Legal
This Data Processing Agreement (the “Agreement”) is entered into between the healthcare practitioner or clinic registering for a professional account (the “Customer”) and Sistemi Umani Ltd (the “Processor”), as required by Article 28 of Regulation (EU) 2016/679 (the “GDPR”). It governs the personal data — including patient health records — that the Processor processes on the Customer's behalf when the Customer uses the Sistemi Umani platform (the “Platform”).
You accept this Agreement when you register for a professional account. Your acceptance, and the version of this Agreement you accepted (currently 2026-07-03), is recorded.
Effective 3 July 2026 · Last updated 3 July 2026
The Customer is the healthcare practitioner practising independently, or the clinic, that maintains patient records on the Platform. The Customer is the controller of those records within the meaning of Article 4(7) GDPR.
The Processor is Sistemi Umani Ltd, company registration number [company number — to confirm], of 59, Ramiro Cali Street, Mġarr, Malta, which processes those records on the Customer's behalf as a processor within the meaning of Article 4(8) GDPR.
“Customer Data” means all personal data the Processor processes on the Customer's behalf under this Agreement, as described in section 2. The supervisory authority is the Information and Data Protection Commissioner (IDPC), Level 2, Airways House, High Street, Sliema SLM 1549, Malta.
| Processing detail | Description |
|---|---|
| Subject matter | Provision of the Platform to the Customer: patient records, clinical session notes, appointment booking and scheduling, and related communications; including any one-time import of existing records under section 13. |
| Duration | For as long as the Customer uses the Platform, plus the wind-down period in section 14. |
| Nature | Collection, recording, organisation, structuring, storage, retrieval, consultation, disclosure to authorised users, restriction and erasure. Hosting and storage within the EU/EEA. |
| Purpose | Enabling the Customer to manage and deliver care to their patients. No processing for the Processor's own purposes (see section 4 for the Processor's separate controller functions). |
| Data subjects | Patients and former patients of the Customer; patients' emergency contacts; the Customer and staff the Customer authorises. |
| Types of personal data | Identity and contact data (name, email, phone, address, date of birth, gender, emergency contact); appointment data (bookings, attendance, practitioner, service, timing); and data concerning health (Article 9(1) GDPR) — clinical session notes, treatment and assessment records, injury and medical history recorded by the Customer. |
| Special-category basis | Processed on the Customer's behalf for the provision of health care — Article 9(2)(h) GDPR in conjunction with Article 9(3) (processing by or under the responsibility of a professional subject to the obligation of professional secrecy). |
The Processor processes Customer Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do so by Union or Member State law — in which case the Processor informs the Customer of that legal requirement before processing, unless that law prohibits it on important grounds of public interest. This Agreement, the Customer's use and configuration of the Platform, and any migration instruction under section 13 constitute the Customer's complete documented instructions.
The Processor will immediately inform the Customer if, in its opinion, an instruction infringes the GDPR.
This Agreement does not apply to processing for which the Processor is itself a controller, namely: (a) account and authentication data of Platform users who register directly with the Platform; and (b) the Processor's own administrative, billing and security records, including platform audit logs kept for its own Article 32 obligations. Where a person is both a patient of the Customer and a registered Platform user, the Customer remains controller of the clinical record and the Processor is controller of the Platform account. That processing is described in the Privacy Notice.
The Processor ensures that persons authorised to process Customer Data are committed to confidentiality or under an appropriate statutory obligation of confidentiality, and process Customer Data only as needed to provide the Platform.
Taking into account the state of the art and the risks — in particular that Customer Data includes data concerning health — the Processor implements and maintains appropriate technical and organisational measures, including:
The Processor may update these measures from time to time provided the overall level of security is not reduced.
The Customer grants the Processor general written authorisation to engage the following sub-processors:
| Sub-processor | Service | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, authentication and file-storage hosting | EU/EEA region | DPA + SCCs |
| Vercel Inc. | Application hosting and delivery | EU/EEA primary; global CDN | DPA + SCCs |
| Google Ireland Ltd (Google Workspace) | Transactional and business email | EU/EEA | DPA + SCCs |
The Processor will give the Customer at least 30 days' notice of any intended addition or replacement, giving the Customer the opportunity to object on reasonable data-protection grounds; if an objection cannot be resolved in good faith, the Customer may stop using the Platform and section 14 applies. The Processor imposes the same data-protection obligations on each sub-processor by contract and remains fully liable for their performance.
Taking into account the nature of the processing, the Processor assists the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests to exercise data subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). If a data subject contacts the Processor directly about Customer Data, the Processor forwards the request to the Customer without undue delay and does not respond on the merits except on the Customer's documented instruction.
The Processor notifies the Customer without undue delay — and in any event within 48 hours — after becoming aware of a personal data breach affecting Customer Data, provides the information reasonably required for the Customer's obligations under Articles 33 and 34 GDPR, supplements the notification as further information becomes available, documents all such breaches, and cooperates with the Customer and the IDPC.
Taking into account the nature of the processing and the information available to it, the Processor assists the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation).
The Processor makes available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits require reasonable prior written notice (not less than 14 days, except following a personal data breach or where required by the IDPC), take place during business hours no more than once per year, and do not extend to other customers' data. The Processor may first satisfy an audit request with relevant documentation, certifications or third-party audit reports, including those of its sub-processors.
The Processor processes and stores Customer Data within the EU/EEA and does not transfer it to a third country without the Customer's prior documented instruction, except as required by Union or Member State law (section 3 applies). Where a sub-processor processes Customer Data from outside the EU/EEA, the Processor ensures the transfer is governed by a valid Chapter V GDPR mechanism (adequacy decision or Standard Contractual Clauses, with supplementary measures where required).
Where the Customer instructs the Processor to import existing patient records from a previous system, the import is performed as follows:
When the Customer stops using the Platform, the Processor — at the Customer's choice — deletes or returns all Customer Data in a structured, commonly used and machine-readable format, and deletes existing copies, unless Union or Member State law requires storage. The Customer, not the Processor, is subject to the applicable clinical-record retention obligation (see the Privacy Notice — 10 years is the reference period). The default is return followed by deletion, with deletion confirmed in writing within 30 days.
Each party is liable in accordance with Article 82 GDPR. Nothing in this Agreement excludes or limits either party's liability where such exclusion or limitation is not permitted by law.
This Agreement is governed by the laws of Malta and the Maltese courts have exclusive jurisdiction. If any provision is held invalid, the remainder remains in force. In the event of conflict between this Agreement and any other agreement between the parties concerning the processing of Customer Data, this Agreement prevails. Questions about this Agreement: privacy@sistemiumani.com.