Data Processing Agreement (Template)
For use between Qlinniq (Data Fiduciary) and any third-party processor that touches patient data on our behalf. Governed by the DPDP Act, 2023 and the IT Act, 2000.
This template lays out the mandatory protections every processor must contractually accept before being granted access to Qlinniq patient information. Vendor onboarding must produce a counter-signed copy filed with the Qlinniq compliance team.
1. Roles
Qlinniq is the Data Fiduciary; the vendor is the Data Processor. The processor must process personal data only on documented instructions from Qlinniq.
2. Permitted purposes
Vendor may use the data only for the specified service (notification delivery, error monitoring, video session relay, etc.) and must not retain, share, or repurpose the data after the engagement ends.
3. Security controls
- Encryption in transit and at rest equivalent to AES-256.
- Role-based access; no shared service accounts.
- Access audit logs retained ≥180 days, producible on request.
- Independent SOC 2 / ISO 27001 attestation refreshed annually.
- Secure SDLC, dependency review, vulnerability management.
4. Sub-processing
Vendor must obtain Qlinniq’s written consent before engaging sub-processors and must contractually flow down equivalent protections.
5. Cross-border transfer
Data must remain inside India unless Qlinniq has approved a specific cross-border transfer in writing. The transfer consent given to the patient must accommodate the vendor’s processing geography.
6. Breach notification
Vendor must notify Qlinniq of any actual or suspected personal-data breach within 2 hours of discovery so Qlinniq can meet the CERT-In 6-hour reporting deadline. Notification must include scope, root cause, and containment status.
7. Patient rights
Vendor must support Qlinniq in fulfilling DPDP patient rights (access, correction, withdrawal) within 7 calendar days of a forwarded request.
8. Termination
On termination, vendor must purge all Qlinniq data within 30 days and provide a written certificate of destruction.
9. Governing law
Governed by the laws of India. Disputes subject to the jurisdiction of the courts at Mumbai, Maharashtra.
Active processors
The current list of contracted processors and their DPA execution dates lives in the admin compliance dashboard at /admin/data-rights.