Data Processing Agreement

Wekitsak Platform

Effective Date: November 11, 2025

Version: 1.0

This Data Processing Agreement ("DPA") supplements the Platform Terms of Service and governs the processing of patient personal data, including health information, through the Wekitsak platform operated by Essenzvita Life Sciences Private Limited ("Essenzvita", "Processor"). This DPA is entered into between the healthcare provider ("Provider", "Data Fiduciary") and Essenzvita.

This DPA is designed to ensure compliance with the Digital Personal Data Protection Act 2023 ("DPDP Act"), Information Technology Act 2000, and applicable data protection regulations.

1. DEFINITIONS AND INTERPRETATION

Terms used in this DPA have the meanings assigned in the DPDP Act, Platform Terms of Service, or as defined herein.

  • "Data Fiduciary" means the healthcare provider who determines the purpose and means of processing patient personal data.
  • "Data Processor" means Essenzvita, which processes patient personal data on behalf of and upon instructions from the Data Fiduciary.
  • "Data Principal" means the patient whose personal data is processed.
  • "Personal Data" means any data about an individual who is identifiable by or in relation to such data, including health information, demographic data, and other patient-related information.
  • "Processing" means any operation performed on personal data including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, combination, restriction, erasure, or destruction.
  • "Sub-Processor" means any third party engaged by Essenzvita to process personal data on behalf of the Data Fiduciary.

2. ROLES AND OBLIGATIONS

Data Fiduciary (Healthcare Provider)

The healthcare provider is the Data Fiduciary and bears primary responsibility for lawful processing of patient data. The Data Fiduciary determines what patient data is collected, for what purposes it is used, and how long it is retained. The Data Fiduciary is responsible for obtaining valid consent from patients, ensuring data accuracy, facilitating data principal rights, and compliance with the DPDP Act and other applicable laws. The Data Fiduciary provides instructions to the Processor through use of platform functionality.

Data Processor (Essenzvita)

Essenzvita acts as Data Processor and processes patient data only upon instructions from the Data Fiduciary as manifested through platform usage. The Processor provides technology infrastructure, implements security measures, maintains confidentiality, engages Sub-Processors with appropriate safeguards, assists the Data Fiduciary in responding to data principal rights requests, notifies the Data Fiduciary of data breaches, allows audits of compliance, and returns or deletes data upon termination as instructed.

3. SCOPE OF PROCESSING

Categories of Data Principals

Patients receiving healthcare services, including adults, minors (for whom consent is provided by guardians), and incapacitated persons (for whom consent is provided by authorized representatives).

Categories of Personal Data Processed

Demographic information including name, date of birth, age, gender, mobile number, email address, and residential address. Health information including medical history, current symptoms, diagnoses, prescriptions, laboratory results, imaging reports, allergies, family medical history, lifestyle factors, mental health information, and sexual and reproductive health information where relevant. Voice recordings where artificial intelligence features are utilized with consent. Appointment and consultation records. Billing information limited to consultation fees and payment amounts.

Purpose of Processing

  • Facilitating medical consultations and healthcare delivery
  • Creating and maintaining electronic health records
  • Generating and delivering prescriptions
  • Managing appointments and clinic operations
  • Enabling continuity of care across healthcare providers where the patient has consented
  • Providing artificial intelligence-assisted transcription and clinical decision support where the patient has consented
  • Quality assurance and platform improvement using de-identified data

Duration of Processing

Data is processed throughout the period during which the healthcare provider maintains an active account and the patient receives care through the platform. Data is retained after termination pursuant to the data retention policy, which provides for indefinite retention unless deletion is specifically requested and legally permissible.

4. PROCESSOR OBLIGATIONS

Processing Instructions

The Processor shall process personal data only in accordance with documented instructions from the Data Fiduciary. Instructions are provided through use of platform functionality including data entry, search, retrieval, AI tool activation, prescription generation, and related operations. The Processor shall not process data for purposes other than those instructed by the Data Fiduciary, except where required by Indian law, in which case the Processor shall inform the Data Fiduciary of such legal requirement before processing unless prohibited by law.

Confidentiality

The Processor shall ensure that all personnel authorized to process personal data are subject to confidentiality obligations, whether contractual or statutory. Access to personal data is restricted to personnel who require such access to fulfill their duties.

Security Measures

The Processor implements appropriate technical and organizational measures to ensure data security, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks to data principals.

