Data Processing Agreement

Effective
2 June 2026
Last updated
2 June 2026
Version
v1

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditionsbetween the Customer (“Controller ”) and OGA Care(“Processor”) and governs the Processor’s processing of Personal Data on the Controller’s behalf in connection with the Services. It is designed to support obligations under the GDPR / UK GDPR, India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), and — where a BAA is signed — HIPAA.

1. Scope and Roles of the Parties

  • The Controller (the Customer) determines the purposes and means of processing Personal Data, including patient and clinical data it enters into the Services.
  • The Processor (OGA Care) processes Personal Data only on the Controller’s documented instructions to provide the Services.
  • For its own business operations (e.g. account administration of Authorised Users), OGA Care may act as an independent controller as described in the Privacy Policy.

2. Definitions

“Personal Data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given under applicable data-protection law. “PHI” means Protected Health Information as defined under HIPAA. “Sub-processor” means any third party engaged by the Processor to process Personal Data.

3. Processing Instructions

  • OGA Care processes Personal Data only to provide and support the Services, as instructed by the Controller through its use of the platform and this DPA, and as required by law.
  • OGA Care will inform the Controller if, in its opinion, an instruction infringes applicable data-protection law (without obligation to provide legal advice).
  • Personnel authorised to process Personal Data are bound by confidentiality obligations.
  • The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and the categories of data subjects are as described in the Services and the Privacy Policy.

4. PHI and Special-Category Data

The Services are used to process health and other special-category / sensitive Personal Data. OGA Careapplies heightened safeguards to such data and processes it strictly on the Controller’s instructions. Where the Controller is a HIPAA Covered Entity, OGA Carewill enter into a Business Associate Agreement (“BAA”); the BAA governs PHI and prevails over this DPA to the extent of any conflict regarding PHI. Request a BAA via support@ogacare.in.

Where the Controller’s users invoke the optional AI Clinical Assistant, only de-identified clinical context is transmitted to the AI sub-processor for processing.

Note: AI analysis is performed without collecting or processing patient personal information such as name, email address, phone number, or other identifying details.

5. Security Controls

Taking into account the state of the art and the risks of processing, OGA Care implements appropriate technical and organisational measures, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest.
  • Role-based access control, least-privilege provisioning, and tenant isolation.
  • Authentication via Clerk with multi-factor support.
  • Audit logging of access to sensitive records, with tamper-resistant storage.
  • Secrets management, dependency scanning, and network isolation.
  • Continuous monitoring, routine encrypted backups, and tested restore procedures.
  • Vendor due diligence and contractual data-protection terms with sub-processors.

6. Sub-Processors

The Controller authorises OGA Care to engage the sub-processors below. OGA Care imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. We will give the Controller prior notice of any intended addition or replacement of a sub-processor and an opportunity to object on reasonable data-protection grounds.

Sub-ProcessorPurposeData CategoriesProcessing Region
SupabasePrimary database, file/object storage, and point-in-time backupsTenant, patient, clinical, and billing records; uploaded filesIndia (ap-south-1, Mumbai)
Amazon Web Services (EC2)Application hosting and computeHosted application data in transit and on the hostIndia (ap-south-1, Mumbai)
ClerkAuthentication, session management, invite deliveryAccount, profile, and authentication metadataUnited States
RazorpaySubscription billing and payment processingBilling contact, payment metadata, invoice dataIndia
Anthropic (Claude AI)AI clinical-assistant text analysis and note draftingDe-identified clinical text only — no patient name, email, phone, or other direct identifiersUnited States
ResendTransactional email delivery (account, billing, security notices)Recipient email address and message contentUnited States
SentryError monitoring and performance diagnosticsDiagnostic data with PHI/PII redacted before transmissionUnited States / European Union

7. Cross-Border Processing and Transfers

Primary patient and tenant data, file storage, and database backups are hosted in India (ap-south-1, Mumbai) and are not transferred outside India in the ordinary course of providing the Services. Only the supporting sub-processors identified above as operating outside India process Personal Data abroad, and they do so on scrubbed, de-identified, or non-patient data.

Where such cross-border processing occurs, OGA Carerelies on a lawful transfer mechanism — such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or other safeguards permitted by applicable law, including any restrictions or notified country-specific requirements under the DPDP Act.

8. Retention and Deletion

  • OGA Care retains Personal Data only for as long as needed to provide the Services or as required by law.
  • On termination, the Controller may export Customer Data within 30 days, after which OGA Care deletes or anonymises it, except where law requires longer retention.
  • Records subject to statutory retention (e.g. clinical or financial records) may be retained for up to 2555 days (approximately 7 years).
  • Audit and security logs are retained for 1 year (365 days).

9. Assistance with Data-Subject Rights

OGA Careprovides functionality and reasonable assistance to help the Controller respond to data-subject (data-principal) requests — access, correction, deletion, portability, restriction, and objection. Where a data subject contacts OGA Care directly about data processed for a Controller, we refer the request to that Controller.

10. Personal Data Breach Handling

OGA Caremaintains incident-response procedures and will notify the affected Controller without undue delay after becoming aware of a Personal Data breach affecting that Controller’s data, providing information reasonably available to support the Controller’s own notification obligations. Our end-to-end process — including regulator and user-notification timelines — is described in the Breach Notification Policy.

11. Audits and Assistance

On reasonable written request and subject to confidentiality, OGA Care makes available information necessary to demonstrate compliance with this DPA and contributes to audits or inspections, which may be satisfied through up-to-date certifications, reports, or questionnaires where available.

12. Term and Termination

This DPA takes effect when the Controller begins using the Services and continues until all processing on the Controller’s behalf ends. Obligations that by their nature should survive termination (e.g. confidentiality and lawful retention) survive.

13. Contact

Data-protection enquiries and requests to execute a counter-signed DPA or BAA can be sent to support@ogacare.in or our Data Protection contact at support@ogacare.in.