Data Processing Agreement
Last updated: 22 May 2026
1. Scope & roles
For the meddilink.com marketing website, Meddilink is a controller (see the Privacy Policy). Where Meddilink processes customer or patient data on behalf of a clinic — for example, running MedART for an IVF clinic — Meddilink acts as a processor under the executable DPA, and the clinic is the controller. The signed DPA sets out the controller–processor relationship, the customer's documented instructions, and the scope of processing for that engagement.
2. Subject-matter, duration, nature & purpose
Annex I of the signed DPA records the specific subject-matter (e.g. clinical IVF cycle management, embryology lab records, scheduling, billing, patient communication), the duration (typically the term of the underlying subscription), the nature (storage, retrieval, structuring, and transmission within MedART workflows), and the purpose (delivery of the contracted service to the clinic). For UAE clinics, the Annex notes any DHA Nabidh or DOH Malaffi-specific obligations. For US clinics processing electronic protected health information (ePHI) under HIPAA, permitted use is limited to the engagement and to associated treatment, payment, and healthcare-operations activities listed in the Business Associate Agreement.
3. Categories of data & data subjects
Annex I lists the categories of data subjects (Meddilink typically processes data about patients, donors, surrogates, clinic staff, and clinic partners) and the categories of personal data — including special category data (health, genetic, biometric) where applicable under GDPR Art. 9, UAE PDPL Art. 6 / DIFC Data Protection Law, and the equivalent provisions in UK GDPR and the Australian Privacy Act.
4. Processor obligations
Under the signed DPA, Meddilink:
- (a) processes data only on the controller's documented instructions;
- (b) keeps personnel under written confidentiality obligations;
- (c) implements technical and organisational measures designed to support GDPR Art. 32 — AES-256 at rest, TLS 1.3 in transit, role-based access controls, and audit logging — as recorded in Annex II;
- (d) assists the controller with data-subject rights, DPIAs, and prior consultations with supervisory authorities;
- (e) notifies the controller of personal-data breaches without undue delay, with attention to jurisdiction-specific timelines: EU and UK GDPR, within 72 hours of awareness; US HIPAA, the 60-day Breach Notification Rule for ePHI; Australia, the Notifiable Data Breaches scheme, including the 30-day eligible-breach assessment window; and
- (f) deletes or returns customer data at the end of the engagement.
5. Sub-processors
Annex III lists Meddilink's authorised sub-processors — cloud infrastructure providers, hosted lab and imaging integrators, and communication channels such as WhatsApp Business API — together with the controller's right of change-notification and objection. Sub-processors are bound by written terms providing data-protection obligations equivalent to those Meddilink owes the controller, including HIPAA Business Associate flow-down for any sub-processor that handles ePHI.
6. International transfers
Where personal data leaves its origin jurisdiction, Meddilink relies on the appropriate transfer mechanism for the route:
- EU / EEA: the EU Standard Contractual Clauses (2021) for transfers out of the EEA.
- United Kingdom: the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, for transfers out of the UK.
- United Arab Emirates: customer data for UAE clinics is hosted on UAE-region cloud infrastructure designed to support DHA Nabidh and DOH Malaffi data-residency expectations. Onward-transfer restrictions are documented in Annex I.
- United States: an executed HIPAA Business Associate Agreement (BAA) plus a US state-privacy addendum covering CCPA / CPRA, VCDPA, CPA, CTDPA and equivalents, where the engagement involves US ePHI.
- Australia: Australian Privacy Act APP 8 cross-border accountability statement for engagements involving Australian personal information.
7. Audits & liability
The signed DPA grants the controller audit rights — by written notice, and through proportionate independent-auditor reports where appropriate. Meddilink's processor liability is aligned with the prevailing standards in each jurisdiction: controller–processor co-liability under GDPR Art. 82; business-associate liability under the HIPAA Omnibus Rule for ePHI; OAIC enforcement under the Australian Privacy Act. The order of precedence between this DPA, the main subscription agreement, and any applicable HIPAA BAA, EU SCC, or UK IDTA terms is set out in the DPA itself.
Request the executable DPA and Annexes: compliance@meddilink.com. See also the Privacy Policy.