Data Processing Agreement
Last updated:
On this page
- Parties and scope
- Definitions
- Subject matter and duration
- Controller obligations
- Processor obligations
- Sub-processors
- International data transfers
- Technical and organisational measures
- Data subject requests
- Personal data breach notification
- Audit and inspection rights
- Data deletion and return
- Liability and indemnity
- Governing law
Parties and scope
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or other written agreement between FASTCLINIC LIMITED (RC 1919428), a company incorporated in Nigeria under the Companies and Allied Matters Act 2020 ("Processor" or "Fastclinic"), and the entity identified in the applicable agreement ("Controller" or "Customer").
This DPA applies where Fastclinic processes personal data on behalf of the Customer in the course of providing Fastclinic's enterprise healthcare software platform and related services (the "Services").
This DPA is designed to meet the requirements of the Nigeria Data Protection Act 2023 ("NDPA") and subsidiary regulations issued by the Nigeria Data Protection Commission ("NDPC").
Definitions
In this DPA, unless the context requires otherwise:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the NDPA.
- "Sensitive Personal Data" means personal data revealing health status, medical records, biometric data, genetic data, or any other category designated as sensitive under the NDPA.
- "Processing" means any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
- "Data Subject" means the natural person to whom personal data relates, including patients, healthcare providers, staff, and end-users of the Services.
- "Sub-processor" means any third party engaged by Fastclinic to process personal data on behalf of the Customer.
- "Data Breach" (also referred to as a "personal data breach") means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data.
- "Applicable Data Protection Law" means the NDPA, NDPC regulations, and any other applicable data protection legislation in force in the Federal Republic of Nigeria.
Subject matter and duration
Fastclinic processes personal data solely for the purpose of performing the Services described in the applicable agreement. The categories of data, data subjects, and processing activities are as follows:
- Data subjects: Patients, healthcare providers, administrative staff, and other end-users of the Customer's deployment of the Services.
- Categories of personal data: Names, contact details, demographic information, employment information, health records, diagnostic data, prescription information, billing and payment data, usage data, and authentication credentials.
- Sensitive personal data: Health and medical records, diagnostic results, prescription histories, biometric data (where applicable).
- Nature of processing: Collection, storage, organisation, retrieval, consultation, use, transmission, and erasure in the provision of EMR, HMS, billing, telehealth, laboratory, pharmacy, AI-assisted, and related healthcare software services.
- Duration: Processing continues for the term of the applicable agreement, plus any retention period required by applicable law or agreed between the parties.
Controller obligations
The Customer, as Controller, shall:
- Ensure that the collection and transfer of personal data to Fastclinic is lawful under the NDPA, including obtaining necessary consents or establishing another valid legal basis.
- Provide clear, accurate instructions to Fastclinic regarding the processing of personal data.
- Ensure that data subjects have been informed about the processing of their personal data in accordance with applicable transparency requirements.
- Conduct Data Protection Impact Assessments ("DPIAs") where required by the NDPA, particularly for large-scale processing of health data.
- Maintain records of processing activities as required under the NDPA.
- Appoint a Data Protection Officer where required by the NDPA or NDPC guidelines.
- Promptly notify Fastclinic of any data subject requests, complaints, or regulatory inquiries that may affect the processing.
Processor obligations
Fastclinic, as Processor, shall:
- Process personal data only on documented instructions from the Customer, unless required to do so by Nigerian law, in which case Fastclinic shall inform the Customer of that legal requirement before processing (unless prohibited from doing so).
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures as set out in the "Technical and organisational measures" section of this DPA.
- Respect the conditions for engaging sub-processors as set out in the "Sub-processors" section of this DPA.
- Assist the Customer, taking into account the nature of the processing, in responding to requests for exercising data subject rights.
- Assist the Customer in ensuring compliance with obligations relating to security of processing, notification of data breaches, DPIAs, and prior consultation with the NDPC.
- At the Customer's choice, delete or return all personal data to the Customer after the end of the provision of Services, and delete existing copies unless Nigerian law requires storage.
- Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections.
Sub-processors
The Customer provides general written authorisation for Fastclinic to engage sub-processors for the performance of specific processing activities. Fastclinic maintains a current list of sub-processors, available upon request.
