Data Processing Agreement (DPA)
Version 1.2 | Last Updated: 29 May 2025
Parties: This Data Processing Agreement ("DPA") is entered into by and between:
1. Purpose and Legal Basis
1.1 This Data Processing Agreement (DPA) governs the processing of personal data by CliniciansCheck on behalf of data controllers in accordance with applicable global privacy laws, including but not limited to the UK GDPR, EU GDPR, HIPAA, the Australian Privacy Act, PIPEDA (Canada), and equivalent global frameworks.
1.2 The DPA forms an integral part of any service, participation, or listing agreement under which CliniciansCheck acts as a processor or sub-processor on behalf of a clinician, partner, or organisation.
2. Definitions
2.1 "Personal Data" means any information relating to an identified or identifiable natural person.
2.2 "Data Controller" means the entity determining the purposes and means of processing personal data.
2.3 "Data Processor" means the entity processing personal data on behalf of the controller.
2.4 "Processing" means any operation performed on personal data, whether automated or not, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
3. Scope of Processing
3.1 CliniciansCheck processes personal data solely for the provision, maintenance, improvement, and lawful operation of the platform and its related services.
3.2 The categories of data processed may include:
3.2.1 Account identifiers, professional credentials, communications, audit trails, compliance data, and user preferences;
3.2.2 Clinical and service-related content voluntarily submitted by the controller;
3.2.3 Administrative metadata, access logs, and anonymised usage statistics.
3.3 Sensitive or special category data (e.g. health, race, religion, biometric identifiers) is not processed unless explicitly permitted under applicable law and submitted voluntarily with an appropriate legal basis.
4. Data Controller Responsibilities
4.1 The controller confirms that all personal data shared with CliniciansCheck has been lawfully obtained and that an adequate legal basis for its processing exists.
4.2 The controller remains responsible for:
4.2.1 Determining the lawful purpose of processing;
4.2.2 Complying with its obligations under applicable privacy laws;
4.2.3 Managing individual rights requests that do not originate on the platform;
4.2.4 Ensuring that medical records and sensitive clinical data are directed to secure off-platform systems (e.g. HIPAA-compliant third-party services).
5. Data Processor Responsibilities
5.1 CliniciansCheck shall:
5.1.1 Process personal data only in accordance with documented instructions from the controller;
5.1.2 Implement appropriate technical and organisational safeguards to protect personal data;
5.1.3 Ensure that staff authorised to process personal data are bound by confidentiality obligations;
5.1.4 Assist the controller in responding to data subject access, rectification, erasure, portability, and objection requests;
5.1.5 Notify the controller of any personal data breach without undue delay;
5.1.6 Delete or return all personal data once processing is complete or upon termination, unless required by law to retain it;
5.1.7 Maintain records of processing activities and cooperate with audits or inspections conducted by the controller.
6. Sub-Processors
6.1 The controller authorises CliniciansCheck to engage sub-processors for service operations, infrastructure, compliance support, and technical maintenance.
6.2 Sub-processors are contractually bound to data protection obligations equivalent to those in this agreement.
6.3 A list of current sub-processors is available on request and will be updated, with advance notification where required by law.
7. International Data Transfers
7.1 Where personal data is transferred outside the UK, the EU, or any other jurisdiction with data export restrictions, appropriate transfer mechanisms will be implemented, such as Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards.
7.2 CliniciansCheck ensures that all third-country recipients are subject to enforceable data protection standards and robust contractual controls.
8. Security Measures
8.1 CliniciansCheck maintains a comprehensive security framework aligned with ISO/IEC 27001, the NIST Cybersecurity Framework (CSF), and the HIPAA technical safeguards.
8.2 Measures include encryption of data in transit and at rest, access controls, penetration testing, and incident response protocols.
8.3 Security policies are reviewed annually and upon significant changes to the infrastructure or the threat landscape.
9. Liability and Indemnity
9.1 Each party is responsible for its own compliance with applicable data protection laws and with this agreement.
9.2 The controller shall indemnify the processor against any damages, claims, or penalties arising from the controller's own unlawful instructions or failure to comply with its legal obligations.
10. Term and Termination
10.1 This agreement is effective for the duration of the services or until terminated by either party in writing.
10.2 Upon termination, CliniciansCheck will delete or anonymise personal data unless retention is legally required.
11. Contact and Oversight
11.1 Any questions or concerns about this agreement should be directed to: Email: operationsteam@clinicianscheck.com
11.2 CliniciansCheck will cooperate with regulatory authorities and respond promptly to data protection inquiries and investigations.