Data Processing Agreement (DPA)

Parties and term

Controller: Clinic or healthcare organisation named in the Order Form.

Processor: EpicRose LLC.

Effective date: 12.04.2022. Term: coterminous with the Master Services Agreement (MSA) / Order Form.

1. Subject matter and duration

Subject matter: administrative messaging and inbox services (reminders, self-reschedule links, waitlist, no-show recovery, voicemail-to-text triage).

Duration: during the service term.

2. Nature and purpose of processing

Sending and managing service communications and administrative tasks relating to appointments and front-end billing, on the Controller's documented instructions.

3. Types of personal data & data subjects

Data subjects: patients and clinic staff involved in scheduling.

Personal data: name, contact details, appointment identifiers, timing, location, non-clinical notes required for messaging; staff work emails.

Special categories: excluded. Processor will not process protected health information (PHI) or other special-category data. Controller undertakes not to transmit PHI to the Processor.

4. Processor obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure confidentiality of personnel with access to personal data; train personnel; maintain records of processing activities.
  • Implement technical and organisational measures (TOMs): encryption in transit, access control, MFA, logging, least privilege, data minimisation.
  • Assist the Controller with data-subject requests, data protection impact assessments (DPIAs), security obligations and PECR compliance for service messaging.
  • Notify the Controller without undue delay of any personal-data breach, providing incident details and mitigation steps.
  • Delete or return personal data at the end of the contract (at the Controller's election), unless legally required retention applies.
  • Make available the information needed to demonstrate compliance; allow audits on reasonable notice.

5. Sub-processing

Processor may use sub-processors to deliver messaging, inbox, forms, telephony, analytics and billing. Processor maintains a current list of sub-processors, available on request.

Processor imposes data-protection obligations equivalent to this DPA on each sub-processor by written contract and remains fully liable for the acts and omissions of its sub-processors.

6. International transfers

Any transfer of personal data outside the UK/EU will rely on valid safeguards (the UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy decision). Details are provided on request.

7. Security summary

Access control with MFA; role-based permissions; encryption in transit; segmented environments; logging and monitoring; vendor risk management; incident response.

8. Controller obligations

Provide lawful instructions; ensure a valid legal basis for messaging patients; not transmit PHI to the Processor; obtain the necessary consents and provide the required notices to data subjects under PECR/GDPR.

9. Liability and conflicts

This DPA is subject to the liability caps and other terms of the MSA. In the event of a conflict between this DPA and the MSA, the stricter data-protection obligation prevails.

10. Termination

Upon termination, Processor will delete or return personal data, at the Controller's election, within 30 days, save where legally required retention applies.

Signatures

Signed for and on behalf of Controller: Name / Title / Date / Signature

Signed for and on behalf of Processor (EpicRose LLC): Name / Title / Date / Signature