Data Processing Agreement

This Data Processing Agreement (the “Agreement”) is entered into between the healthcare practitioner or clinic registering for a professional account (the “Customer”) and Sistemi Umani Ltd (the “Processor”), as required by Article 28 of Regulation (EU) 2016/679 (the “GDPR”). It governs the personal data — including patient health records — that the Processor processes on the Customer's behalf when the Customer uses the Sistemi Umani platform (the “Platform”).

You accept this Agreement when you register for a professional account. Your acceptance, and the version of this Agreement you accepted (currently 2026-07-03), is recorded.

Effective 3 July 2026 · Last updated 3 July 2026

1. Parties and roles

The Customer is the healthcare practitioner practising independently, or the clinic, that maintains patient records on the Platform. The Customer is the controller of those records within the meaning of Article 4(7) GDPR.

The Processor is Sistemi Umani Ltd, company registration number [company number — to confirm], of 59, Ramiro Cali Street, Mġarr, Malta, which processes those records on the Customer's behalf as a processor within the meaning of Article 4(8) GDPR.

“Customer Data” means all personal data the Processor processes on the Customer's behalf under this Agreement, as described in section 2. The supervisory authority is the Information and Data Protection Commissioner (IDPC), Level 2, Airways House, High Street, Sliema SLM 1549, Malta.

2. Details of the processing

Subject matter: Provision of the Platform to the Customer: patient records, clinical session notes, appointment booking and scheduling, and related communications; including any one-time import of existing records under section 13.
Duration: For as long as the Customer uses the Platform, plus the wind-down period in section 14.
Nature: Collection, recording, organisation, structuring, storage, retrieval, consultation, disclosure to authorised users, restriction and erasure. Hosting and storage within the EU/EEA.
Purpose: Enabling the Customer to manage and deliver care to their patients. No processing for the Processor's own purposes (see section 4 for the Processor's separate controller functions).
Data subjects: Patients and former patients of the Customer; patients' emergency contacts; the Customer and staff the Customer authorises.
Types of personal data: Identity and contact data (name, email, phone, address, date of birth, gender, emergency contact); appointment data (bookings, attendance, practitioner, service, timing); and data concerning health (Article 9(1) GDPR) — clinical session notes, treatment and assessment records, injury and medical history recorded by the Customer.
Special-category basis: Processed on the Customer's behalf for the provision of health care — Article 9(2)(h) GDPR in conjunction with Article 9(3) (processing by or under the responsibility of a professional subject to the obligation of professional secrecy).

3. Processing on the Customer's instructions

The Processor processes Customer Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do so by Union or Member State law — in which case the Processor informs the Customer of that legal requirement before processing, unless that law prohibits it on important grounds of public interest. This Agreement, the Customer's use and configuration of the Platform, and any migration instruction under section 13 constitute the Customer's complete documented instructions.

The Processor will immediately inform the Customer if, in its opinion, an instruction infringes the GDPR.

4. What this Agreement does not cover

This Agreement does not apply to processing for which the Processor is itself a controller, namely: (a) account and authentication data of Platform users who register directly with the Platform; and (b) the Processor's own administrative, billing and security records, including platform audit logs kept for its own Article 32 obligations. Where a person is both a patient of the Customer and a registered Platform user, the Customer remains controller of the clinical record and the Processor is controller of the Platform account. That processing is described in the Privacy Notice.

5. Confidentiality

The Processor ensures that persons authorised to process Customer Data are committed to confidentiality or under an appropriate statutory obligation of confidentiality, and process Customer Data only as needed to provide the Platform.

6. Security (Article 32)

Taking into account the state of the art and the risks — in particular that Customer Data includes data concerning health — the Processor implements and maintains appropriate technical and organisational measures, including:

  • EU data residency: Customer Data is hosted and stored within the EU/EEA (see section 7).
  • Encryption in transit (TLS) and encryption at rest for the database and file storage.
  • Access control enforced at the database layer (row-level security): clinical records are accessible only to the treating practitioner and persons expressly authorised — never by virtue of platform membership alone. Administrative access is restricted to named Processor personnel.
  • An append-only audit trail of access to and changes in clinical records.
  • Logical separation of each customer's data through per-row access policies.
  • Regular automated backups with the same residency and encryption guarantees.
  • Organisational measures: confidentiality undertakings, least-privilege access, security review of changes to the Platform's access-control model, and a breach-response procedure supporting section 9.

