Effective date: 05 September 2025
Last updated: 05 September 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Docyment Ltd ("Processor" or "Docyment") and any customer using the Docyment Platform ("Controller").
By using the Docyment Platform, the Controller agrees to this DPA. If you require a countersigned copy of this DPA for compliance purposes, please contact privacy@docyment.com.
1) Subject Matter and Duration
- The Processor will process personal data on behalf of the Controller in connection with the Controller's use of the Docyment Platform and services under the Agreement.
- This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller.
2) Nature and Purpose of Processing
The Processor will process personal data only as necessary to:
- provide the Docyment Platform (documentation support, dictation, transcription, summarisation, and clinical letter drafting);
- support, maintain, and secure the Platform;
- comply with applicable laws;
- as otherwise instructed in writing by the Controller.
The Processor will not process personal data for its own purposes. No patient data is used to train, develop, or improve AI models.
3) Categories of Data Subjects
Processing may include, as determined by the Controller:
- Patients of the Controller (including children, if entered by the Controller)
- Healthcare professionals (Practitioners) using the Platform
- Controller's staff (administrators, billing contacts)
4) Categories of Personal Data
Processing may include:
- General personal information (name, contact details, professional identifiers)
- Patient health information (medical history, clinical notes, medications, results, letters)
- Account and usage data (logins, preferences, activity logs)
- Billing and payment data (contact, transaction references – no full card numbers)
- Device and technical information (IP address, browser/device type, logs, crash reports)
Special category data (Article 9 GDPR): Health data provided by the Controller or its authorised users.
5) Processor Obligations
The Processor shall:
- process personal data only on documented instructions from the Controller;
- ensure persons authorised to process personal data are bound by confidentiality;
- implement appropriate technical and organisational security measures (see Annex II);
- assist the Controller with data subject requests, DPIAs, and breach notifications;
- notify the Controller without undue delay upon becoming aware of a personal data breach;
- delete or return personal data upon termination, in line with Section 10 of this DPA;
- make available information necessary to demonstrate compliance and allow audits as described in Section 9.
6) Controller Obligations
The Controller shall:
- ensure it has a valid legal basis for the processing of personal data via the Platform;
- provide instructions to the Processor that comply with applicable laws;
- inform data subjects where required;
- not input unnecessary or excessive personal data into the Platform.
7) Sub-processors
- The Controller authorises the Processor to engage sub-processors listed at: https://docyment.com/legal/subprocessors.
- The Processor shall inform the Controller of changes to sub-processors and give 30 days to object on reasonable grounds.
- The Processor shall ensure sub-processors are bound by written agreements imposing obligations no less protective than this DPA.
8) International Transfers
- By default, personal data is hosted in the UK/EEA.
- If transfers outside the UK/EEA are necessary, the Processor shall implement safeguards such as:
  - UK IDTA,
  - EU Standard Contractual Clauses with UK Addendum, and
  - additional technical/organisational protections.
9) Audit Rights
- The Processor shall make available documentation necessary to demonstrate compliance.
- The Controller may request audits (once per year, unless required more frequently by law or following a breach).
- Audits shall be conducted with 30 days' written notice, during business hours, and without undue disruption.
- The Controller bears its own audit costs.
10) Return or Deletion of Data
- Upon termination of services, the Controller may request deletion or return of personal data.
- Unless otherwise required by law, the Processor will delete personal data within 90 days of termination.
- Backups will be securely purged within the specified timeframe thereafter.
11) Liability
Liability under this DPA shall follow the limitations set out in the Agreement, unless otherwise required by law.
12) Governing Law and Jurisdiction
This DPA is governed by the laws of England and Wales. Disputes shall be resolved by the courts of England and Wales.
Annex I – Details of Processing
- Subject matter: Provision of the Docyment Platform and services.
- Duration: Term of the Agreement + data retention as required by law.
- Nature & purpose: Hosting, storing, processing, and transmitting data for clinical documentation support.
- Data subjects: Patients, healthcare professionals, Controller staff.
- Data categories: General personal data, patient health data, account/usage, billing, technical data.
Annex II – Security Measures
The Processor implements, at minimum, the following measures:
- Encryption (TLS 1.2+ in transit, AES-256 at rest)
- Role-based access controls, MFA/SSO, least-privilege access
- Logging, monitoring, and incident response procedures
- Regular vulnerability management, patching, and penetration testing
- Data separation (logical separation of customers, segmented environments)
- Encrypted backups and disaster recovery processes
- Employee confidentiality agreements and privacy/security training
Annex III – Sub-processors
The current list of authorised sub-processors is published at: https://docyment.com/legal/subprocessors
Final Note
This DPA is incorporated into and forms part of the Terms of Service. By using the Docyment Platform, you agree to this DPA.
If you require a signed copy, please contact privacy@docyment.com.