Data Processing Agreement (DPA)

Last Updated: January 2025

1. Definitions

For the purposes of this DPA, the following definitions apply:

• "Controller" means the Customer (healthcare organization) that determines the purposes and means of processing Personal Data.
• "Processor" means ORaigent GmbH, which processes Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person, including staff data and health-related information.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means an identified or identifiable natural person (e.g., hospital staff member).
• "Sub-processor" means any third-party processor engaged by ORaigent to process Personal Data.
• "GDPR" means the EU General Data Protection Regulation (Regulation 2016/679).
• "Supervisory Authority" means the data protection authority responsible for monitoring GDPR compliance.

2. Scope and Purpose of Processing

2.1 Subject Matter of Processing

ORaigent processes Personal Data to provide AI-powered operating room staff scheduling and resource management services.

2.2 Duration of Processing

Processing occurs for the duration of the service agreement and for up to 90 days after termination for data deletion purposes.

2.3 Nature and Purpose of Processing

Processing Activity	Purpose
Staff Scheduling	Automated assignment of staff to operating rooms based on qualifications and availability
Constraint Satisfaction	Enforcement of hospital rules, qualifications, and compliance requirements
Availability Tracking	Monitoring staff availability, shift assignments, and recovery day requirements
Performance Analytics	Generating insights and optimization recommendations
System Monitoring	Ensuring service availability, security, and error detection

2.4 Types of Personal Data

• Identification Data: Name, employee ID, contact information
• Professional Data: Job title, department, qualifications, certifications
• Operational Data: Shift schedules, availability, room assignments, expertise levels
• Health-Related Data (Special Categories): Sick leave status, BD recovery requirements, medical certifications

2.5 Categories of Data Subjects

• Hospital staff (surgeons, nurses, anesthesiologists, technical staff)
• Operating room coordinators and managers
• Healthcare administrators

3. Processor Obligations

3.1 Processing Instructions

ORaigent shall process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law. If ORaigent believes an instruction violates GDPR or other data protection laws, it shall immediately inform the Controller.

3.2 Confidentiality

ORaigent ensures that all personnel authorized to process Personal Data:

• Are bound by confidentiality obligations or appropriate statutory obligations
• Receive appropriate training on data protection
• Have access only to Personal Data necessary for their duties
• Are subject to background checks where appropriate

3.3 Technical and Organizational Measures

ORaigent implements appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including:

3.3.1 Technical Measures

• Encryption: TLS 1.3+ for data in transit, AES-256 for data at rest
• Access Control: Multi-factor authentication (MFA), role-based access control (RBAC)
• Pseudonymization: Where applicable, to reduce identification risks
• Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS)
• Logging and Monitoring: Comprehensive audit trails for all data access
• Vulnerability Management: Regular security scans and penetration testing
• Backup and Recovery: Automated backups with encryption, disaster recovery procedures

3.3.2 Organizational Measures

• Data Protection Policy: Comprehensive internal policies and procedures
• Staff Training: Annual data protection and security training for all employees
• Incident Response Plan: Documented procedures for data breach response
• Vendor Management: Due diligence and contracts with all sub-processors
• Physical Security: Access controls, visitor management, secure data centers
• Data Minimization: Collection and retention of only necessary data
• Regular Audits: Internal and external security audits (ISO 27001)

3.4 Sub-processor Engagement

3.4.1 General Authorization

Controller provides general authorization for ORaigent to engage sub-processors, subject to the conditions in this section.

3.4.2 Current Sub-processors

Sub-processor	Service	Location
Amazon Web Services (AWS)	Cloud hosting and infrastructure	EU (Frankfurt)
Microsoft Azure	Cloud services and databases	EU (Netherlands)
SendGrid	Email delivery services	EU

3.4.3 New Sub-processors

ORaigent shall inform Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving Controller the opportunity to object. Updated sub-processor list available at: www.oraigent.com/sub-processors

3.4.4 Sub-processor Requirements

ORaigent ensures that:

• Sub-processors are bound by data protection obligations equivalent to this DPA
• Sub-processors implement appropriate technical and organizational measures
• ORaigent remains fully liable for sub-processor performance
• Sub-processor agreements include Controller's right to audit

3.5 International Data Transfers

3.5.1 Primary Processing Location

Personal Data is primarily processed within the EU/EEA (Germany and Netherlands data centers).

3.5.2 Transfers Outside EU/EEA

If data must be transferred outside the EU/EEA, ORaigent ensures appropriate safeguards:

• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (2021/914)
• Adequacy Decisions: Transfers only to countries with EU adequacy decisions
• Binding Corporate Rules: Where applicable for corporate groups
• Additional Safeguards: Encryption, access restrictions, legal analysis

3.5.3 Disclosure to Public Authorities

If ORaigent receives a legally binding request for Personal Data disclosure from a public authority, it shall:

• Immediately notify Controller (unless legally prohibited)
• Challenge the request if it appears invalid
• Disclose only the minimum data necessary
• Document all disclosures

4. Controller Obligations

4.1 Legal Basis and Instructions

Controller shall:

• Ensure it has a lawful basis for processing under GDPR
• Provide clear, documented processing instructions to ORaigent
• Ensure accuracy and completeness of Personal Data provided
• Comply with all applicable data protection laws

4.2 Data Subject Rights

Controller is responsible for responding to Data Subject rights requests. Controller shall ensure Data Subjects are informed of their rights.

