Data Processing Addendum
This Data Processing Addendum ("DPA") supplements and forms part of the ExperClinic Terms of Service (the "Agreement") between you ("Customer") and Mark Guirgis, doing business as ExperClinic ("ExperClinic"). Capitalized terms not defined here have the meaning given in the Agreement or, where applicable, in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and its UK counterpart.
By using the ExperClinic Service you accept this DPA; no separate signature is required unless you specifically ask for one. If you need a counter-signed PDF for your records, email [email protected] and we'll send one.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in the GDPR, including patient names, phone numbers, email addresses, and message content.
- "Processing" has the meaning given in the GDPR (collecting, storing, using, sharing, deleting, etc.).
- "Controller" is the party that determines why and how Personal Data is Processed. For patient data on the ExperClinic platform, the Customer is the Controller.
- "Processor" is the party that Processes Personal Data on behalf of the Controller. ExperClinic is the Processor.
- "Sub-processor" is any Processor engaged by ExperClinic to Process Personal Data on the Customer's behalf.
- "Data Subject" is the individual the Personal Data relates to — typically one of the Customer's patients.
2. Roles and scope
ExperClinic Processes Personal Data on the Customer's behalf solely to provide the Service as described in the Agreement. The subject matter, duration, nature, purpose, type of Personal Data, and categories of Data Subjects are set out in Annex I below.
3. Customer instructions
ExperClinic will Process Personal Data only on the documented instructions of the Customer. The Agreement (including this DPA and the Customer's use of the Service through its normal interface) constitutes the Customer's complete and final instructions. If ExperClinic believes an instruction violates applicable law, it will inform the Customer without undue delay.
4. Obligations of the Customer
The Customer warrants that:
- It has a lawful basis to Process the Personal Data it uploads or enters into the Service.
- It has provided any notices and obtained any consents required by applicable law, including for SMS communication with patients (CASL, TCPA, GDPR, state/provincial laws).
- Its instructions comply with applicable law.
- It will respond in a timely manner to requests from Data Subjects exercising their rights.
5. Obligations of ExperClinic (Processor)
ExperClinic will:
- Process Personal Data only as instructed by the Customer and only to provide the Service.
- Require all personnel with access to Personal Data to commit to confidentiality.
- Implement and maintain appropriate technical and organizational measures to protect Personal Data, described in Annex II.
- Assist the Customer in responding to requests from Data Subjects, and to regulators, to the extent reasonably possible given the nature of the Processing.
- Notify the Customer without undue delay — and in any case within 72 hours — of becoming aware of a Personal Data breach affecting the Customer's data.
- At the Customer's choice, delete or return all Personal Data at the end of the relationship, subject to the limited retention carve-outs in our Privacy Policy (e.g. billing records for tax compliance).
- Make available information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, subject to reasonable confidentiality and notice requirements.
6. Sub-processors
The Customer authorizes ExperClinic to engage the Sub-processors listed in Annex III. ExperClinic will:
- Have a written contract with each Sub-processor imposing data protection obligations no less strict than those in this DPA;
- Remain responsible to the Customer for the Sub-processor's acts and omissions;
- Provide at least 30 days' notice (by email or an update to this page) before engaging a new Sub-processor or replacing an existing one. The Customer may object in writing during that period; if the objection cannot be resolved, the Customer may terminate the Agreement for the affected services.
7. International transfers
Where the Customer's Personal Data is transferred outside the jurisdiction of origin — for example, from the EEA or the UK to a country without an adequacy decision — the parties rely on the following safeguards, in order of preference:
- Standard Contractual Clauses ("SCCs") adopted by the European Commission, incorporated here by reference. Where the transfer is from the UK, the UK International Data Transfer Addendum applies.
- Any other transfer mechanism approved by the relevant supervisory authority.
- Where applicable, the Data Subject's explicit consent.
8. Data Subject rights
If ExperClinic receives a request from a Data Subject directly (for example, a patient contacting us rather than the practice), we will:
- Not respond substantively without the Customer's instruction;
- Promptly forward the request to the Customer;
- Assist the Customer in responding, as required by applicable law.
9. Audits
Given ExperClinic's size and the nature of the Service, we satisfy audit obligations by providing, on request, up-to-date information about our security practices, Sub-processor list, and incident response procedures. The Customer may request additional audit information once per calendar year, at its own expense, subject to reasonable confidentiality protections.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the Agreement. Nothing in this DPA limits any party's liability to a Data Subject under applicable data protection law.
11. Termination and deletion
This DPA terminates automatically on termination of the Agreement. On termination, ExperClinic will delete Personal Data within 90 days, subject to limited retention for tax or legal compliance. The Customer may request earlier deletion in writing.
12. Governing law
This DPA is governed by the laws of the Province of Ontario, Canada, except that where the Customer is established in the EEA or the UK, the data protection laws of the relevant jurisdiction apply to the Processing to the extent required by law.
13. Order of precedence
In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Personal Data.
Annex I — Description of Processing
- Subject matter: provision of the ExperClinic Service to the Customer.
- Duration: for as long as the Customer has an active ExperClinic account, plus any period required by law.
- Nature and purpose: sending SMS, receiving SMS, capturing feedback, storing patient records, managing appointments, delivering email notifications, providing analytics — all on the Customer's behalf.
- Types of Personal Data:
  - Customer personnel: name, email, phone, password (hashed).
  - Patients: name, phone number, email (optional), appointment details, feedback responses, message content.
- Categories of Data Subjects: Customer's staff, Customer's patients.
- Special categories: Personal Data on the platform is not intended to include "special categories" under Article 9 of the GDPR (health data, biometric data, etc.). Customers are contractually required not to transmit detailed medical information through the Service without a separate Business Associate Agreement or equivalent arrangement.
Annex II — Security measures
ExperClinic implements and maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include:
- Encryption in transit: All traffic uses HTTPS with modern TLS.
- Encryption at rest: Database and backup storage is encrypted at rest by the underlying managed service (Railway / PostgreSQL).
- Credentials: Passwords stored as salted bcrypt hashes. Session cookies are HTTP-only, secure, and rotated on login.
- Access control: Access to production systems is restricted to Mark Guirgis.
- Abuse prevention: Rate limits on signup, login, password-reset, and support endpoints. IP-based throttling at the CDN edge.
- Backup and recovery: Daily automated, encrypted database backups.
- Monitoring: Application error alerts and suspicious-activity notifications routed to the administrator.
- Incident response: Documented 72-hour notification process for confirmed data breaches affecting Customer data.
Annex III — Approved Sub-processors
The following Sub-processors are engaged to deliver the Service as of the "Last updated" date:
- Twilio, Inc. (United States) — SMS delivery, phone number management, inbound SMS webhook.
- Resend, Inc. (United States) — Transactional email delivery (verification, password reset, trial emails, alerts).
- Stripe, Inc. (United States, Canada) — Payment processing for subscriptions.
- Google LLC (United States) — Places API, used to retrieve a practice's business hours and timezone from its Google Maps URL.
- Railway Corp. (United States) — Application and database hosting.
- Cloudflare, Inc. (United States, global edge) — DNS, CDN, and inbound email routing.
We will update this list if we add or replace a Sub-processor, with at least 30 days' notice before the change takes effect for existing Customers.