Data Processing Agreement

Last updated: March 15, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller" or "Subscriber") and AI4DOCS.AI LTD (the "Processor") for the use of the AI4Docs.AI Clinical Documentation Assistant and Smart EMR services. By using the Service, you accept the terms of this DPA. This DPA is incorporated into and supplements our Terms & Conditions.

Article 1 Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (including GDPR, UK GDPR, and equivalent regulations).
"Patient Data" means health-related personal data of the Controller's patients that is processed through the Service, including audio recordings, clinical notes, diagnoses, and treatment information.
"Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Service" means the AI4Docs.AI Clinical Documentation Assistant and Smart EMR platform.
"Applicable Data Protection Law" means GDPR (EU) 2016/679, UK GDPR, and any equivalent data protection legislation applicable in the Controller's jurisdiction.

Article 2 Roles and Responsibilities

2.1 The Controller (you, the healthcare provider) determines the purposes and means of processing Patient Data. You are responsible for ensuring a lawful basis for processing, obtaining appropriate patient consent, and complying with all applicable data protection and healthcare regulations.

2.2 The Processor (AI4DOCS.AI LTD) processes Patient Data solely on documented instructions from the Controller and only for the purpose of providing the Service. The Processor does not independently determine how Patient Data is used.

2.3 For Smart EMR users: all patient records are stored on the Controller's own Google Drive. The Processor accesses the Controller's Google Sheet only when explicitly authorised, and only to facilitate CDA integration (reading patient context, writing generated notes).

Article 3 Scope and Purpose of Processing

3.1 Purpose: The Processor processes Patient Data solely to provide the clinical documentation service, specifically:

Receiving and processing audio recordings, text, and uploaded documents from the Controller
Transmitting data to AI models (Google Vertex AI) for clinical note generation
Returning generated clinical notes to the Controller's browser
For Smart EMR users: reading patient context from and writing generated notes to the Controller's Google Sheet

3.2 Categories of Data Subjects:

Patients of the Controller (whose clinical data is processed through the Service)
The Controller themselves (account and professional profile data)

3.3 Types of Personal Data Processed:

Data Category	Processing Method	Retention
Patient audio recordings	Transient processing (in-memory or temporary GCS storage)	Maximum 24 hours (auto-deleted)
Patient clinical text (symptoms, history, findings)	Transient processing (in-memory only)	Not retained
Uploaded medical documents	Transient processing (in-memory only)	Not retained
Generated clinical notes	Returned to Controller's browser or Google Sheet	Not retained by Processor
Controller's professional profile	Stored in Supabase database	Duration of account + 30 days
Controller's email and authentication	Stored in Supabase Auth	Duration of account + 30 days

Article 4 Duration

4.1 This DPA shall remain in effect for the duration of the Controller's use of the Service.

4.2 Upon termination of the Service agreement, the Processor shall delete all Controller account data within 30 days, unless retention is required by law. Patient Data is not retained beyond the brief processing window and requires no deletion action.

Article 5 Technical and Organisational Measures

The Processor implements the following measures to protect Personal Data:

5.1 Encryption

TLS 1.2+ encryption for all data in transit
AES-256 encryption at rest for all stored data (Google Cloud, Supabase)
HSTS headers to prevent protocol downgrade attacks

5.2 Access Controls

Least-privilege service accounts with role-based permissions
Row-level security on database tables (users access only their own data)
API key validation for Smart EMR endpoints
Signed URLs with 15-minute expiry for temporary file uploads

5.3 Data Minimisation

Zero-storage architecture: Patient Data is not persisted in any database
Temporary audio files auto-deleted within 24 hours
PHI exclusion filter prevents patient data from appearing in system logs

5.4 Infrastructure Security

Backend hosted on Google Cloud Platform under signed HIPAA BAA
Containerised deployment on Cloud Run with auto-scaling
Cloud audit logging with 6-year retention
Security headers on all HTTP responses (X-Frame-Options, X-Content-Type-Options, CSP)

5.5 AI Processing Security

Google Vertex AI operates statelessly: no input/output storage, no model training on customer data
Vertex AI is HIPAA-eligible under Google Cloud's BAA

Article 6 Sub-processors

6.1 The Controller authorises the Processor to engage the following sub-processors:

Sub-processor	Purpose	Location
Google Cloud Platform	Backend hosting, AI processing (Vertex AI), temporary storage	United States (us-central1)
Firebase Hosting (Google)	CDA application frontend	Global CDN (Google Cloud)
Supabase	Authentication, doctor profiles, usage tracking	Frankfurt, Germany (EU)
Stripe	Payment processing	United Kingdom
Resend	Transactional email delivery	United States

6.2 The Processor shall notify the Controller at least 30 days before engaging a new sub-processor. The Controller may object to the appointment of a new sub-processor by notifying the Processor in writing within 14 days.

