MedFlow Data Processing Agreement

Last updated: 28 March 2026 · GDPR Art. 28 · KVKK Art. 12 · UAE PDPL · Saudi PDPL

1. Parties

Data Controller ("Controller"): The clinic entity subscribing to MedFlow
Data Processor ("Processor"): MedFlow Ltd, London, United Kingdom

2. Subject Matter and Duration

This DPA governs the processing of personal data by MedFlow on behalf of the clinic for the duration of the subscription agreement, plus 30 days for data return/deletion.

3. Nature and Purpose of Processing

MedFlow processes personal data to provide clinic automation services including: patient communication (WhatsApp, Instagram, email), quote generation and tracking, appointment scheduling, deposit tracking, follow-up automation, checklist management, AI-powered patient analysis, and clinic analytics.

4. Types of Personal Data Processed

  • Patient names, phone numbers, email addresses, country of residence
  • Medical treatment interests and procedure history (not medical records)
  • Communication content (messages, replies, automated responses)
  • Financial information (quote amounts, deposit status, payment records)
  • Appointment dates, times, and attendance status
  • Pre-procedure checklist completion status
  • Internal notes recorded by clinic staff

5. Categories of Data Subjects

Patients and prospective patients of the clinic.

6. Obligations of the Processor (MedFlow)

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process data have committed to confidentiality
  • Implement appropriate technical and organisational security measures
  • Engage sub-processors only with prior written authorisation (see Section 8)
  • Assist the Controller in responding to data subject requests
  • Assist with data protection impact assessments where required
  • Delete or return all personal data on termination, at the Controller's choice
  • Make available all information necessary to demonstrate compliance
  • Notify the Controller of any data breach without undue delay and within 72 hours

7. Obligations of the Controller (Clinic)

  • Ensure a lawful basis exists for processing patient data
  • Provide clear instructions to MedFlow regarding data processing
  • Obtain necessary consents from data subjects where required
  • Respond to data subject requests in accordance with applicable law
  • Notify MedFlow of any data protection concerns

8. Sub-Processors

The Controller authorises the following sub-processors:

  Sub-Processor          Purpose                          Location        DPA
  Supabase Inc.          Database, authentication         EU (Ireland)    Link
  Anthropic PBC          AI analysis                      United States   Link
  Meta Platforms Inc.    WhatsApp API, Instagram API      US / EU         Link
  Stripe Inc.            Payment processing               US / EU         Link
  Vercel Inc.            Hosting, serverless              US / EU         Link

MedFlow will notify the Controller at least 30 days before adding a new sub-processor.

9. Security Measures

  • Encryption in transit via TLS 1.2+
  • Encryption at rest (Supabase managed encryption)
  • Hashed password storage (listed here as SHA-256; SHA-256 is a general-purpose digest rather than a dedicated password-hashing function such as bcrypt, scrypt or Argon2id, so the Controller should confirm the scheme actually in use under the audit rights in Section 13)
  • Row Level Security (RLS) for clinic data isolation
  • 24-hour session expiration
  • Rate limiting on authentication
  • No API keys stored client-side
  • Security headers (HSTS, X-Frame-Options, CSP)
  • Regular security reviews and penetration testing
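The Row Level Security measure above is the one that enforces per-clinic isolation inside a shared database, so it is the item a Controller exercising its audit rights will most want to see in concrete form. The following is an added illustration of what such a setup looks like on Supabase (Postgres); it is not MedFlow's own schema or policies. The table names (clinics, clinic_users, patients), the clinic_id column and the helper function current_clinic_id() are assumptions; auth.uid() and the authenticated role are Supabase's standard built-ins.

```sql
-- Illustrative tenant-isolation setup for a Supabase/Postgres database.
-- Added example; NOT MedFlow's actual schema. Table and column names
-- (clinics, clinic_users, patients, clinic_id) are assumed for illustration.

create table clinics (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Maps an authenticated Supabase user (auth.users.id) to exactly one clinic.
create table clinic_users (
  user_id   uuid primary key references auth.users (id) on delete cascade,
  clinic_id uuid not null references clinics (id) on delete cascade
);

create table patients (
  id         uuid primary key default gen_random_uuid(),
  clinic_id  uuid not null references clinics (id) on delete cascade,
  full_name  text not null,
  phone      text,
  email      text,
  created_at timestamptz not null default now()
);

-- Helper: the clinic of the calling user, derived from the JWT subject
-- (auth.uid()). security definer lets it read clinic_users regardless of
-- that table's own policies; search_path is pinned to avoid function hijack.
create or replace function current_clinic_id()
returns uuid
language sql
stable
security definer
set search_path = public
as $$
  select clinic_id from clinic_users where user_id = auth.uid()
$$;

-- Enable RLS. A table with RLS enabled and no matching policy returns no
-- rows to non-owner roles, which is the safe default.
alter table patients     enable row level security;
alter table clinic_users enable row level security;

-- Staff may only read or modify patients belonging to their own clinic.
-- Each verb gets its own policy so an insert cannot sneak in another
-- clinic's id (with check) and an update cannot move a row across clinics.
create policy patients_select_own_clinic on patients
  for select to authenticated
  using (clinic_id = current_clinic_id());

create policy patients_insert_own_clinic on patients
  for insert to authenticated
  with check (clinic_id = current_clinic_id());

create policy patients_update_own_clinic on patients
  for update to authenticated
  using (clinic_id = current_clinic_id())
  with check (clinic_id = current_clinic_id());

create policy patients_delete_own_clinic on patients
  for delete to authenticated
  using (clinic_id = current_clinic_id());

-- A user may read only their own membership row.
create policy clinic_users_select_self on clinic_users
  for select to authenticated
  using (user_id = auth.uid());

-- Apply RLS even to the table owner, so a misconfigured connection that
-- happens to run as the owner still cannot read across clinics.
alter table patients force row level security;

-- Audit check (run with a JWT for a test user of clinic A):
--   select count(*) from patients;
-- must equal the number of clinic A's patients, and
--   select count(*) from patients where clinic_id <> current_clinic_id();
-- must return 0. The anon role matches no policy above and sees no rows.
```

Two points a practitioner auditing this should keep in mind. First, policies are attached to the authenticated role only, so unauthenticated (anon) requests match nothing and get empty results rather than a cross-clinic leak. Second, Supabase's service_role key bypasses RLS entirely by design; that is why the "no API keys stored client-side" item in the list above is not a separate nicety but a precondition for the isolation guarantee to mean anything.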

10. Data Breach Notification

MedFlow will notify the Controller within 72 hours of becoming aware of a personal data breach, providing: (a) the nature of the breach, (b) categories and approximate number of data subjects affected, (c) likely consequences, (d) measures taken to address the breach.

11. Data Subject Requests

MedFlow will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) through the MedFlow dashboard tools. MedFlow will forward any direct data subject requests to the Controller without undue delay.

12. Return and Deletion of Data

On termination of the subscription: (a) the Controller may export all data within 30 days via the dashboard, (b) after 30 days MedFlow will permanently delete all Controller data, (c) MedFlow will provide written confirmation of deletion upon request.

13. Audit Rights

The Controller may audit MedFlow's compliance with this DPA, subject to reasonable notice (minimum 30 days). MedFlow will make available all necessary information and allow inspections. Audits shall be conducted during business hours and no more than once per year.

14. International Data Transfers

Where personal data is transferred outside the EEA/UK, MedFlow ensures appropriate safeguards including Standard Contractual Clauses (SCCs) as adopted by the European Commission (Implementing Decision 2021/914). For transfers to Turkey, UAE, and Saudi Arabia, additional contractual safeguards are implemented in compliance with KVKK, UAE PDPL, and Saudi PDPL respectively.

15. Multi-Jurisdiction Compliance

  • GDPR (EU): This DPA satisfies the requirements of Article 28 GDPR
  • UK GDPR: This DPA satisfies the requirements of Article 28 UK GDPR
  • KVKK (Turkey): This DPA satisfies the requirements of Article 12 of Law No. 6698
  • UAE PDPL: This DPA satisfies the requirements of Federal Decree-Law No. 45 of 2021
  • Saudi PDPL: This DPA satisfies the requirements of the Saudi Personal Data Protection Law

16. Governing Law

This DPA is governed by the laws of England and Wales, without prejudice to mandatory data protection laws applicable in the Controller's jurisdiction.

17. Contact

MedFlow Ltd
Email: dpa@medflowai.io
Website: medflowai.io

© 2026 MedFlow Ltd. All rights reserved.