The Processor may update these measures from time to time provided the overall level of security is not reduced.

7. Sub-processors

The Customer grants the Processor general written authorisation to engage the following sub-processors:

Sub-processor | Service | Location | Safeguard
Supabase Inc. | Database, authentication and file-storage hosting | EU/EEA region | DPA + SCCs
Vercel Inc. | Application hosting and delivery | EU/EEA primary; global CDN | DPA + SCCs
Google Ireland Ltd (Google Workspace) | Transactional and business email | EU/EEA | DPA + SCCs

The Processor will give the Customer at least 30 days' notice of any intended addition or replacement, giving the Customer the opportunity to object on reasonable data-protection grounds; if an objection cannot be resolved in good faith, the Customer may stop using the Platform and section 14 applies. The Processor imposes the same data-protection obligations on each sub-processor by contract and remains fully liable for their performance.

8. Data subject rights

Taking into account the nature of the processing, the Processor assists the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests to exercise data subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). If a data subject contacts the Processor directly about Customer Data, the Processor forwards the request to the Customer without undue delay and does not respond on the merits except on the Customer's documented instruction.

9. Personal data breach

The Processor notifies the Customer without undue delay — and in any event within 48 hours — after becoming aware of a personal data breach affecting Customer Data, provides the information reasonably required for the Customer's obligations under Articles 33 and 34 GDPR, supplements the notification as further information becomes available, documents all such breaches, and cooperates with the Customer and the IDPC.

10. Assistance with Articles 32–36

Taking into account the nature of the processing and the information available to it, the Processor assists the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation).

11. Audits

The Processor makes available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits require reasonable prior written notice (not less than 14 days, except following a personal data breach or where required by the IDPC), take place during business hours no more than once per year, and do not extend to other customers' data. The Processor may first satisfy an audit request with relevant documentation, certifications or third-party audit reports, including those of its sub-processors.

12. International transfers

The Processor processes and stores Customer Data within the EU/EEA and does not transfer it to a third country without the Customer's prior documented instruction, except as required by Union or Member State law (section 3 applies). Where a sub-processor processes Customer Data from outside the EU/EEA, the Processor ensures the transfer is governed by a valid Chapter V GDPR mechanism (adequacy decision or Standard Contractual Clauses, with supplementary measures where required).

13. Importing existing records (migrations)

Where the Customer instructs the Processor to import existing patient records from a previous system, the import is performed as follows:

  • the export is transferred to the Processor only through a secure channel agreed in advance — not by unencrypted email or consumer messaging;
  • the scope of records to be imported is confirmed in writing by the Customer before import;
  • the Processor verifies the import against the source export and reports the outcome (records imported, skipped and failed) to the Customer;
  • once the Customer confirms the import in writing, the Processor securely and permanently deletes all interim copies of the export; and
  • imported records are accessible only to the Customer and persons the Customer authorises, per section 6.

The Customer confirms they are entitled to disclose the imported records to the Processor for this purpose, and that they have informed — or will inform before the import — the patients concerned of the change of processor, in accordance with Articles 13 and 14 GDPR. That notification is the Customer's responsibility as controller; the Processor provides a template notice on request.

14. Return and deletion

When the Customer stops using the Platform, the Processor — at the Customer's choice — deletes or returns all Customer Data in a structured, commonly used and machine-readable format, and deletes existing copies, unless Union or Member State law requires storage. The Customer, not the Processor, is subject to the applicable clinical-record retention obligation (see the Privacy Notice; 10 years is the reference period). The default is return followed by deletion, with deletion confirmed in writing within 30 days.

15. Liability

Each party is liable in accordance with Article 82 GDPR. Nothing in this Agreement excludes or limits either party's liability where such exclusion or limitation is not permitted by law.

16. General

This Agreement is governed by the laws of Malta and the Maltese courts have exclusive jurisdiction. If any provision is held invalid, the remainder remains in force. In the event of conflict between this Agreement and any other agreement between the parties concerning the processing of Customer Data, this Agreement prevails. Questions about this Agreement: privacy@sistemiumani.com.

Sistemi Umani Ltd is in the process of incorporation; the company registration number will be added to this Agreement once issued. Until then this document is published for transparency and review.