Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service and governs our processing of personal data on behalf of a clinic under Art. 28 GDPR and the Swiss revFADP. It is entered into when the Controller accepts the Terms.

1. Parties & roles

The clinic ("Controller") determines the purposes and means of processing patient/clinical personal data. Lopes2Tech, a sole proprietorship of Paulo Lopes ("Processor") processes that data only on the Controller's documented instructions β€” the Terms and the Controller's use of the platform constituting such instructions.

2. Subject & duration

The Processor processes personal data to provide the Clinika OS service, for the term of the subscription and any wind-down period.

3. Data & data subjects (Annex I)

Data subjects: the Controller's patients/clients and its staff. Personal data: identity and contact details, appointment data, and β€” where the Controller enables those features β€” special-category health data (clinical notes, intake, consent, treatment plans).

4. Processor obligations

The Processor: keeps personnel bound to confidentiality; applies the technical and organisational security measures in Annex II (Art. 32); assists the Controller with data-subject requests, DPIAs and breach handling; notifies the Controller without undue delay on becoming aware of a personal-data breach; and makes available information necessary to demonstrate compliance and allows for audits.

5. Sub-processors (Annex III)

The Controller grants general authorisation to engage sub-processors. The Processor maintains a current list, gives advance notice of changes with a right to object, and binds each sub-processor to equivalent obligations.

6. International transfers

Where personal data is transferred outside Switzerland/the EEA, the Processor uses appropriate safeguards β€” Standard Contractual Clauses and, for certified US providers, the EU–US Data Privacy Framework (see Annex III).

7. Return & deletion

On termination the Processor deletes or returns all personal data (subject to any legal retention obligation) and deletes existing copies.

8. Liability & law

Liability is as set out in the Terms of Service. This DPA is governed by Swiss law.

Annex I β€” Processing details

Purpose: provision of the Clinika OS scheduling and practice-management service. Categories as in Β§3. Duration: the subscription term.

Annex II β€” Technical & organisational measures

Data stored in Switzerland (Supabase, Zurich); encryption in transit (TLS 1.2+) and at rest (AES-256); row-level security isolating each clinic; role-based access controls and audit logging; rate-limiting and abuse protection; error monitoring with anonymisation; regular backups. Measures are kept aligned with the production environment.

Annex III β€” Sub-processors

Supabase (Zurich, CH); Vercel; Stripe (US β€” DPF); Resend (US); Twilio (US); Sentry (US). Website-only analytics: Google Analytics / Vercel Analytics. This list is kept in step with the Privacy Policy.

Read our Privacy Policy β†’

Data Processing Agreement β€” Clinika OS | Clinika OS