Mediscript, we make the following commitments:

Processing According to Instructions

We will only process personal data in accordance with your documented instructions, including with regard to transfers to third countries.

Confidentiality

We ensure that all personnel who have access to your data are bound by confidentiality obligations and receive appropriate training.

Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Sub-processor Management

We will not engage another processor without your prior authorization and will ensure that any sub-processors are bound by the same data protection obligations.

Data Subject Rights

We will assist you in responding to requests from data subjects seeking to exercise their rights under applicable data protection laws.

Data Return or Deletion

At your choice, we will delete or return all personal data to you after the end of the provision of services, and delete existing copies.

Our DPA Process

Executing a DPA with Mediscript is a straightforward process:

1. Request

Contact our legal team to request our standard DPA or submit your own template for review.

2. Review

Our legal team will review the DPA to ensure it meets all legal requirements and aligns with our capabilities.

3. Execution

Both parties sign the DPA, establishing a legally binding agreement for data processing activities.

4. Implementation

We implement the terms of the DPA and maintain ongoing compliance with its requirements.

Ready to Execute a DPA?

Contact our legal team to request our standard DPA or to discuss your specific requirements.