Skip to main content

Data Processing Addendum

Effective date: 8 July 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Sarjudas Digital Trading and Escrow Services LLC (trading as OduDoc, the "Processor") and the organisation using the Service (the "Controller"). It governs the processing of personal data in accordance with the Indian Digital Personal Data Protection Act 2023 (DPDP) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Subject matter and purpose

The Processor processes personal data on behalf of the Controller solely to provide the Service — telemedicine, electronic medical records, billing, pharmacy dispense, lab orders, and related healthcare workflows.

2. Categories of data subjects

3. Categories of personal data

4. Sub-processors

The Processor uses the following sub-processors. The Controller consents to these and will be notified at least 30 days before any addition.

Sub-processorPurposeData sharedRegion
Dedicated VPS hosting (self-managed)Application serverAll platform data (encrypted)Regional pod
Cloudflare, Inc.CDN, DNS, WAF, R2 object storageEncrypted files, request metadataGlobal edge / regional bucket
PostgreSQL hosted providerPrimary data storeAll platform dataRegional pod (IN/EU/US)
Razorpay Software Pvt LtdPayment gateway (India)Tokenised payment ref, amountIndia
Stripe PaymentsPayment gateway (international)Tokenised payment ref, amount, emailUS / EU
Google LLCSign-in, Gemini AI, MapsName/email (login); de-identified prompt text (AI, no PHI)US / global
Apple Inc.Sign in with AppleName, Apple relay emailUS / global
Meta PlatformsFacebook Login, WhatsApp Business APIName/email (login); phone + message (WhatsApp)US / global
OpenAI · AnthropicAI failover (scribe, translation)De-identified prompt text — no PHI, not used for trainingUS
Daily.coVideo consultation infrastructureEphemeral room tokensUS / global
ResendTransactional email deliveryEmail address, message contentUS / EU
TelegramOptional OTP / notification deliveryChat ID, message contentGlobal

5. Security measures

The Processor maintains the security measures described at /security — 12 defence layers covering network, authentication, encryption at rest, file scanning, audit logging, and break-glass controls.

6. Data subject rights

The Processor provides tooling for the Controller to fulfil data-subject requests (export, delete, restrict, rectify) within 30 days of receipt. Requests originating directly with the Processor are forwarded to the Controller within 5 business days.

7. Breach notification

The Processor will notify the Controller of a personal data breach within 72 hours of becoming aware, providing the nature of the breach, affected data categories, likely consequences, and remediation steps.

8. International transfers

Patient health data is stored in the region of the Controller's primary operation. Indian Controllers are pinned to Indian data centres; transfers outside India require prior written approval from the Controller.

9. Termination

On termination of the Service, the Processor will return or delete all personal data within 60 days, except where retention is required by law (audit logs, financial records).

10. Governing law

This DPA is governed by the law stated in the Terms of Service for the Controller's region, and is read together with the healthcare-data laws of the Controller's jurisdiction (e.g. HIPAA in the US, the DPDP Act 2023 in India, the GDPR / UK GDPR in the EU/UK, the PDPL in the UAE). Where a jurisdiction grants a data subject a stronger right, that stronger right prevails.

11. Contact

Data Protection Officer: [email protected].
For executing this DPA, email [email protected] with your organisation name.