Data Processing Agreement (DPA)
Template — effective on counter-signature. Last revised: May 16, 2026
This Data Processing Agreement is entered into between Project Line ('Processor') and the clinic identified in the Virtual Medical Assistant (VMA) account ('Controller'), pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR).
1. Subject matter and duration
Processor will process personal data on behalf of Controller solely to provide the Virtual Medical Assistant (VMA) service. Processing continues for the term of the Service subscription.
2. Nature and purpose; categories of data subjects
Personal data processed: patient identifiers, contact details, appointment information, clinical notes, and limited financial data necessary for invoicing. Categories of data subjects: patients of the Controller, staff of the Controller, and authorised end-users. Special categories (Art. 9 GDPR) — health data — are processed under Art. 9(2)(h) GDPR (medical treatment).
3. Processor obligations (Art. 28(3) GDPR)
- Process personal data only on documented instructions from the Controller, including with regard to transfers to a third country or international organisation.
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement the technical and organisational measures referred to in Art. 32 GDPR, as listed in the Privacy Policy §11.
- Engage sub-processors only with prior general authorisation, with at least 30 days' prior notice of changes (current list at /sub-processors).
- Assist the Controller in fulfilling data-subject requests under Arts. 12–23 GDPR.
- Notify the Controller of personal-data breaches without undue delay and within 72 hours of becoming aware.
- Delete or return all personal data after the end of the provision of services, at the Controller's choice, within 30 days.
- Make available to the Controller all information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits.
4. International transfers
Primary processing occurs in Azure Israel Central. Israel is recognised as an adequate country under Commission Implementing Decision 2011/61/EU. Where data is transferred to other jurisdictions (e.g., OpenAI US, Stripe US/EU, Twilio US), Standard Contractual Clauses (Commission Decision 2021/914) apply and additional safeguards under the EDPB Recommendations 01/2020 are implemented.
5. Sub-processors
The Controller authorises the sub-processors listed at /sub-processors. The Processor will give the Controller at least 30 days' prior written notice of any intended addition or replacement; the Controller may object on reasonable grounds within that period.
6. Liability
Subject to the limitation of liability stated in the Terms of Service, each party is liable for damage caused by processing only where it has not complied with obligations of the GDPR directed specifically to processors, or where it has acted outside or contrary to lawful instructions of the Controller (Art. 82 GDPR).
7. Execution
Acceptance is recorded server-side via the Legal Acceptance dialog (signer name + title + email + IP + UTC timestamp). A counter-signed PDF copy is provided on email request to emil.mamadov@projectlineil.com.