6.3 The Processor ensures that all sub-processors are bound by data protection obligations no less protective than those in this DPA.

Article 7 Data Subject Rights

7.1 The Processor shall assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) in relation to Personal Data processed through the Service.

7.2 If the Processor receives a request directly from a data subject, the Processor shall promptly forward the request to the Controller and shall not respond directly unless instructed to do so.

7.3 Due to the zero-storage architecture, Patient Data is not retained by the Processor. Requests for erasure of Patient Data require no action by the Processor, as no Patient Data is stored. The Processor will confirm this in writing upon request.

Article 8 Data Breach Notification

8.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data breach affecting the Controller's data.

8.2 The notification shall include:

A description of the nature of the breach, including categories and approximate number of data subjects affected
The name and contact details of the Processor's point of contact
A description of the likely consequences of the breach
A description of the measures taken or proposed to address the breach and mitigate its effects

8.3 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

8.4 Due to the zero-storage architecture, the risk of a Patient Data breach is inherently limited to data in transit during the brief processing window. There is no stored Patient Data that could be compromised.

Article 9 Data Return and Deletion

9.1 Patient Data is not stored by the Processor and therefore does not require return or deletion. Generated clinical notes are delivered to the Controller's browser or Google Sheet in real-time.

9.2 Upon termination of the Service agreement, the Processor shall:

Delete the Controller's account data (profile, preferences, authentication) within 30 days
Delete any associated data from Supabase (profile, logo, templates) within 30 days
Confirm deletion in writing upon request

9.3 Data retained for legal or regulatory purposes (billing records, audit logs) shall be handled in accordance with applicable law and deleted when no longer required.

Article 10 Audit Rights

10.1 The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable advance notice (at least 30 days) and during normal business hours.

10.2 The Processor shall make available all information necessary to demonstrate compliance, including documentation of technical and organisational measures, sub-processor agreements, and incident response procedures.

10.3 The Processor may satisfy audit requests by providing existing compliance documentation, certifications, or audit reports from sub-processors (such as Google Cloud SOC 2 reports or Stripe PCI DSS attestations).

Article 11 International Data Transfers

11.1 Personal Data may be transferred to and processed in the United States (Google Cloud backend, us-central1) and the European Union (Supabase, Frankfurt). Payment data is processed in the United Kingdom (Stripe).

11.2 For transfers from the EEA/UK to the US, the Processor relies on:

Google Cloud's Data Processing Addendum with Standard Contractual Clauses (SCCs)
Stripe's Data Processing Agreement with SCCs

11.3 Account data (profiles, authentication) is stored in the EU (Supabase, Frankfurt) and does not require international transfer mechanisms for EEA data subjects.

11.4 The Processor shall ensure that any international transfer of Personal Data complies with applicable data protection law.

Article 12 Confidentiality

12.1 The Processor shall ensure that all personnel authorised to process Personal Data are bound by obligations of confidentiality.

12.2 The Processor shall not disclose Personal Data to any third party except as required to provide the Service (via authorised sub-processors) or as required by law.

Article 13 Liability

13.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms & Conditions.

13.2 Nothing in this DPA limits either party's liability for breaches of applicable data protection law to the extent such limitation is prohibited by law.

Article 14 Governing Law

14.1 This DPA is governed by the laws of England and Wales.

14.2 For Controllers located in the European Economic Area, this DPA shall be interpreted in accordance with GDPR (EU) 2016/679. For Controllers located in the United Kingdom, it shall be interpreted in accordance with the UK GDPR.

Article 15 Acceptance

By creating an account and using the AI4Docs.AI Service, the Controller accepts the terms of this Data Processing Agreement. If you require a signed copy of this DPA for your records, please contact us at support@ai4docs.ai.

Contact

For questions about this Data Processing Agreement:

Email: support@ai4docs.ai
Data Protection Officer: Prof. Dr. Alaa Meshref
Company: AI4DOCS.AI LTD
Address: 167-169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom
Company No. 16893518
ICO Registration: C1891752