Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of our Terms & Conditions between you, the clinic or business using Documenti ("Controller", "you"), and Apavai Ltd, trading as Documenti, company number 17036797, registered office 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ ("Processor", "we", "us").
1. Parties and roles
You act as the data controller for personal data relating to your patients and staff. We act as your data processor when we process that personal data on your behalf through the Documenti platform, in accordance with UK GDPR and the Data Protection Act 2018.
2. Subject matter and duration
We process personal data to provide the Documenti clinic management service, including patient records, treatment maps, clinical notes, digital consent forms, images, audit trails, and related features you use. Processing continues for the duration of your subscription and until you delete data or we delete it in line with our retention policies after termination.
3. Nature and purpose of processing
Processing includes storing, organising, retrieving, using, disclosing (where you direct), backing up, and deleting personal data as necessary to:
- Host and operate your clinic's Documenti account and tenant environment
- Store and display patient records, clinical documentation, and consent records you enter
- Provide treatment mapping, clinical notes, and digital consent workflows
- Send service-related emails and notifications you configure
- Process subscription billing and payment records via Stripe (card data is handled by Stripe; we do not store full card numbers)
- Maintain security, backups, access logs, and audit trails
- Provide customer support and troubleshoot issues you report
4. Types of personal data and data subjects
Categories of data subjects include your patients, and staff or end users you invite to the Platform. Categories of personal data may include:
- Identity and contact details (name, email, phone, address, date of birth)
- Health and clinical data, including medical history, treatment records, clinical notes, and consent records (special category data under UK GDPR)
- Before and after photographs and other images you upload to patient records
- Treatment map data, including injection points, products, units, and session history
- Digital signatures and consent audit trails
- Staff user accounts, roles, and activity within your clinic tenant
- Technical logs (IP address, device/browser data, login times) for security and support
5. Your obligations as controller
You warrant that you have a lawful basis and, where required, appropriate consents to process personal data and to instruct us as processor. This includes ensuring you have informed patients appropriately and obtained any consents required for health data and clinical photography.
You are responsible for the accuracy of data you upload and for providing privacy information to your patients. You will not instruct us to process personal data in breach of UK GDPR or applicable healthcare regulations.
6. Our obligations as processor
We will:
- Process personal data only on your documented instructions, including as set out in this DPA, our Terms & Conditions, and your use of the Platform
- Ensure persons authorised to process personal data are bound by confidentiality
- Implement appropriate technical and organisational measures to protect personal data
- Assist you, where reasonably possible, with data subject requests and your compliance obligations
- Notify you without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach affecting your data
- At your choice, delete or return personal data when you cease using the service, subject to legal retention requirements
- Make available information necessary to demonstrate compliance and allow audits on reasonable notice, subject to confidentiality and security
7. Sub-processors
You authorise us to engage sub-processors who assist in providing the service. Our key sub-processors include Google Cloud Platform (application hosting, database, and file storage in the EU) and Stripe (subscription payment processing). We may also use providers for email delivery, error monitoring, and customer support as listed in our Privacy Policy.
We impose data protection terms on sub-processors that are substantially similar to this DPA. We will inform you of material changes to sub-processors where required by law. An up-to-date list is maintained in our Privacy Policy.
8. International transfers
Patient and clinic data is hosted on Google Cloud Platform in the europe-west1 region (Belgium). Subscription billing data is processed by Stripe, which may process data outside the United Kingdom. Other sub-processors may also process data outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement and/or UK Addendum to the EU Standard Contractual Clauses.
9. Security
We maintain administrative, physical, and technical safeguards appropriate to the risk, including encryption in transit (HTTPS/TLS), encryption at rest on our infrastructure, access controls, authentication, regular backups, and monitoring. Details are summarised in our Privacy Policy and may be provided on request.
10. Liability
Each party's liability under this DPA is subject to the limitation of liability in our Terms & Conditions. Nothing in this DPA limits either party's liability for breaches of UK GDPR where liability cannot be limited by law.
11. Contact
For data protection enquiries, contact us or write to Apavai Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.