Fastclinic shall notify the Customer of any intended changes to the list of sub-processors at least thirty (30) days before the engagement of a new sub-processor, giving the Customer an opportunity to object. If the Customer objects on reasonable grounds relating to data protection, the parties shall discuss the matter in good faith.
Where Fastclinic engages a sub-processor, it shall impose data protection obligations no less protective than those set out in this DPA by way of a written contract. Fastclinic remains fully liable to the Customer for the performance of the sub-processor's obligations.
International data transfers
Fastclinic shall not transfer personal data outside the Federal Republic of Nigeria unless:
- The receiving country has been determined by the NDPC to provide an adequate level of data protection; or
- Appropriate safeguards have been put in place, such as binding corporate rules, standard contractual clauses approved by the NDPC, or other legally recognised transfer mechanisms; or
- A derogation under the NDPA applies (e.g., explicit consent of the data subject, performance of a contract).
Where transfers are necessary for the provision of cloud infrastructure services, Fastclinic shall, in addition to relying on one of the transfer conditions above, ensure that the cloud provider holds current independent security certifications or attestations (such as ISO/IEC 27001 certification or a SOC 2 Type II report) and that contractual safeguards are in place.
Technical and organisational measures
Fastclinic implements and maintains the following technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:
- Encryption: AES-256 encryption at rest; TLS 1.3 encryption in transit.
- Access control: Role-based access control (RBAC) with granular permissions; multi-factor authentication (MFA) for administrative access; principle of least privilege.
- Network security: Firewalls, intrusion detection/prevention systems, network segmentation, and DDoS protection.
- Audit logging: Comprehensive logging of all data access, modification, and administrative actions with attribution and timestamps. Logs retained for a minimum of twelve (12) months.
- Physical security: Data centre access controls, environmental protections, and 24/7 monitoring.
- Business continuity: Regular backups, disaster recovery procedures, and redundant infrastructure with 99.9% uptime target.
- Personnel: Background checks, confidentiality agreements, and mandatory data protection training for all staff with access to personal data.
- Vulnerability management: Regular penetration testing, vulnerability scanning, and a responsible disclosure programme.
Data subject requests
Fastclinic shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures for the fulfilment of the Customer's obligation to respond to requests from data subjects exercising their rights under the NDPA, including rights of access, rectification, erasure, restriction, portability, and objection.
If Fastclinic receives a request directly from a data subject, it shall promptly redirect the request to the Customer, unless otherwise instructed. Fastclinic shall not respond to data subject requests directly except on the Customer's documented instructions or as required by applicable law.
Personal data breach notification
Fastclinic shall notify the Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Data Breach affecting personal data processed under this DPA.
The notification shall include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
Fastclinic shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the data breach. Fastclinic shall assist the Customer in meeting the Customer's obligation to notify the NDPC and affected data subjects where required under the NDPA.
Audit and inspection rights
Fastclinic shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA.
The Customer may, at its own expense and upon at least thirty (30) business days' written notice, conduct an audit of Fastclinic's processing activities and security measures, subject to reasonable confidentiality obligations. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Fastclinic's operations.
As an alternative to on-site audits, Fastclinic may provide the Customer with copies of relevant third-party audit reports, certifications, or summaries of penetration testing results, subject to confidentiality obligations.
Data deletion and return
Upon termination or expiry of the applicable agreement, Fastclinic shall, at the Customer's election:
- Return all personal data to the Customer in a commonly used, machine-readable format; or
- Securely delete all personal data and certify such deletion in writing.
Fastclinic shall complete the return or deletion within ninety (90) days of termination, unless Nigerian law requires continued storage, in which case Fastclinic shall inform the Customer and isolate the data from further processing.
Liability and indemnity
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the applicable agreement between the parties.
Fastclinic shall indemnify the Customer against losses arising from Fastclinic's breach of this DPA or applicable data protection law, subject to the liability caps in the applicable agreement.
Governing law
This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Nigeria. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Federal Capital Territory, Abuja, Nigeria, unless the applicable agreement specifies a different dispute resolution mechanism.
For questions regarding this Data Processing Agreement, please contact us at contact@fastclinic.xyz.