Last updated: 15 May 2026
Overview
This Data Processing Agreement (DPA) forms part of your subscription with MedPro. It governs how we process personal data on your instructions as your data processor under GDPR Article 28.
Roles
You are the data controller. MedPro is the data processor. We process patient data only on your documented instructions, and only as necessary to provide the service.
Scope of processing
Purpose: to provide the MedPro service to your practice.
Duration: for as long as you are a customer, plus any retention period instructed by you or required by law.
Data: patient records (clinical, demographic, billing), clinician records, voice recordings.
Categories of data subjects: your patients, your clinicians, your administrative staff.
Sub-processors
We engage sub-processors only as needed to provide the service. A full list is published at medproai.com/sub-processors. We give 14 days' written notice before adding any new sub-processor. You may object in writing; if we cannot accommodate your objection, you may terminate without penalty.
Security measures
AES-256 encryption at rest. TLS 1.3 in transit. Per-practice encryption keys. Role-based access control. MFA on all internal access. Audit logs on all patient record access. Annual penetration testing. Documented incident response.
Data transfers
All data remains in the European Union (AWS Dublin). No transfers to third countries occur in the normal course of providing the service.
Patient rights
If a patient exercises GDPR rights against you, we will assist you in fulfilling that request within 30 days. Tools to export, correct, and delete patient records are available in the MedPro admin panel.
AI processing & patient-controlled Brigid permissions
When the service is used with the MedYou patient app, each patient owns a set of permission toggles that govern what Brigid (our AI assistant) may do with their data: draft letters & referrals, summarise visits, send reminders, voice transcripts, and anonymised research.
The first three default to on (low-risk administrative processing under Art. 6(1)(b)/(f) and Art. 9(2)(h) GDPR). Voice transcripts and anonymised research default to off and require explicit Art. 9(2)(a)/(j) consent. The toggles are technically enforced at the data layer — you (as controller) and we (as processor) will refuse any Brigid action whose toggle is off. We will not process special-category data via Brigid in a way that contradicts the patient's current permission state, even at your instruction.
Brigid is operated as a high-risk AI system under Regulation (EU) 2024/1689 when used for clinical decision support. We supply the AI Act technical documentation, log retention, and human-oversight architecture; you are the deployer of the system in your clinical context and must comply with deployer obligations including patient transparency (Art. 13).
Breach notification (GDPR Art. 33)
We will notify affected practices (data controllers) of any personal data breach without undue delay and in any event within 72 hours of becoming aware, per GDPR Article 33(2). The notification will include the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed, and the contact point for further information. See our Compliance Overview for the full Breach Notification Runbook.
Data Protection Impact Assessments (GDPR Art. 35-36)
We assist controllers with DPIAs where required by GDPR Article 35 (high-risk processing) and with prior consultation of the Data Protection Commission under Article 36 where the DPIA shows residual high risk. Our standard DPIA for AI-assisted clinical workflows is published in our internal Compliance documentation and available on request.
Termination
On termination of the subscription, we will export your data to you in machine-readable format and delete it from our systems within 30 days, except as required by law (audit logs retained 8 years per Irish Health Act 2014 §73; financial records 7 years per Irish Revenue).
Related legal documents
Terms of Service · Clinician Terms · Privacy Policy · Medical Device Declaration · Acceptable Use Policy · Compliance Overview