Technical measures include:

  • Encryption of data in transit using TLS 1.2 or higher and encryption of data at rest using AES-256
  • Access controls limiting data access through role-based permissions and authentication mechanisms
  • Network security including firewalls, intrusion detection, and regular vulnerability assessments
  • Logging of all data access for audit and security monitoring
  • Regular backups maintained in encrypted form

Organizational measures include:

  • Confidentiality agreements for all personnel
  • Security training
  • Incident response procedures
  • Physical security at data centers through hosting provider controls

Sub-Processors

The Data Fiduciary authorizes the Processor to engage Sub-Processors to assist in providing platform services. Current Sub-Processors include cloud infrastructure providers for data hosting and storage, artificial intelligence service providers for voice transcription and clinical decision support, communication service providers for SMS and email delivery, payment processors for subscription fee handling, and analytics providers for platform usage analysis using de-identified data.

The Processor shall maintain a list of Sub-Processors, which shall be made available upon request. Before engaging a new Sub-Processor or materially changing an existing Sub-Processor arrangement, the Processor shall notify the Data Fiduciary with at least thirty days' advance notice. If the Data Fiduciary objects to a Sub-Processor on reasonable grounds within fifteen days of notification, the parties shall work in good faith to resolve the objection. If resolution is not possible, the Data Fiduciary may terminate the agreement without penalty.

All Sub-Processors are bound by written contracts imposing data protection obligations equivalent to or more stringent than those in this DPA, including confidentiality, security, notification, and audit provisions. The Processor remains fully liable to the Data Fiduciary for Sub-Processor performance.

Cross-Border Transfers

Personal data may be transferred outside India to Sub-Processors located in other jurisdictions, particularly for artificial intelligence processing conducted by providers based in the United States. Voice recordings are transmitted to transcription service providers for real-time processing. De-identified medical data is transmitted to clinical decision support providers for suggestion generation.

Safeguards for cross-border transfers include:

  • De-identification of data where feasible through removal of direct identifiers (name, mobile number) prior to transmission, though voice characteristics and medical context may remain
  • Contractual protections through data protection clauses in Sub-Processor agreements
  • Encryption during transmission
  • Use of Sub-Processors with recognized security certifications
  • Patient consent obtained for use of artificial intelligence features that involve cross-border transfer

5. DATA PRINCIPAL RIGHTS

The Data Fiduciary is primarily responsible for responding to requests from data principals to exercise their rights under the DPDP Act, including rights to access, correction, erasure, data portability, grievance redressal, and nomination of representatives.

The Processor shall assist the Data Fiduciary in responding to such requests by providing technical capabilities for data export, facilitating corrections through platform functionality, executing deletion instructions where legally permissible, maintaining records of consent and processing activities, and providing audit logs and documentation as reasonably requested.

Requests received directly by the Processor will be promptly forwarded to the Data Fiduciary for evaluation and response. The Processor may provide general information about data processing but does not make determinations regarding the appropriateness of granting or denying rights requests, as such determinations are the responsibility of the Data Fiduciary.

6. DATA BREACH NOTIFICATION

A personal data breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.

Upon becoming aware of a personal data breach, the Processor shall notify the Data Fiduciary without undue delay and in any event within twenty-four hours of discovery. Notification shall include a description of the nature of the breach, categories and approximate number of data principals affected, categories and approximate volume of data affected, likely consequences of the breach, measures taken or proposed to address the breach, and contact point for further information.

The Processor shall take immediate steps to contain and remediate the breach, conduct investigation to determine root cause and scope, implement corrective measures to prevent recurrence, and cooperate fully with the Data Fiduciary's investigation and regulatory notifications.

The Data Fiduciary acknowledges that under the DPDP Act, it bears primary responsibility for notifying the Data Protection Board of India within seventy-two hours of becoming aware of a breach and for notifying affected data principals where the breach is likely to result in high risk. The Processor shall provide reasonable assistance to enable the Data Fiduciary to meet these obligations.

7. AUDITS AND COMPLIANCE

The Data Fiduciary or an authorized third-party auditor may audit the Processor's compliance with this DPA upon reasonable advance notice, typically not less than thirty days except in cases of suspected breach. Audits may be conducted remotely through review of documentation, policies, procedures, and audit logs, or through on-site inspection where necessary and feasible.

