Data Processing Agreement
Last updated: 2 June 2026
Overview
This Data Processing Agreement (DPA) forms part of your subscription with MedPro. It governs how we process personal data on your instructions as your data processor under GDPR Article 28.
Roles
You are the data controller. MedPro is the data processor. We process patient data only on your documented instructions, and only as necessary to provide the service.
Scope of processing
Purpose: to provide the MedPro service to your practice.
Duration: for as long as you are a customer, plus any retention period instructed by you or required by law.
Data: patient records (clinical, demographic, billing), clinician records, voice recordings.
Categories of data subjects: your patients, your clinicians, your administrative staff.
Sub-processors (GDPR Art. 28(2))
We engage sub-processors only as needed to provide the service. The complete, current list, including each sub-processor's location and transfer mechanism, is published at medproai.com/sub-processors. We give 14 days' written notice before adding or replacing any sub-processor. You may object in writing within that period; if we cannot accommodate your objection, you may terminate your subscription without penalty. By signing up you grant general written authorisation for the sub-processors listed at that time, as required by Art. 28(2).
Security measures
AES-256 encryption at rest. TLS 1.3 in transit. Per-practice encryption keys. Role-based access control. MFA on all internal access. Audit logs on all patient record access. Annual penetration testing. Documented incident response.
Data transfers
Patient data at rest is stored in Ireland (Supabase, EU region eu-west-1). AI inference for clinical text and voice runs within the EEA by default (Google Vertex AI, EU multi-region; Google Cloud STT europe-west1, Belgium). The “Live with Brigid” real-time voice feature currently routes audio via Google AI Studio (United States) under an Art. 28 DPA, SCCs and the EU-US Data Privacy Framework, with per-session explicit consent for EU-only tenants; this will be migrated to an EU endpoint. The full transfer basis for every sub-processor is documented on our Sub-Processors page.
Patient rights
If a patient exercises their GDPR rights in respect of data you control, we will assist you in fulfilling that request within 30 days. Tools to export, correct, and delete patient records are available in the MedPro admin panel.
AI processing & patient-controlled Brigid permissions
When the service is used with the MedYou patient app, each patient owns a set of permission toggles that govern what Brigid (our AI assistant) may do with their data: draft letters & referrals, summarise visits, send reminders, voice transcripts, and anonymised research.
The first three default to on (low-risk administrative processing under Art. 6(1)(b)/(f) and Art. 9(2)(h) GDPR). Voice transcripts and anonymised research default to off and require explicit Art. 9(2)(a)/(j) consent. The toggles are technically enforced at the data layer — you (as controller) and we (as processor) will refuse any Brigid action whose toggle is off. We will not process special-category data via Brigid in a way that contradicts the patient's current permission state, even at your instruction.
Brigid is operated as a high-risk AI system under Regulation (EU) 2024/1689 when used for clinical decision support. We supply the AI Act technical documentation, log retention, and human-oversight architecture; you are the deployer of the system in your clinical context and must comply with deployer obligations including patient transparency (Art. 13).
Breach notification (GDPR Art. 33)
We will notify affected practices (data controllers) of any personal data breach without undue delay and in any event within 72 hours of becoming aware, per GDPR Article 33(2). The notification will include the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed, and the contact point for further information. See our Compliance Overview for the full Breach Notification Runbook.
Data Protection Impact Assessments (GDPR Art. 35–36)
We assist controllers with DPIAs where required by GDPR Article 35 (high-risk processing) and with prior consultation of the Data Protection Commission under Article 36 where the DPIA shows residual high risk. We have completed and ratified six DPIAs covering all AI-assisted clinical workflows (document classification, patient triage, voice transcription, Brigid AI, referral letters, live voice). These are signed by our DPO (David Galvin, david@medproai.com) and are available for your review in Settings → Security & Compliance → DPIA & Clinic Distribution once you are signed in. You may acknowledge receipt there, which satisfies your own Art. 35 obligation as controller.
Termination
On termination of the subscription, we will export your data to you in machine-readable format and delete it from our systems within 30 days, except as required by law (audit logs retained 8 years per Irish Health Act 2014 §73; financial records 7 years per Irish Revenue).
Related legal documents
Terms of Service · Clinician Terms · Privacy Policy · Sub-Processors · Medical Device Declaration · Acceptable Use Policy · Compliance Overview