Data Processing Agreement

Parties and scope

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or other written agreement between FASTCLINIC LIMITED (RC 1919428), a company incorporated in Nigeria under the Companies and Allied Matters Act 2020 ("Processor" or "Fastclinic"), and the entity identified in the applicable agreement ("Controller" or "Customer").

This DPA applies where Fastclinic processes personal data on behalf of the Customer in the course of providing Fastclinic's enterprise healthcare software platform and related services (the "Services"). In that context the Customer determines the purposes and means of processing and Fastclinic acts on the Customer's documented instructions.

This DPA does not apply to processing in which Fastclinic acts as an independent controller of personal data. That includes, for example: Fastclinic's own marketing and website analytics; support correspondence with Fastclinic staff; personal FastLogin accounts that individuals create directly at idms.fastclinic.xyz (such accounts are governed by our Privacy Policy); and the operation of Fastclinic's shared identity, credit, and audit services at platform level. The same individual may appear in both contexts; the governing instrument in each case is determined by who decides the purpose of processing for that data set, not by the identity of the subject.

This DPA is designed to meet the requirements of the Nigeria Data Protection Act 2023 ("NDPA") and subsidiary regulations issued by the Nigeria Data Protection Commission ("NDPC").

Definitions

In this DPA, unless the context requires otherwise:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the NDPA.
  • "Sensitive Personal Data" means personal data revealing health status, medical records, biometric data, genetic data, or any other category designated as sensitive under the NDPA.
  • "Processing" means any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
  • "Data Subject" means the natural person to whom personal data relates, including patients, healthcare providers, staff, and end-users of the Services.
  • "Sub-processor" means any third party engaged by Fastclinic to process personal data on behalf of the Customer.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
  • "Applicable Data Protection Law" means the NDPA, NDPC regulations, and any other applicable data protection legislation in force in the Federal Republic of Nigeria.

Subject matter and duration

Fastclinic processes personal data solely for the purpose of performing the Services described in the applicable agreement. The categories of data, data subjects, and processing activities are as follows:

  • Data subjects: Patients, healthcare providers, administrative staff, and other end-users of the Customer's deployment of the Services.
  • Categories of personal data: Names, contact details, demographic information, employment information, health records, diagnostic data, prescription information, billing and payment data, usage data, and authentication credentials.
  • Sensitive personal data: Health and medical records, diagnostic results, prescription histories, biometric data (where applicable).
  • Nature of processing: Collection, storage, organisation, retrieval, consultation, use, transmission, and erasure in the provision of EMR, HMS, billing, telehealth, laboratory, pharmacy, AI-assisted, and related healthcare software services.
  • Duration: Processing continues for the term of the applicable agreement, plus any retention period required by applicable law or agreed between the parties.

Controller obligations

The Customer, as Controller, shall:

  • Ensure that the collection and transfer of personal data to Fastclinic is lawful under the NDPA, including obtaining necessary consents or establishing another valid legal basis.
  • Provide clear, accurate instructions to Fastclinic regarding the processing of personal data.
  • Ensure that data subjects have been informed about the processing of their personal data in accordance with applicable transparency requirements.
  • Conduct Data Protection Impact Assessments ("DPIAs") where required by the NDPA, particularly for large-scale processing of health data.
  • Maintain records of processing activities as required under the NDPA.
  • Appoint a Data Protection Officer where required by the NDPA or NDPC guidelines.
  • Promptly notify Fastclinic of any data subject requests, complaints, or regulatory inquiries that may affect the processing.

Processor obligations

Fastclinic, as Processor, shall:

  • Process personal data only on documented instructions from the Customer, unless required to do so by Nigerian law, in which case Fastclinic shall inform the Customer of that legal requirement before processing (unless prohibited from doing so).
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organisational measures as set out in Section 8 of this DPA.
  • Respect the conditions for engaging sub-processors as set out in Section 6 of this DPA.
  • Assist the Customer, taking into account the nature of the processing, in responding to requests for exercising data subject rights.
  • Assist the Customer in ensuring compliance with obligations relating to security of processing, notification of data breaches, DPIAs, and prior consultation with the NDPC.
  • At the Customer's choice, delete or return all personal data to the Customer after the end of the provision of Services, and delete existing copies unless Nigerian law requires storage.
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections.

Sub-processors

The Customer provides general written authorisation for Fastclinic to engage sub-processors for the performance of specific processing activities. The current list of principal sub-processors that may process Customer personal data is:

  • Sub-processor: Amazon Web Services, Inc. Role: Cloud hosting (compute, database, object storage, managed secrets, write-once audit storage, key management). Location: Primary regions aligned with Nigerian deployment; limited global services where contractually permitted.
  • Sub-processor: Termii Limited. Role: SMS delivery for identity-proofing and recovery codes. Location: Nigeria.
  • Sub-processor: Resend, Inc. Role: Transactional email delivery. Location: United States (safeguarded by standard contractual clauses).
  • Sub-processor: Cloudflare, Inc. Role: Network edge, TLS termination, and abuse protection. Location: Global edge (safeguarded by cross-border safeguards).

Enterprise Customers receive the full list, including non-principal sub-processors, on request under the Customer's active agreement.

Fastclinic shall notify the Customer of any intended changes to the list of sub-processors at least thirty (30) days before the engagement of a new sub-processor, giving the Customer an opportunity to object. If the Customer objects on reasonable grounds relating to data protection, the parties shall discuss the matter in good faith.

Where Fastclinic engages a sub-processor, it shall impose data protection obligations no less protective than those set out in this DPA by way of a written contract. Fastclinic remains fully liable to the Customer for the performance of the sub-processor's obligations.

International data transfers

Fastclinic shall not transfer personal data outside the Federal Republic of Nigeria unless:

  • The receiving country has been determined by the NDPC to provide an adequate level of data protection; or
  • Appropriate safeguards have been put in place, such as binding corporate rules, standard contractual clauses approved by the NDPC, or other legally recognised transfer mechanisms; or
  • A derogation under the NDPA applies (e.g., explicit consent of the data subject, performance of a contract).

Where transfers are necessary for the provision of cloud infrastructure services, Fastclinic shall ensure that the cloud provider maintains security certifications (such as ISO 27001 or SOC 2) and that contractual safeguards are in place.

Technical and organisational measures

Fastclinic implements and maintains the following technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:

  • Encryption: AES-256 (or stronger equivalent) encryption at rest for databases, object storage, and backups; modern transport layer security in transit; envelope encryption under cloud-provider key management for sensitive fields such as provider verification records.
  • Identity and access: Role-based access control with least privilege; multi-factor authentication for every staff role with production access; phishing-resistant authentication (WebAuthn) required for administrative roles and for clinical-tool access; step-up authentication for sensitive actions; time-bound privileged access with logging and periodic review.
  • Network security: Firewalls, web application protections, network segmentation, administrator hostname isolation with network allowlisting, and abuse protection at the edge.
  • Audit logging and integrity: Hash-chained audit log covering authentication, privilege changes, verification decisions, data exports, and OAuth2 client management. Each entry commits the hash of its predecessor; tampering with historical rows is detectable at verification time. A daily root hash is published to write-once storage. Secret fields (tokens, passwords, keys) are rejected at the write layer. Audit entries retained for a minimum of seven (7) years.
  • Physical security: Data-centre access controls, environmental protections, and continuous monitoring at the infrastructure provider level.
  • Business continuity: Encrypted backups with tested restore procedures, redundancy across availability zones, documented disaster-recovery plans, and a 99.9% uptime target per the SLA.
  • Personnel: Confidentiality obligations, mandatory data-protection training, and role-specific access reviews. Background checks for roles that handle sensitive personal data, to the extent permitted by Nigerian law.
  • Fraud and abuse prevention: Rule-based risk signals at sign-in for accounts with clinical reach (device recognition, country-level change detection, off-hours pattern detection) that trigger step-up authentication rather than silent denial; rate limiting on authentication and sensitive API routes.
  • Vulnerability management: Regular vulnerability scanning, dependency review, and patch management; independent penetration testing at defined cadence with severity-based remediation service levels; coordinated disclosure programme.
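The hash-chained audit log and daily root hash described in the "Audit logging and integrity" measure above, as an added illustration rather than Fastclinic's own code. It assumes SHA-256 over a canonical JSON encoding, a constructed set of rejected secret field names (the page names only tokens, passwords and keys), and constructed sample events; it shows that an in-place edit breaks chain verification, and that an edit followed by recomputing every hash passes internal verification and is caught only by comparing against the externally published root.

```python
import hashlib
import json

GENESIS = "0" * 64
# Field names refused at the write layer (assumed set; the page names tokens, passwords, keys)
SECRET_FIELDS = {"token", "access_token", "password", "secret", "key", "api_key"}

def entry_hash(prev_hash: str, payload: dict) -> str:
    # Commit the predecessor's hash together with a canonical encoding of this entry
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()

class AuditLog:
    def __init__(self):
        self.entries = []  # each entry: {"prev": ..., "payload": ..., "hash": ...}
    def append(self, payload: dict) -> None:
        forbidden = SECRET_FIELDS & {k.lower() for k in payload}
        if forbidden:  # secrets never reach the log
            raise ValueError(f"secret fields rejected: {sorted(forbidden)}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "payload": dict(payload), "hash": entry_hash(prev, payload)})
    def verify(self):
        # Return the index of the first inconsistent entry, or None if the chain is intact
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["payload"]) != e["hash"]:
                return i
            prev = e["hash"]
        return None
    def root_hash(self) -> str:
        # Hash of the latest entry: the value anchored daily in write-once storage
        return self.entries[-1]["hash"] if self.entries else GENESIS

def tamper_demo() -> dict:
    log = AuditLog()  # constructed sample events
    log.append({"event": "login", "actor": "dr.ada", "ts": "2024-03-01T08:00:00Z"})
    log.append({"event": "export", "actor": "dr.ada", "ts": "2024-03-01T09:10:00Z"})
    published_root = log.root_hash()  # anchored externally at end of day
    clean = log.verify()
    log.entries[1]["payload"]["actor"] = "mallory"  # historical row edited in place
    tampered = log.verify()
    prev = GENESIS  # every hash recomputed to conceal the edit: chain looks intact again
    for e in log.entries:
        e["prev"], e["hash"] = prev, entry_hash(prev, e["payload"])
        prev = e["hash"]
    return {"clean": clean, "tampered_index": tampered, "rechained": log.verify(),
            "root_matches_published": log.root_hash() == published_root}
```

The published root is what turns a self-consistent rewrite into a detectable one, which is why the anchor must live outside the writable log store.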

Data subject requests

Fastclinic shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures for the fulfilment of the Customer's obligation to respond to requests from data subjects exercising their rights under the NDPA, including rights of access, rectification, erasure, restriction, portability, and objection. Assistance may include providing export tooling, deletion utilities, and access logs for the Customer's production tenant.

If Fastclinic receives a request directly from a data subject relating to personal data it processes on behalf of the Customer, it shall promptly redirect the request to the Customer, unless otherwise instructed. Fastclinic shall not respond to such requests directly except on the Customer's documented instructions or as required by applicable law.

Requests concerning personal data that Fastclinic holds as controller (for example, FastLogin identity accounts created directly by individuals) are handled by Fastclinic under its Privacy Policy rights framework and do not fall under this DPA.

Personal data breach notification

Fastclinic shall notify the Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a personal data breach affecting personal data processed under this DPA.

The notification shall include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The name and contact details of the point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

Fastclinic shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the data breach. Fastclinic shall assist the Customer in meeting the Customer's obligation to notify the NDPC and affected data subjects where required under the NDPA.

Audit and inspection rights

Fastclinic shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA.

The Customer may, at its own expense and upon at least thirty (30) business days' written notice, conduct an audit of Fastclinic's processing activities and security measures, subject to reasonable confidentiality obligations. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Fastclinic's operations.

As an alternative to on-site audits, Fastclinic may provide the Customer with copies of relevant third-party audit reports, certifications, or summaries of penetration testing results, subject to confidentiality obligations.

Data deletion and return

Upon termination or expiry of the applicable agreement, Fastclinic shall, at the Customer's election:

  • Return all personal data to the Customer in a commonly used, machine-readable format; or
  • Securely delete all personal data and certify such deletion in writing.

Fastclinic shall complete the return or deletion within ninety (90) days of termination, unless Nigerian law requires continued storage, in which case Fastclinic shall inform the Customer and isolate the data from further processing.

Liability and indemnity

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the applicable agreement between the parties.

Fastclinic shall indemnify the Customer against losses arising from Fastclinic's breach of this DPA or applicable data protection law, subject to the liability caps in the applicable agreement.

Governing law

This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Federal Capital Territory, Abuja, Nigeria, unless the applicable agreement specifies a different dispute resolution mechanism.

For questions regarding this Data Processing Agreement, please contact us at contact@fastclinic.xyz.