Audits shall be conducted during business hours in a manner that does not unreasonably disrupt the Processor's operations. The auditor must execute appropriate confidentiality agreements. The Processor shall cooperate with audits and provide reasonable access to relevant information, personnel, and systems.

In lieu of individual audits, the Data Fiduciary may rely on third-party security certifications, audit reports (such as SOC 2 Type II), and compliance summaries provided by the Processor or its infrastructure providers. Audits are permitted once per year at no cost. Additional audits may be conducted at the Data Fiduciary's expense, except where conducted due to suspected breach or non-compliance, in which case costs shall be allocated based on audit findings.

8. DATA RETURN AND DELETION

Upon termination of the Data Fiduciary's account, the Processor shall handle personal data according to instructions from the Data Fiduciary. Options include data export in portable format (CSV, JSON, or PDF) delivered within fifteen business days of request, subject to applicable fees for former subscribers; deletion of personal data from active systems within thirty days and from backup systems within the next backup cycle (typically ninety days), with written certification of deletion provided upon request; or retention in archived state inaccessible to the Data Fiduciary pending instructions or re-subscription.

The Processor may retain personal data despite deletion instructions where retention is required by law, necessary for legal proceedings or investigations, subject to valid legal holds, or technically necessary as part of de-identified aggregated datasets that cannot be re-identified.

9. LIABILITY AND INDEMNIFICATION

The healthcare provider, as Data Fiduciary under the DPDP Act, bears primary legal liability for data protection violations, including financial penalties imposed by the Data Protection Board and damages to data principals. The Processor is liable to the Data Fiduciary for breaches of this DPA, including failure to implement required security measures, unauthorized processing or disclosure, negligence or willful misconduct, and Sub-Processor breaches.

The Processor's liability to the Data Fiduciary for breach of this DPA is subject to the limitation of liability provisions in the Platform Terms of Service, except where such limitations are prohibited by law, including cases of gross negligence, fraud, or willful misconduct.

The Data Fiduciary shall indemnify the Processor from liability arising from the Data Fiduciary's failure to obtain valid patient consent, provision of unlawful processing instructions, violations of professional or regulatory obligations, or misrepresentations regarding legal basis for processing. The Processor shall indemnify the Data Fiduciary from liability directly attributable to the Processor's failure to comply with obligations under this DPA.

10. TERM AND TERMINATION

This DPA commences on the effective date and continues for so long as the Processor processes personal data on behalf of the Data Fiduciary. Termination occurs upon termination of the Platform Terms of Service or earlier mutual agreement.

Obligations regarding confidentiality, data return or deletion, audit rights, liability, and dispute resolution survive termination.

11. MODIFICATIONS

The Processor may modify this DPA to reflect changes in law, regulatory guidance, or data processing practices. Material modifications affecting data protection obligations or rights shall be communicated with sixty days' advance notice and may require affirmative acceptance. Non-material modifications shall be effective upon thirty days' notice.

12. GENERAL PROVISIONS

This DPA is governed by Indian law, specifically the DPDP Act, IT Act 2000, and other applicable data protection regulations. Disputes are subject to the dispute resolution provisions in the Platform Terms of Service, including negotiation, mediation, and arbitration.

This DPA, together with the Platform Terms of Service, constitutes the entire agreement between the parties regarding data processing. In case of conflict between this DPA and the Platform Terms on matters specifically addressed in this DPA, this DPA controls.

If any provision is held invalid or unenforceable, the remaining provisions remain in effect and the invalid provision shall be modified to the minimum extent necessary to make it enforceable.

No waiver of any breach constitutes a waiver of subsequent breaches. Waivers must be in writing.

The Processor may assign this DPA to affiliates or in connection with corporate transactions. The Data Fiduciary may not assign without the Processor's consent.

13. CONTACT INFORMATION

Data Protection Officer: Yogesh Vyas

Email: [email protected]

Essenzvita Life Sciences Private Limited

Registered Office: 383/3A/4B, Pl No. 9, 13th Lane, Rajarampuri,

Kolhapur, Maharashtra 416008

CIN: U86905PN2023PTC218619

By accepting the Platform Terms of Service, the Data Fiduciary acknowledges having read and agreed to this Data Processing Agreement and authorizes the Processor to process patient personal data as described herein.

END OF DATA PROCESSING AGREEMENT