Data Processing Agreement
How CliniqPulse processes patient and clinic data on your behalf, and the obligations of both parties.
Last updated: 1 June 2026 · Effective date: 1 June 2026
1. Scope & Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Data Fiduciary" or "Clinic") and CliniqPulse (the "Data Processor") for the use of the CliniqPulse Service. It governs the processing of personal data — including patient health records, contact details, and financial information — entered into or generated by the Service.
This DPA is designed to comply with the Digital Personal Data Protection Act, 2023 (India) ("DPDPA") and other applicable data protection legislation.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person, including patient names, phone numbers, dates of birth, and health information.
- Processing — any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- Data Fiduciary — the clinic or healthcare provider that determines the purposes and means of processing personal data (you).
- Data Processor — CliniqPulse, which processes personal data on behalf of the Data Fiduciary.
- Sub-processor — a third party engaged by CliniqPulse to assist in processing (e.g. Google Firebase).
3. Obligations of CliniqPulse (Data Processor)
CliniqPulse agrees to:
- Process personal data only on documented instructions from the Data Fiduciary, as set out in the Terms of Service and this DPA
- Ensure that all personnel with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures as described in Section 5
- Notify the Data Fiduciary within 72 hours of becoming aware of a personal data breach
- Delete or return all personal data upon termination of the Service agreement, within 30 days
- Make available all information necessary to demonstrate compliance with this DPA
4. Obligations of the Clinic (Data Fiduciary)
As Data Fiduciary, the Clinic agrees to:
- Obtain all required consents from patients before entering their personal data into CliniqPulse
- Ensure that use of the Service complies with the DPDPA and any other applicable healthcare data regulations
- Maintain appropriate clinic-level access controls (not sharing login credentials between staff members)
- Promptly inform CliniqPulse of any data subject requests (patient requests for access, correction, or deletion)
5. Technical & Organisational Security Measures
CliniqPulse implements the following security measures for the protection of personal data:
- Encryption at rest: All Firestore data is encrypted using AES-256
- Encryption in transit: All connections use TLS 1.2 or higher
- Access control: Role-based access (admin, receptionist, pharmacist) limits data exposure
- Firebase security rules: Firestore rules restrict reads and writes to authenticated clinic users only
- Audit logging: Firebase provides audit trails for data access in paid tiers
- Infrastructure compliance: Google Firebase holds ISO 27001, SOC 2 Type II, and other certifications
6. Sub-processors
CliniqPulse currently uses the following sub-processors for data processing activities:
- Google Firebase — Authentication, Firestore database, and hosting (Google Cloud, Iowa US / Singapore)
- Payment gateway — Billing and subscription management (does not process patient data)
We will inform you of any intended changes to sub-processors with 14 days' advance notice. You may object to new sub-processors within that period.
7. International Transfers
Your data may be stored on Google Firebase infrastructure outside India (e.g. Singapore or US regions). Google's Standard Contractual Clauses and Firebase's data processing terms govern such transfers. We recommend selecting the Firebase region closest to India (asia-south1 — Mumbai) when configuring your project to minimise data residency concerns.
8. Data Subject Rights
If a patient exercises their rights under DPDPA (access, correction, erasure), you as the Data Fiduciary are responsible for fulfilling that request. CliniqPulse will assist by providing the data export and deletion capabilities built into the Settings page. For further assistance, contact support@cliniqpulse.in.
9. Contact
Data protection queries:
CliniqPulse Data Protection
Email: dpo@cliniqpulse.in
Address: Ahmedabad, Gujarat — 380001, India