Data Processing Addendum (DPA)

Version: 2026-01-26
Applies to: LinkHMS clinic and hospital management SaaS
Parties:

• Processor: LinkHMS BV (Netherlands) (“LinkHMS”)
• Controller: The clinic / legal entity accepting this DPA (“Customer”)

This DPA is part of the LinkHMS Terms and Conditions (the “Terms”). By accepting the Terms, Customer also accepts this DPA.

If there is a conflict between this DPA and the Terms on processing of Customer Personal Data, this DPA controls.

Single contact: For any DPA, privacy, or security questions (including incidents), contact contact@linkhms.com

“Customer Personal Data” means personal data processed by LinkHMS on behalf of Customer under the Terms, including patient/health data and clinic operational data.

“Applicable Data Protection Law” means (as applicable) GDPR and applicable EU Member State laws, and the Nigeria Data Protection Act 2023 and related NDPC guidance/directives.

“Subprocessor” means a third party engaged by LinkHMS to process Customer Personal Data.

“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

• Customer is the Controller of Customer Personal Data.
• LinkHMS is the Processor of Customer Personal Data.
• Annex A describes the processing (subjects, categories, purposes, duration).
• Customer responsibility: Customer is responsible for determining lawful basis, providing required notices to data subjects, and configuring the Service appropriately for its workflows.
• LinkHMS is an independent controller only for LinkHMS’s own business data (for example HR, accounting, corporate compliance). This DPA covers only Customer Personal Data.

• LinkHMS will process Customer Personal Data only on Customer’s documented instructions, including Customer’s configuration and use of the service, and as needed to provide, secure, and maintain the service.
• If LinkHMS is required by applicable law to process Customer Personal Data outside Customer’s instructions, LinkHMS will notify Customer before doing so unless legally prohibited.
• Aggregated metrics: LinkHMS may generate and use aggregated, de-identified usage metrics that do not identify patients or the clinic, for operating, securing, and improving the Service. These metrics are not Customer Personal Data.

LinkHMS will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations (contractual or statutory) and are trained on handling sensitive/health data.

• LinkHMS will implement appropriate technical and organizational measures to protect Customer Personal Data, including measures in Annex B.
• LinkHMS may update security measures over time, provided that updates do not materially reduce the overall security of the Service.

• Customer authorizes LinkHMS to use Subprocessors as needed to deliver the Service.
• Current Subprocessors are listed in Annex C.
• Updates: LinkHMS may add or replace Subprocessors and will make the updated list available (for example via email notice, in-product notice, or an updated Annex C published with this DPA).
• If Customer is not comfortable with a Subprocessor change, Customer may stop using the Service and terminate under the Terms (check section 12), and request deletion/return of data under Section 9.
• LinkHMS will impose data protection obligations on Subprocessors that are no less protective than this DPA and remains responsible for their performance.

• LinkHMS will provide reasonable assistance to help Customer respond to data subject requests, taking into account the nature of processing and the information available to LinkHMS.
• LinkHMS will assist with Customer’s compliance obligations related to security, breach notification, impact assessments, and prior consultation, to the extent applicable and reasonably feasible.

• LinkHMS will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
• The notification will include, to the extent available:
  1. description of the nature of the breach;
  2. categories of data and data subjects affected;
  3. where feasible, approximate number of affected data subjects/records;
  4. likely consequences/risks;
  5. measures taken or proposed to address/contain the breach and mitigate harm;
  6. a contact point for follow-up.
• Customer is responsible for any notifications to regulators, patients, or other third parties unless applicable law requires LinkHMS to notify.

• Upon termination or expiry of the service, LinkHMS will (at Customer’s choice, where the service supports it) return Customer Personal Data and/or delete it within a reasonable time.
• Backups: Customer Personal Data may remain in encrypted backups for a limited period and will be deleted as backups expire under LinkHMS’s standard retention schedule (see Annex B). Backups are not restored except for disaster recovery or testing.

• LinkHMS will make available information reasonably necessary to demonstrate compliance with this DPA (for example a security overview, policies, and relevant third-party reports where available).
• Audits (minimum, legally-required level): To the extent required by Applicable Data Protection Law, LinkHMS will allow and contribute to audits or inspections. Any such audit will be limited to a reasonable, remote review of documentation and security controls, during normal business hours, subject to confidentiality, and at Customer’s cost.

Regional hosting approach:

• EU clinics: data is hosted in the EU deployment.
• US and Canada clinics data is hosted in the US deployment
• African clinics: data is hosted in the Africa deployment.
• All other clinics: data is hosted in either the EU deployment or the Africa deployment, as selected by Customer

• Access restrictions: LinkHMS restricts administrative access and uses permissioned, logged access for support. Subprocessors are restricted to the minimum needed.
• If access or processing happens outside the selected deployment region: LinkHMS will implement appropriate safeguards as required by Applicable Data Protection Law.

Liability, disclaimers, and limitation of liability are as set out in the Terms (unless applicable law requires otherwise).

This DPA starts when Customer accepts the Terms and continues until LinkHMS deletes or returns Customer Personal Data under Section 9.

Subject matter: Provision of clinic management SaaS (appointments, patient records, clinical notes, billing/invoicing, reporting), support, and security operations.

Duration: For the term of the service under the Terms, plus deletion/backup retention periods described in Annex B.

Nature of processing: Collection, recording, structuring, storage, retrieval, consultation, use, disclosure (limited to authorized users/subprocessors), transmission, and deletion.

Purpose(s):

• Provide and operate the LinkHMS service for Customer
• User authentication and access management
• Customer support (permissioned access only)
• Security monitoring, logging, and incident response
• Backups, disaster recovery, and service continuity

Categories of data subjects:

• Patients of Customer
• Customer staff users (doctors, nurses, administrators)
• Clinic contacts and billing contacts

Categories of personal data:

• Patient identifiers and contact details
• Health and medical record data (special category data under GDPR)
• Appointment, treatment, and clinical notes
• Billing and invoicing data
• User account and access data (email, roles, permissions)
• Audit logs and security telemetry

Special categories of data: Health data and medical records (as applicable). Customer controls what is entered into the Service.

LinkHMS implements a risk-based security program. Measures include (non-exhaustive):

Access control

• Role-based access control and least privilege
• Authentication controls for users and admins
• Administrative access restricted and logged

Encryption

• Encryption in transit (TLS) for data sent between clients and the service
• Encryption at rest for stored data where appropriate
• Key management controls

Logging and monitoring

• Audit logging for user access, admin actions, and key data operations
• Alerting for suspicious activity and operational/security incidents
• Permissioned support access with auditable logs (“break-glass” where needed)

Backups and resilience

• Regular backups of production data
• Backup access restricted and encrypted
• Restore procedures documented

Restore testing

• Periodic restore tests (at least quarterly) or equivalent DR testing to validate recoverability

Vulnerability and change management

• Routine patching of infrastructure and dependencies (risk-based)
• Security review for material infrastructure changes
• Secrets management (no hardcoded secrets in repositories)

Data minimisation and isolation

• Logical tenant separation and environment separation (prod vs non-prod)
• No use of Customer production health data in testing environments unless explicitly instructed by Customer (and then minimized, protected, and time-bound)

Retention and deletion

• Deletion/return workflows on termination as per Section 9
• Encrypted backups retained for a limited period (example: 30-90 days) and deleted as they expire under standard backup lifecycle policies