Data Processing Addendum
Last updated: 2026-04-23
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between eMedical Platform Pty Ltd (“Processor”) and the Clinic using the eMedical Platform service (“Controller”). It governs the processing of Personal Data, including Protected Health Information.
1. Definitions
- Personal Data — information relating to an identified or identifiable natural person.
- PHI — Protected Health Information as defined under HIPAA, where applicable.
- Processing — any operation performed on Personal Data.
- Subprocessor — a third party engaged by us to process Personal Data on behalf of the Controller.
- Data Protection Laws — GDPR, UK GDPR, Australian Privacy Act, HIPAA, CCPA/CPRA, and other applicable laws.
2. Roles
The Controller determines the purposes and means of Processing of Personal Data. eMedical Platform acts as Processor and Processes Personal Data only on documented instructions from the Controller, except where required by law.
3. Scope, duration, nature and purpose
- Subject matter: provision of the eMedical Platform practice-management service.
- Duration: the term of the subscription plus the retention periods below.
- Nature: storage, display, access, amendment, transmission, anonymisation, deletion and other operations required to deliver the service.
- Categories of data: identity and contact data; appointment and scheduling data; clinical notes; billing data; authentication data; usage metadata.
- Categories of data subjects: the Controller’s patients, staff, practitioners, and other authorised users.
4. eMedical Platform obligations
- Process Personal Data only on the Controller’s documented instructions.
- Ensure personnel with access are bound by confidentiality.
- Implement the technical and organisational measures in Annex 1.
- Assist the Controller with data-subject requests, DPIAs and regulator enquiries.
- Notify the Controller of Personal Data breaches without undue delay and in any event within 72 hours of awareness.
- Delete or return all Personal Data at the end of the engagement in line with clause 8.
- Make available the information necessary to demonstrate compliance and allow audits (see clause 7).
5. Subprocessors
The Controller provides general authorisation for eMedical Platform to engage Subprocessors listed in our Privacy Policy. We will:
- Impose contractual obligations on each Subprocessor equivalent to those in this DPA.
- Notify the Controller at least 30 days before adding or replacing a Subprocessor.
- Allow the Controller to object on reasonable grounds. If we cannot accommodate the objection, the Controller may terminate the affected service without penalty.
- Remain fully liable for Subprocessor performance.
6. International transfers
Personal Data is stored in the region selected by the Controller (AU/NZ, EU or US). Where a transfer outside that region is necessary, it is made on the basis of:
- Standard Contractual Clauses (EU/UK GDPR);
- an adequacy decision, where one exists;
- or appropriate safeguards under the Australian Privacy Act.
7. Audits
We will respond to reasonable audit enquiries by providing our most recent SOC 2 report, penetration-test summary and completed security questionnaires. On reasonable notice, and no more than once per year (except after a material breach), a Controller may conduct an on-site audit at their expense and subject to a non-disclosure agreement.
8. Return and deletion
On termination of the subscription, the Controller may export data for 60 days. After that window we will delete Personal Data from production systems within a further 30 days; copies held in backups are purged as those backups expire in the normal course of backup rotation, except where retention is required by law.
9. Breach notification
Notification will include, to the extent known: the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed to mitigate. We will cooperate with the Controller’s investigation and regulatory notifications.
10. HIPAA
Where the Controller is a Covered Entity or Business Associate under HIPAA and processes PHI using eMedical Platform, the Business Associate Agreement (“BAA”) executed between the parties forms part of this DPA. In case of conflict, the BAA prevails as to PHI.
11. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited by applicable law.
Annex 1 — Technical and organisational measures
Refer to our Security overview for the current list of controls. At a minimum:
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Row-level tenant isolation with database-enforced policies.
- MFA for all staff with production access; least-privilege IAM.
- Audit logging of PHI access and change; 6+ year retention.
- Annual third-party penetration testing.
- Documented incident-response runbook; breach notification within 72 hours.
- Quarterly disaster-recovery drills; 4-hour RTO / 15-minute RPO.
- Secure-development lifecycle with code review and dependency scanning.
Annex 2 — List of Subprocessors
Current list available at /privacy#subprocessors. Subscribe to change notifications at privacy@emedicalplatform.com.
How to execute
Clinics on the Clinic or Scale plan can request a countersigned copy of this DPA by emailing legal@emedicalplatform.com. Starter plan subscribers are bound to the version posted here as incorporated by reference in the Terms of Service.