Data Protection Agreement
Version 1.0 — Effective Date: 18 Aug 2025
This Data Processing Agreement (“DPA”) forms part of the agreement between Brainox Tech, operating the Doxmate platform (“Processor”), and the clinic, hospital, healthcare organisation, or authorised representative (“Controller”).
This DPA governs the processing of personal data by Doxmate on behalf of the Controller in accordance with applicable data protection laws, including the EU/UK General Data Protection Regulation (GDPR), Indian IT Act, and other relevant international privacy laws.
1. Definitions
“Controller”: The clinic/hospital that determines the purposes and means of processing patient and staff personal data.
“Processor”: Brainox Tech, provider of Doxmate, processing personal data on behalf of the Controller.
“Data Subject”: Patients, staff, or individuals whose data is processed.
“Personal Data”: Any information relating to an identifiable individual.
“Services”: Appointment automation, WhatsApp messaging, scheduling, reminders, dashboards, embedded signup, and related functionalities provided by Doxmate.
“Subprocessors”: Third parties engaged by the Processor to assist in delivering services.
2. Subject Matter & Purpose of Processing
The Processor processes Personal Data solely for purposes of:
Appointment creation, scheduling, confirmations, and reminders
Administrative WhatsApp messaging using WhatsApp Cloud API
User account creation and authentication
Dashboard & calendar operations
System monitoring and analytics
Customer support and technical troubleshooting
No processing occurs beyond service delivery, legal compliance, or Controller instructions.
3. Categories of Personal Data
The Processor may process:
A. Patient Data
Name
Phone number
Appointment time/date
Notes required for administrative scheduling
B. Clinic/Staff Data
Names, roles
Phone numbers, business emails
Working hours, clinic profile
C. Messaging Data
Administrative WhatsApp message content
Delivery/read status & metadata
D. Technical Data
IP address
Logs, device data
API usage
The Processor does not intentionally process medical records (diagnosis, prescriptions, lab results).
4. Duration of Processing
Processing continues until:
The service agreement ends, or
The Controller requests deletion, subject to legal retention requirements
Backup systems purge after the retention window (typically 30 days).
5. Processor Obligations
The Processor shall:
5.1 Process Data Only Under Controller Instructions
No processing occurs except:
As required for providing the service
As required by law
As instructed by the Controller
5.2 Maintain Security Measures
Including:
Encryption (in transit & at rest)
SOC2/ISO-compliant infrastructure (AWS)
Access control & login security
Regular audits, vulnerability scanning, logging
Incident detection & breach response procedures
5.3 Confidentiality
All employees, contractors, and subprocessors must sign confidentiality agreements.
5.4 Assist Controller with Data Rights Requests
Including:
Access
Correction
Deletion
Objection
Restriction
Portability
Requests must be verified to prevent unauthorized access.
5.5 Incident Notification
If a data breach occurs:
The Processor will notify the Controller without undue delay
Provide necessary details for compliance
Assist in remediation
5.6 Provide Information for Audits
The Controller may request:
Security documentation
Subprocessor information
System architecture descriptions
Formal audits may require additional arrangements.
6. Controller Obligations
The Controller shall:
Ensure lawful basis for processing personal data
Obtain patient consent if required by local law
Ensure only necessary data is shared
Not upload sensitive medical data unless lawfully authorized
Maintain secure access to accounts
Comply with Meta/WhatsApp policies
The Controller is responsible for accuracy of personal data provided.
7. Subprocessors
The Processor may use the following categories of subprocessors:
Messaging
Meta Platforms / WhatsApp Cloud API
Cloud & Hosting
Amazon Web Services (AWS) — storage, compute, networking
Analytics & Monitoring
Google Analytics, logging/monitoring providers
Billing
Payment processors (Stripe, Razorpay, etc.)
Subprocessors must meet contractual and technical security requirements.
The Controller will be informed of material changes to subprocessors where legally required.
8. International Data Transfers
Data may be stored in AWS regions outside the Controller’s jurisdiction.
The Processor uses safeguards including:
Standard Contractual Clauses (SCCs)
Encryption
Access controls
Industry-standard security certifications
By using the service, the Controller acknowledges and approves cross-border transfers.
9. Data Deletion & Return
Upon account closure or valid request:
Processor will delete personal data within 30 days
Backups are purged automatically within retention windows
Data may be returned to the Controller upon written request before deletion
Some data may be retained where legally required (tax, billing, fraud prevention)
10. Breach Notification
The Processor will:
Notify the Controller promptly
Provide available details (impact, scope, type)
Assist in mitigation
Provide cooperation with authorities
11. Liability & Indemnity
Each party remains responsible for its own compliance under applicable laws.
The Controller remains responsible for lawful collection of data.
The Processor remains responsible for safeguarding data under its control.
Neither party is liable for breaches caused by the other’s negligence or non-compliance.
12. Governing Law
This DPA is governed by the governing law of the primary service agreement between the parties.
13. Termination
Upon termination:
Processing ceases
Accounts are disabled
Data is deleted according to Section 9
Obligations regarding confidentiality and security remain in effect
14. Contact Information
Brainox Tech — Doxmate Data Protection Office
📧 privacy@brainoxtech.com
📧 support@doxmate.in
Website: https://www.doxmate.in
Company Website: https://www.brainoxtech.com