Data Processing Addendum
This Addendum forms part of the agreement between Kahloon, LLC (“Processor”, “we”) and the organisation using Clinic by Kahloon (the “Customer” or “Controller”). It explains how we process personal data on the Customer’s behalf.
1. Roles
The Customer (typically a clinic) decides what personal data is processed and why — it is the Controller. Kahloon processes that data only to provide the Service — it is the Processor. Each party complies with the data protection laws that apply to it.
2. What we process
- Subject matter: providing the Clinic by Kahloon service.
- Duration: for as long as the Customer uses the Service.
- Types of data: account details of staff; and patient data including identity, contact, visit, clinical, and billing information — which may include health data.
- Data subjects: the Customer’s staff and patients.
3. Our obligations
- Process personal data only on the Customer’s documented instructions, including as set out in the agreement.
- Keep personal data confidential and ensure our personnel are bound by confidentiality.
- Apply appropriate technical and organisational security measures (Section 5).
- Not sell personal data or use it for our own advertising.
4. Sub-processors
The Customer authorises us to use sub-processors to deliver the Service. We require each to provide an equivalent level of protection. Current sub-processors:
- Microsoft Azure — cloud hosting and storage.
- Stripe — payment processing.
- [Email provider] — transactional and sign-in email.
We will give notice of new sub-processors and a reasonable opportunity to object.
5. Security measures
- Encryption of data in transit and at rest, including encryption of sensitive fields.
- Strict logical separation so one organisation’s data is never accessible to another.
- Role-based access control, and an audit log of access to, and changes to, clinical records.
- Encryption keys managed in a dedicated key vault with restricted access.
6. Assisting the Controller
Taking into account the nature of processing, we will reasonably assist the Customer in responding to data subject requests and in meeting its security, breach-notification, and assessment obligations.
7. Personal data breaches
If we become aware of a breach affecting the Customer’s personal data, we will notify the Customer without undue delay and provide the information reasonably needed for the Customer to meet its obligations.
8. International transfers
Data may be processed in the United States and other regions where we or our sub-processors operate. Where required, we will put appropriate transfer safeguards in place.
9. Return and deletion
On termination, we will, at the Customer’s choice, delete or return the personal data within a reasonable period, except where we are required by law to retain it.
10. Audits
On reasonable request, we will make available information necessary to demonstrate compliance with this Addendum, and support audits within reasonable, agreed limits.
11. Liability and governing law
This Addendum is subject to the liability terms of the main agreement and is governed by the laws of the State of Delaware, United States, alongside any data protection law that applies to the Customer.
12. Contact
For data processing matters, contact info@kahloon.com.