Home /Data Processing
Legal

Data Processing Agreement

Last updated: April 1, 2025. This DPA governs how ClinexaOS processes personal and clinical data on behalf of institutional customers acting as Data Controllers.

Purpose & Scope

This Data Processing Agreement ("DPA") supplements the main service agreement between ClinexaOS Inc. ("Processor") and the contracting institution ("Controller"). It applies wherever ClinexaOS processes personal data (including health data) on behalf of the Controller in connection with the provision of the platform.

Default position: Under standard platform operation, ClinexaOS processes submitted clinical data entirely in-session and retains nothing. This DPA primarily governs use cases where Controllers configure optional data retention for audit or retrospective review purposes.

Processing Activities

ClinexaOS processes data on the Controller's behalf to provide:

  • AI-assisted interpretation of submitted medical images and clinical reports
  • Generation of structured diagnostic output and confidence scoring
  • Optional audit log storage where enabled by the Controller
  • API integration services connecting the platform to the Controller's EMR/PACS infrastructure

Controller Obligations

The Controller warrants that it has a lawful basis for processing under applicable data protection law, that all data subjects have been appropriately informed, and that submission of clinical data to ClinexaOS is compliant with applicable healthcare data regulation in the relevant jurisdiction.

Processor Obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure all personnel with access to data are bound by confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance with this DPA

Subprocessors

ClinexaOS uses a limited set of approved subprocessors for cloud infrastructure and payment processing. A current list of subprocessors is available upon request. Controllers will be notified of any intended changes to subprocessors with a minimum of 30 days' notice.

Cross-Border Transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, ClinexaOS relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. Institution-specific transfer impact assessments are available on request.

Requesting a Signed DPA

Enterprise customers requiring a countersigned DPA should contact info@clinexaos.com. Standard DPAs are processed within 5 business days. Custom DPAs are subject to legal review timelines.

Related Legal Documents
🔒

Privacy Policy

📜

Terms of Use

🛡️

Security

Compliance

📧

info@clinexaos.com

Request signed DPA