Legal document
Data Processing Agreement (DPA)
Last updated :
This agreement forms an integral part of the general terms of use. It sets out the respective obligations of the Clinic (Data Controller) and Oulitech (Data Processor) when Oulitech processes personal data on behalf of the Clinic in the context of les plateformes Oulitech.
1. Definitions
- Data: any personal data processed by Oulitech on behalf of the Clinic through the platform.
- Data subjects: the Clinic's patients and, ancillarily, members of its staff.
- Applicable law: Algerian loi n° 18-07 of 10 June 2018 (Algerian Personal Data Protection Act) and, where relevant, the GDPR (EU 2016/679).
2. Purpose and duration
Oulitech processes the Data for the sole purpose of providing the clinical service. The processing lasts for as long as the Clinic remains a customer, plus the return and deletion period provided for in article 9.
3. Nature of processing
- collection through entry by Clinic staff via the interface;
- recording, structuring and retention in a database;
- consultation, modification and deletion by authorised users;
- automated transmission for the sending of notifications (for example appointment reminders);
- archiving, backup and, ultimately, secure erasure.
4. Categories of data and data subjects
| Category of persons | Categories of data |
|---|---|
| Patients | Identity (surname, first name, date of birth, gender, national identification number), contact details (phone, email, emergency contact), health data (free-text clinical notes, entered medical history, appointment history), data relating to appointments and the waiting queue. |
| Clinic staff | Professional identity, email, phone, role, permissions, sign-in history, account status. |
5. Oulitech's obligations as data processor
- process the Data only on documented instructions from the Clinic, within the limits set by the contract;
- ensure confidentiality through contractual undertakings from any staff member with access to the Data;
- implement the security measures described in our Security Statement;
- assist the Clinic with its obligations to respond to data subject requests;
- notify the Clinic without undue delay, and no later than within 72 hours, of any confirmed Data breach;
- delete or return the Data at the end of the service, at the Clinic's choice.
6. Clinic's obligations
- have a valid legal basis for each processing carried out through the platform, and obtain the required consents;
- inform its patients of the use of Oulitech as a data processor;
- correctly configure the roles and permissions of its staff so as to respect the principle of access minimisation;
- respond to patients' requests to exercise their rights, using the export and deletion tools provided.
7. Subprocessors
All application data (databases, backups, uploaded files) is hosted in Algeria.Only the delivery of the web interface and the sending of transactional emails rely on providers outside the national territory.
| Subprocessor | Role | Data processed | Location |
|---|---|---|---|
| Icosnet (Algeria) | Application servers, databases, encrypted backups | All patient, clinic and user data | Algeria |
| Vercel Inc. (United States) | Delivery of the static files of the web interface; web analytics for the public marketing site (cookieless, aggregate) | No patient data | Outside Algeria |
| Resend Inc. (United States) | Sending of confirmation, reminder and notification emails | Recipient email address, name, date and time of appointment, Clinic name | Outside Algeria |
Oulitech informs the Clinic of any addition or replacement of a subprocessor at least thirty (30) daysbefore it goes into production.
8. Transfers outside the national territory
As a principle, patient and clinic data does not leave the Algerian territory. Only the two exceptions listed above involve processing outside Algeria, within a strictly limited scope.
9. Return and deletion
At the end of the contract, the Clinic has a period of thirty (30) days to request the export of its Data. After that period, Oulitech proceeds to delete it from production environments within the following thirty (30) days, then from backups within an additional period not exceeding thirty (30) days.
10. Audit
The Clinic may request, once a year and with reasonable advance notice, a documentary audit of the measures implemented by Oulitech.
11. Liability
Each party is liable for damages caused by the failure to comply with its own obligations. Oulitech's liability may not exceed, all causes combined, the annual amount paid by the Clinic for the subscription, except in the event of gross or wilful misconduct.
12. Contact
For any question concerning data processing: hello@ouli.tech.