Data Processing Agreement
Last updated: February 2026
1. Definitions
For the purposes of this Data Processing Agreement (“DPA”), the following terms shall have the meanings set out below:
- “Controller” means the entity that determines the purposes and means of processing Personal Data. In the context of this DPA, the healthcare provider or business partner engaging NowMedical services acts as the Controller.
- “Processor” means NowMedical, Inc., which processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person, including Protected Health Information (PHI) as defined under HIPAA.
- “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
- “Sub-processor” means any third party engaged by NowMedical to process Personal Data on behalf of the Controller.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Applicable Data Protection Law” means GDPR, HIPAA, LGPD, PIPEDA, UK-GDPR, and any other applicable data protection legislation.
2. Scope & Purpose
This DPA applies to the processing of Personal Data by NowMedical on behalf of the Controller in connection with the provision of healthcare platform services, including:
- Patient registration and profile management
- Appointment scheduling and telehealth visit facilitation
- Secure messaging between patients and providers
- Electronic health record (EHR) storage and management
- Payment processing and billing
- Prescription management and pharmacy integration
- AI-assisted clinical documentation and health insights
- Analytics and reporting (with aggregated, de-identified data)
The categories of Data Subjects include patients, healthcare providers, and authorized staff members of the Controller. The types of Personal Data processed include names, contact information, medical records, insurance details, payment information, and usage data.
3. Data Controller / Data Processor Roles
The parties acknowledge and agree that:
- The Controller (healthcare provider / business partner) determines the purposes and means of processing patient Personal Data and is responsible for compliance with Applicable Data Protection Law regarding its use of NowMedical services.
- NowMedical acts as a Processor when processing Personal Data on behalf of and under the instructions of the Controller.
- NowMedical may also act as an independent Controller for certain processing activities, such as platform analytics (using aggregated, de-identified data), security monitoring, and compliance with its own legal obligations.
- Under HIPAA, NowMedical acts as a Business Associate to the Controller (Covered Entity), and this DPA incorporates the terms of a Business Associate Agreement (BAA).
4. Processing Instructions
NowMedical shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
- Inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law
- Not process Personal Data for any purpose other than the provision of services under the main agreement
- Not sell Personal Data or use it for marketing purposes unrelated to the Controller's services
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Provide the Controller with all information necessary to demonstrate compliance with this DPA upon reasonable request
5. Security Measures
NowMedical implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
Technical Measures
- Encryption at rest using AES-256-GCM for all stored Personal Data
- Encryption in transit using TLS 1.3 for all data transmissions
- Multi-factor authentication for all administrative and provider access
- Role-based access controls (RBAC) following the principle of least privilege
- Automated intrusion detection and prevention systems
- Regular vulnerability scanning and penetration testing
- Encrypted daily backups with geographic redundancy
- Comprehensive audit logging with tamper detection
Organizational Measures
- Mandatory security and privacy training for all employees (annual and upon onboarding)
- Background checks for personnel with access to Personal Data
- Information security management system aligned with ISO 27001
- Incident response plan with documented procedures and regular drills
- Designated Data Protection Officer (DPO) and HIPAA Privacy Officer
- Business continuity and disaster recovery plans tested annually
6. Sub-processors
The Controller provides general written authorization for NowMedical to engage Sub-processors. NowMedical shall:
- Maintain a list of current Sub-processors and make it available to the Controller
- Notify the Controller at least 30 days before adding or replacing a Sub-processor
- Enter into written agreements with each Sub-processor imposing data protection obligations no less protective than this DPA
- Remain fully liable to the Controller for the performance of each Sub-processor's obligations
Current Sub-processors
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure & hosting | US (us-east-1) | BAA, SOC 2, HIPAA |
| Stripe, Inc. | Payment processing | US | PCI DSS, SCCs |
| Daily.co | Video telehealth infrastructure | US | BAA, SOC 2 |
| Twilio / SendGrid | SMS & email communications | US | BAA, SCCs |
| OpenAI | AI-assisted clinical documentation | US | BAA, Zero data retention |
| Supabase (PostgreSQL) | Database hosting | US (AWS) | SOC 2, Encryption at rest |
The Controller may object to any new or replacement Sub-processor by notifying NowMedical in writing within 14 days of receiving notice.