4.3 Data Protection Impact Assessment (DPIA)

If required under Article 35 GDPR, Controller is responsible for conducting a DPIA. ORaigent shall provide reasonable assistance.

5. Data Subject Rights

5.1 Processor Assistance

ORaigent shall assist Controller in responding to Data Subject rights requests, including:

• Right of Access (Art. 15): Provide data extracts within 7 days
• Right to Rectification (Art. 16): Update inaccurate data within 3 business days
• Right to Erasure (Art. 17): Delete data within 7 days (subject to legal obligations)
• Right to Restriction (Art. 18): Restrict processing as instructed
• Right to Data Portability (Art. 20): Provide data in machine-readable format (CSV, JSON)
• Right to Object (Art. 21): Cease processing as instructed

5.2 Fees

ORaigent shall provide reasonable assistance at no additional charge. Excessive or repetitive requests may incur reasonable fees.

6. Data Breach Notification

6.1 Notification to Controller

In the event of a Personal Data breach, ORaigent shall notify Controller:

• Without undue delay: Within 24 hours of becoming aware
• Initial notification: Via email to designated contact
• Follow-up notification: Within 72 hours with complete details

6.2 Breach Information

Notification shall include:

• Nature of the breach (types of data, number of affected Data Subjects)
• Contact point for more information (ORaigent DPO)
• Likely consequences of the breach
• Measures taken or proposed to mitigate adverse effects
• Timeline of events and discovery

6.3 Controller Notification Obligations

Controller remains responsible for notifying Supervisory Authorities and Data Subjects as required by Articles 33 and 34 GDPR.

6.4 Breach Response

ORaigent shall:

• Immediately contain and remediate the breach
• Preserve evidence for forensic analysis
• Cooperate fully with Controller's investigation
• Implement corrective measures to prevent recurrence
• Document all breach response activities

7. Deletion and Return of Data

7.1 Upon Termination

Within 90 days of service termination, ORaigent shall, at Controller's choice:

• Return: All Personal Data in structured format (CSV, JSON)
• Delete: Securely destroy all Personal Data and copies

7.2 Deletion Method

Deletion shall be performed using industry-standard methods:

• Secure overwrite (DoD 5220.22-M standard or equivalent)
• Cryptographic erasure (destruction of encryption keys)
• Physical destruction of hardware (where applicable)

7.3 Certification

Upon request, ORaigent shall provide written certification of data deletion.

7.4 Legal Retention

ORaigent may retain Personal Data to the extent required by EU or Member State law, provided it informs Controller of such requirement.

8. Audit Rights

8.1 Controller Audit Rights

Controller has the right to conduct audits and inspections to verify ORaigent's compliance with this DPA and GDPR.

8.2 Audit Process

• Notice: Controller shall provide at least 30 days' written notice
• Frequency: Once per year, or more frequently if required by Supervisory Authority or after a breach
• Scope: Relevant processing operations, security measures, and sub-processors
• Timing: During normal business hours to minimize disruption
• Confidentiality: Auditors must execute confidentiality agreements
• Costs: Controller bears audit costs unless non-compliance is found

8.3 Alternative Compliance Evidence

ORaigent may satisfy audit requirements by providing:

• ISO 27001 certification and audit reports
• SOC 2 Type II reports
• Third-party security assessments
• Internal audit reports

9. Liability and Indemnification

9.1 Liability

Each party's liability is governed by the main service agreement and applicable law, including GDPR Article 82 (right to compensation).

9.2 Allocation of Liability (Art. 82(5))

Where Controller and Processor are both involved in the same processing operation:

• Each party is liable for the damage caused by processing that violates GDPR
• Processor is exempt from liability if it proves it is not responsible for the damage
• Right of contribution between parties as appropriate

10. Standard Contractual Clauses (SCCs)

For international data transfers outside the EU/EEA, the parties agree to be bound by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) as follows:

• Module Two: Controller to Processor (primary transfer basis)
• Docking Clause: Available for sub-processors (Clause 7)
• Governing Law: German law (Clause 17)
• Jurisdiction: Courts of Munich, Germany (Clause 18)

11. Term and Termination

11.1 Term

This DPA is effective as of the service agreement effective date and continues for the duration of the service agreement.

11.2 Survival

Provisions that by their nature should survive termination shall remain in effect, including:

• Data deletion obligations
• Confidentiality obligations
• Liability provisions
• Audit rights (for 12 months post-termination)

12. Amendments

This DPA may be amended:

• By mutual written agreement of both parties
• To reflect changes in applicable law (with 30 days' notice)
• To reflect changes in sub-processors (with 30 days' notice and objection right)

13. Hierarchy of Documents

In the event of conflict between documents, the following order of precedence applies:

1. This Data Processing Agreement (DPA)
2. Standard Contractual Clauses (if applicable)
3. Main Service Agreement
4. Privacy Policy

14. Contact Information

14.1 ORaigent Data Protection Officer

14.2 Supervisory Authority

15. Signatures

This Data Processing Agreement is executed as of the service agreement effective date and forms an integral part of the agreement between the parties.

16. Additional Resources

• Privacy Policy
• Terms of Service
• GDPR Compliance Statement

---

← Back to Home