Data Processing Addendum
Effective date: 8 July 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Sarjudas Digital Trading and Escrow Services LLC (trading as OduDoc, the "Processor") and the organisation using the Service (the "Controller"). It governs the processing of personal data in accordance with the Indian Digital Personal Data Protection Act 2023 (DPDP) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Subject matter and purpose
The Processor processes personal data on behalf of the Controller solely to provide the Service — telemedicine, electronic medical records, billing, pharmacy dispense, lab orders, and related healthcare workflows.
2. Categories of data subjects
- Patients of the Controller
- Doctors, nurses, and clinical staff employed by the Controller
- Administrative staff (billing, reception, pharmacy, lab) employed by the Controller
- Dependents of patients added under family-account scope
3. Categories of personal data
- Identity data: name, date of birth, gender, government ID
- Contact data: email, phone, address
- Health data: diagnoses, prescriptions, lab results, imaging, vitals, allergies
- Financial data: payment records, insurance claims, wallet balance
- Behavioural data: appointment history, login events, audit log
4. Sub-processors
The Processor uses the following sub-processors. The Controller consents to these and will be notified at least 30 days before any addition.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Dedicated VPS hosting (self-managed) | Application server | All platform data (encrypted) | Regional pod |
| Cloudflare, Inc. | CDN, DNS, WAF, R2 object storage | Encrypted files, request metadata | Global edge / regional bucket |
| PostgreSQL hosted provider | Primary data store | All platform data | Regional pod (IN/EU/US) |
| Razorpay Software Pvt Ltd | Payment gateway (India) | Tokenised payment ref, amount | India |
| Stripe Payments | Payment gateway (international) | Tokenised payment ref, amount, email | US / EU |
| Google LLC | Sign-in, Gemini AI, Maps | Name/email (login); de-identified prompt text (AI, no PHI) | US / global |
| Apple Inc. | Sign in with Apple | Name, Apple relay email | US / global |
| Meta Platforms | Facebook Login, WhatsApp Business API | Name/email (login); phone + message (WhatsApp) | US / global |
| OpenAI · Anthropic | AI failover (scribe, translation) | De-identified prompt text — no PHI, not used for training | US |
| Daily.co | Video consultation infrastructure | Ephemeral room tokens | US / global |
| Resend | Transactional email delivery | Email address, message content | US / EU |
| Telegram | Optional OTP / notification delivery | Chat ID, message content | Global |
5. Security measures
The Processor maintains the security measures described at /security — 12 defence layers covering network, authentication, encryption at rest, file scanning, audit logging, and break-glass controls.
6. Data subject rights
The Processor provides tooling for the Controller to fulfil data-subject requests (export, delete, restrict, rectify) within 30 days of receipt. Requests originating directly with the Processor are forwarded to the Controller within 5 business days.
7. Breach notification
The Processor will notify the Controller of a personal data breach within 72 hours of becoming aware, providing the nature of the breach, affected data categories, likely consequences, and remediation steps.
8. International transfers
Patient health data is stored in the region of the Controller's primary operation. Indian Controllers are pinned to Indian data centres; transfers outside India require prior written approval from the Controller.
9. Termination
On termination of the Service, the Processor will return or delete all personal data within 60 days, except where retention is required by law (audit logs, financial records).
10. Governing law
This DPA is governed by the law stated in the Terms of Service for the Controller's region, and is read together with the healthcare-data laws of the Controller's jurisdiction (e.g. HIPAA in the US, the DPDP Act 2023 in India, the GDPR / UK GDPR in the EU/UK, the PDPL in the UAE). Where a jurisdiction grants a data subject a stronger right, that stronger right prevails.
11. Contact
Data Protection Officer: [email protected].
For executing this DPA, email [email protected] with your organisation name.