7. Cross-border Transfers
NowMedical shall not transfer Personal Data to a country outside the European Economic Area (EEA), the United Kingdom, or the Controller's jurisdiction unless:
- The transfer is to a country recognized as providing adequate protection by the relevant authority
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission (June 2021 version)
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs is in place for transfers from the UK
- The transfer falls within a recognized derogation under Applicable Data Protection Law
NowMedical conducts Transfer Impact Assessments (TIAs) for all cross-border transfers and implements supplementary measures where necessary, including encryption, pseudonymization, and access controls.
8. Data Subject Rights
NowMedical shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of Access — Providing copies of Personal Data upon request
- Right to Rectification — Correcting inaccurate or incomplete data
- Right to Erasure — Deleting data where no legal basis for retention exists
- Right to Data Portability — Exporting data in structured, machine-readable formats (JSON, FHIR R4)
- Right to Restrict Processing — Limiting processing under certain conditions
- Right to Object — Ceasing processing based on legitimate interest or direct marketing
NowMedical provides a self-service Privacy & Data Rights Center where Data Subjects can exercise their rights directly. The Controller will be notified of all Data Subject requests that require Controller action.
9. Breach Notification
In the event of a Data Breach, NowMedical shall:
- Notify the Controller without undue delay and in any case within 24 hours of becoming aware of a Data Breach
- Provide the Controller with all available information about the breach, including the nature, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to mitigate the breach
- Cooperate with the Controller in investigating and remediating the breach
- Assist the Controller in meeting its breach notification obligations under GDPR (72 hours to supervisory authority) and HIPAA (60 days to HHS and affected individuals)
- Document all Data Breaches, including facts, effects, and remedial actions taken
10. Audit Rights
NowMedical shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. This includes:
- Providing SOC 2 Type II and HIPAA compliance reports upon request (under NDA)
- Allowing on-site or remote audits with at least 30 days' prior written notice
- Providing access to relevant policies, procedures, and technical documentation
- Participating in compliance review meetings on a quarterly or annual basis as agreed
- Promptly addressing any audit findings with documented remediation plans
Audits shall be conducted during normal business hours and shall not unreasonably interfere with NowMedical's operations. The Controller shall bear its own costs of any audit unless the audit reveals material non-compliance by NowMedical.
11. Term and Termination
This DPA shall remain in effect for the duration of the main service agreement between the parties. Upon termination:
- NowMedical shall, at the Controller's choice, delete or return all Personal Data within 90 days of termination, unless retention is required by applicable law
- NowMedical shall provide the Controller with the ability to export all data in machine-readable format prior to termination
- Obligations under this DPA that by their nature should survive termination (including confidentiality, breach notification, and audit rights) shall survive
- NowMedical shall certify in writing that it has deleted or returned all Personal Data, except where legally required to retain it
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the main service agreement, except that:
- Neither party limits its liability for damages caused by a breach of its data protection obligations to Data Subjects
- Each party shall be liable for the entire damage caused by processing that violates Applicable Data Protection Law, in accordance with Article 82 GDPR
- A party that has paid full compensation shall be entitled to claim back from the other party that portion of the compensation corresponding to the other party's share of responsibility
- NowMedical maintains cyber liability insurance with coverage of at least $5,000,000 per occurrence
Execute This Agreement
To execute a Data Processing Agreement with NowMedical, please download the DPA template below and contact our legal team. We will work with you to review and finalize the agreement based on your organization's needs.
Email: legal@nowmedical.com · Phone: 1-800-NOW-MED1