This agreement formalises, pursuant to article 28 GDPR, the role of My Data My Care as a processor acting on behalf of the professionals and healthcare facilities that are the data controllers. Each major version requires explicit re-acceptance.
1. Subject matter
This DPA governs the processing of personal data carried out by My Data My Care (Processor) on behalf of the Data Controller (healthcare professional, practice, facility, insurer or laboratory). It supplements the professional terms of service and prevails over any contrary stipulation regarding data protection.
2. Parties & roles
The Data Controller determines the purposes and means of the processing. My Data My Care acts strictly on documented instructions, without processing for its own purposes. Our contact details and those of the DPO are listed below.
3. Purposes & documented instructions
Processing is limited to: encrypted storage, secure sharing, FHIR R4 export for portability, communication within the care team, and backup. Any extension of purpose requires a formal amendment. No data is sold, transferred or monetised.
4. Duration & data fate
Processing duration is aligned with the term of the main contract and with the applicable legal retention obligations (medical records: 20 years after the last contact, under the applicable national rules; security logs: 12 months). At contract termination, the data is exported in FHIR R4 format and then deleted within 90 days, with timestamped proof of erasure.
5. Security measures
HDS-certified (Hébergeur de Données de Santé) hosting in France (ISO 27001 + HDS), AES-256 encryption at rest and TLS 1.3 in transit, client-side end-to-end encryption for sensitive data, mandatory MFA, immutable logging, annual penetration tests, SOC 2 Type 2 review. Sub-processors are listed publicly and the list is updated at every change.
6. Transfers outside the EU
No transfer outside the European Union for production purposes. Any UK/US sub-processors (outside the critical healthcare path) are governed by the Standard Contractual Clauses adopted by the European Commission in 2021, supplemented by additional measures (encryption, pseudonymisation).
7. Assistance with data subject rights
We assist the Controller in responding to requests for access, rectification, erasure, portability, restriction and objection within a maximum of 15 working days. Integrated patient tools (/settings/terms, /export) enable self-service handling of most requests.
8. Contact & notifications
For any DPA request, incident or audit: dpo@mydatamycare.com. Contractual deadline for notifying the Controller of a personal data breach: 24 hours after becoming aware of it. This is stricter than the "without undue delay" standard of art. 33(2) GDPR and leaves the Controller time to meet its own 72-hour notification deadline to the supervisory authority under art. 33(1) GDPR.