Clinic: American Hospital for Plastic Surgery
Data Processing Agreement (DPA)
This is a starter template for informational purposes. A lawyer should review it, and the parties should sign a final version.
1. Roles
American Hospital for Plastic Surgery acts as the Controller and M Studio Digital acts as the Processor providing the software platform and technical support.
2. Subject matter and duration
Processing includes patient data managed within the application for the duration of the service agreement.
3. Data types and categories
- Patients and portal users
- Contact data, appointment data, medical documents and attachments
4. Processor obligations
- Process data only on documented instructions from the Clinic.
- Implement appropriate security measures (RBAC, audit logs, HTTPS, backups).
- Use sub-processors only as needed (hosting/email/push) under appropriate contractual safeguards.
- Assist the Clinic with data subject requests and compliance where applicable.
5. Security incidents
The Processor will notify the Clinic without undue delay upon becoming aware of a personal data incident.
6. Deletion/return
Upon termination, data will be returned or deleted per the Clinic’s instructions unless otherwise required by law.