Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) is entered into by and between the entity identified in the Master Services Agreement (“Customer”) and Solid Gold Technologies LLC d/b/a MediChatApp (“Processor” or “MediChatApp”). Capitalized terms not defined here have the meanings set forth in the Master Services Agreement (“MSA”). Where Customer is a Covered Entity or Business Associate under HIPAA, this DPA is intended to operate together with the Business Associate Addendum (BAA). If there is a conflict between the BAA and this DPA regarding PHI, the BAA controls.

1. Definitions

Applicable Data Protection Laws: All laws applicable to the Processing of Personal Data under the MSA, including, where applicable, GDPR, UK GDPR, CCPA/CPRA, state privacy laws, and HIPAA.
Personal Data / Personal Information: Any information relating to an identified or identifiable natural person processed by MediChatApp on Customer’s behalf.
PHI: Protected Health Information as defined by HIPAA; governed primarily by the BAA.
Processing, Controller, Processor, Subprocessor: As defined by Applicable Data Protection Laws.
Services: The MediChatApp platform and related services provided under the MSA.

2. Roles; Processing on Documented Instructions

Customer is the Controller (and Covered Entity/Business Associate for PHI); MediChatApp is the Processor (and Business Associate/Subcontractor for PHI). MediChatApp shall process Personal Data only on Customer’s documented instructions as set out in the MSA, this DPA, and Customer’s configuration or written directions. MediChatApp will inform Customer if an instruction violates Applicable Data Protection Laws.

3. Nature, Purpose, Duration, and Types of Data

Details are described in Annex A (Data Categories & Processing Activities).

Nature/Purpose: Provision of the Services (communications, patient portal, check-in, revenue automation, analytics/operations) and related support.
Duration: For the term of the MSA and any transition/retention periods per policy.
Data Subjects: Patients, staff/admin users, prospective customers (marketing site only; no PHI intended).

4. Security Measures

MediChatApp implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A high-level overview is described in Annex C and further detailed on our Security & Compliance page. Measures include (as applicable): encryption in transit and at rest, least-privilege access, network segmentation/WAF, vulnerability management, audit logging with immutability, and personnel security controls (NDA, training).

5. Confidentiality & Personnel

MediChatApp ensures personnel with access to Personal Data are bound by confidentiality and receive appropriate training. Access is role-based and limited to what is necessary to perform the Services or support obligations.

6. Subprocessors

Customer authorizes MediChatApp to engage Subprocessors reasonably required to deliver the Services. MediChatApp imposes data protection obligations on Subprocessors no less protective than those in this DPA. The current list of Subprocessors is published at Subprocessors. Customer may subscribe to updates and object on reasonable, documented grounds related to data protection by notifying MediChatApp within ten (10) days of notice. If the parties cannot reach resolution, Customer may terminate the affected Services as its sole and exclusive remedy.

7. International Transfers; Standard Contractual Clauses

Where Personal Data is subject to GDPR/UK GDPR and transferred outside the EEA/UK in a manner requiring a transfer mechanism, the parties agree the applicable Standard Contractual Clauses (“SCCs”) are incorporated by reference: EU Commission 2021 SCCs (Controller-to-Processor) and UK Addendum as applicable. MediChatApp will provide completed annexes upon request. The parties will cooperate on transfer impact assessments and supplementary measures as needed.

8. Data Subject Requests & Cooperation

Taking into account the nature of Processing, MediChatApp will provide reasonable assistance to Customer to fulfill Data Subject requests (access, correction, deletion, portability, restriction, objection) received by Customer under Applicable Data Protection Laws. If MediChatApp receives a request directly, it will notify Customer without undue delay and not respond except to confirm it acts on Customer instructions.

9. DPIAs & Regulatory Inquiries

MediChatApp provides reasonable assistance to Customer with data protection impact assessments and consultations with supervisory authorities, to the extent required by law and relating to the Services. MediChatApp will promptly notify Customer of any authority request relating to the Customer Personal Data, unless legally restricted.

10. Security Incident Notification

MediChatApp shall notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data. The notification will include, where available, the nature of the incident, categories/approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the incident. MediChatApp will cooperate to support Customer’s legal obligations, including notifications to authorities and individuals as required.

11. Audits & Reports

Upon reasonable written request and subject to confidentiality, MediChatApp will make available information necessary to demonstrate compliance with this DPA (e.g., third-party audit reports or summaries). Where further audit is required by law or regulator, Customer may conduct (or appoint an independent auditor to conduct) an on-site or remote audit upon at least thirty (30) days’ notice, during normal business hours, no more than annually, and in a manner that does not unreasonably interfere with operations. Customer is responsible for its audit costs.

12. Return & Deletion

Upon termination of the Services, Customer may export Personal Data. Thereafter, MediChatApp will delete Customer Personal Data from active systems within a commercially reasonable period, unless retention is required by law or permitted for documented compliance/defense purposes. Backups expire on a rolling schedule and are not selectively edited. See our Data Retention & Deletion Policy for defaults and options.

13. Liability; Order of Precedence

Liability is governed by the MSA. In case of conflict among the documents regarding Personal Data: (1) BAA (for PHI), (2) this DPA, (3) the MSA. For international transfers, the SCCs prevail to the extent they apply and conflict with this DPA.

14. Changes

MediChatApp may update this DPA as required by law or to reflect changes to the Services. Material changes will be communicated in advance when feasible.

Annex A — Data Categories & Processing Activities

Data Subjects: Patients; practice staff/admin users; website leads (marketing site only).
Categories: Identifiers (name, DOB, contact); scheduling/encounter metadata; portal messages & attachments; audit and access logs; configuration and routing metadata.
Special Categories: Health data/PHI (Services components that handle patient communications and portal data); processed under the BAA.
Processing: Collection, storage, retrieval, transmission, display, analytics (operational), and deletion per Customer instructions.

Annex B — Subprocessors

Current list available at /legal/subprocessors/. Includes hosting, email/SMS delivery, monitoring, and security tooling as applicable.

Annex C — Technical & Organizational Measures (Summary)

Encryption: TLS in transit; encryption at rest for databases and backups.
Access Control: Role-based access, MFA for privileged accounts, least privilege, regular access reviews.
Network & App Security: Segmentation, firewalls/WAF, vulnerability management, code review, dependency scanning.
Monitoring & Logging: Immutable audit logs, centralized logging, anomaly detection.
Business Continuity & DR: Redundant infrastructure, rolling encrypted backups, tested recovery procedures.
Personnel & Policies: Security training, confidentiality obligations, incident response plan.

Incorporation into the MSA

This DPA is incorporated into and forms part of the Master Services Agreement (“MSA”) between Customer and MediChatApp as of the Effective Date of the MSA. A separate countersigned copy is not required unless Customer requests one for its records. If you require an executed copy, please contact our legal team.