DATA PROCESSING AGREEMENT
Healthcare Provider Edition — Polygon Health EHR & Telehealth
Polygon Digital Ltd. | GDPR Article 28 + Article 9 Compliant | Version 1.0 | Effective 1 March 2026
This Data Processing Agreement (‘DPA’) is entered into between the Healthcare Provider organisation identified in the signature block below (‘Controller’) and Polygon Digital Ltd., Dublin, Ireland (‘Polygon Digital’, ‘Processor’) as part of the Polygon Health EHR / Telehealth Platform subscription agreement (‘Main Agreement’).
This DPA reflects the parties’ obligations under Regulation (EU) 2016/679 (GDPR), in particular Articles 28 and 9, in respect of the processing of personal data — including special category health data — through the Polygon Health EHR and Telehealth platforms.
1. Roles and Definitions
• ‘Controller’ — the Healthcare Provider: determines the purposes and means of processing patient and staff personal data
• ‘Processor’ — Polygon Digital Ltd.: processes personal data on behalf of the Controller using the EHR/Telehealth platform
• ‘Special Category Data’ — health, medical, and clinical data within the meaning of GDPR Article 9
• ‘Patient Data’ — all personal data relating to patients, clients, or service users entered into the platform by the Controller
• ‘Sub-processor’ — any third party engaged by Polygon Digital to process personal data on behalf of the Controller
• ‘EHR Platform’ — Polygon Health EHR and associated modules (telehealth, billing, analytics) operated at polygondigital.co
2. Processing Details
2.1 Nature and Purpose
Polygon Digital processes personal data — including special category health data — for the purpose of providing, maintaining, and supporting the Polygon Health EHR and Telehealth platform as contracted. Processing includes: storing and displaying patient records (including ICD-11 coded diagnoses), scheduling and appointment management, telehealth session facilitation, e-prescription support (in supported jurisdictions), clinical document storage, billing and invoicing, and analytics reporting for practice management purposes.
2.2 Legal Basis for Special Category Data (Art. 9)
Patient health data (special category data) is processed on the basis of GDPR Article 9(2)(h) — processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health care or treatment, or the management of health care systems and services — as enacted into Irish law by the Data Protection Act 2018, Schedule 2, Part 1. The Controller is responsible for establishing and documenting its own legal basis for collecting and inputting patient data.
2.3 Categories of Data Subjects
• Patients and clients of the healthcare provider
• Healthcare practitioners, clinicians, and administrative staff of the Controller
• Third parties referenced in clinical documentation
2.4 Categories of Personal Data
• Patient identifiers: name, date of birth, PPS/NHS number or equivalent national identifier, contact details
• Medical history: diagnoses (ICD-11), allergies, medications, past procedures
• Clinical records: consultation notes, practitioner observations, referral letters
• Investigations: lab results, imaging reports, diagnostic findings
• Prescriptions and medication records (in supported jurisdictions)
• Appointment and scheduling data
• Billing and insurance information
• Telehealth session data (metadata; content only where recording is enabled by the Controller)
• Staff and practitioner identifiers, credentials, and access logs
2.5 Duration
Processing continues for the term of the Main Agreement plus any legally mandated retention period. In Ireland, clinical records must be retained for a minimum of 8 years from the date of last entry for adults (longer for children’s records per HSE guidelines). The Controller remains responsible for specifying and enforcing retention requirements.
3. Processor Obligations
Polygon Digital shall:
• Process personal data only on the documented instructions of the Controller, unless required by applicable law
• Ensure that all staff and sub-processors with access to personal data are bound by enforceable confidentiality obligations
• Implement and maintain technical and organisational measures as set out in Clause 5
• Not process patient health data for any purpose other than providing the contracted EHR/Telehealth service
• Not use patient data to train AI or machine learning models without explicit written consent from the Controller
• Assist the Controller in responding to Data Subject rights requests under GDPR Articles 15–22
• Notify the Controller within 48 hours of becoming aware of a personal data breach involving the Controller’s data
• Assist the Controller in conducting Data Protection Impact Assessments (DPIAs) where required by GDPR Art. 35
• Make available all information necessary to demonstrate compliance with GDPR Art. 28 and permit audits
• Return or securely delete all personal data upon termination as directed by the Controller
4. Controller Obligations
The Controller warrants that it: has established a lawful basis under GDPR Art. 6 and Art. 9 for all personal data input into the EHR; has provided appropriate transparency information to patients and staff; has the authority to provide instructions to Polygon Digital as Processor; and will notify Polygon Digital promptly of any changes to applicable law that affect data processing obligations.
5. Security Measures (GDPR Article 32)
Technical Measures
• TLS 1.2+ encryption for all data in transit between client systems and Polygon Digital infrastructure
• AES-256 encryption for all health data stored at rest
• Role-based access control (RBAC) with minimum-necessary access principles
• FHIR-compliant data architecture with audit trail for all data access and modifications
• Automated backup and tested disaster recovery procedures with defined RPO and RTO
• Intrusion detection and vulnerability management programme
• Multi-factor authentication mandatory for all administrative access to production systems
Organisational Measures
• Written information security policy with annual review
• Staff training on data protection and healthcare data confidentiality
• Documented incident response procedure with breach notification workflow
• Sub-processor due diligence and contractual obligations
• Annual internal security review; penetration testing on material platform changes
6. Sub-processors
6.1 General Authorisation
The Controller provides general written authorisation for Polygon Digital to engage sub-processors for platform delivery, subject to the conditions in this Clause.
6.2 Current Sub-processors
| Sub-processor | Service | Location | Safeguard |
| Supabase (or equiv.) | Database & auth | EU region | GDPR compliant |
| Azure / AWS | Cloud infra & hosting | EU region | EU SCCs |
| Stripe | Billing & payments | USA | SCCs + PCI-DSS |
| Sentry (or equiv.) | Error monitoring | USA | SCCs |
| AI/ML service (if used) | Document intelligence | EU preferred | DPA + SCCs |
6.3 Changes to Sub-processors
Polygon Digital shall provide the Controller with at least 30 days’ written notice of any intended change to sub-processors involving health data. The Controller may object within 14 days on documented GDPR grounds. Unresolved objections entitle the Controller to terminate the affected services without penalty.
7. International Transfers
Where patient health data is transferred outside the EEA, Polygon Digital ensures appropriate safeguards are in place per GDPR Chapter V, including Standard Contractual Clauses (Module 2 — Controller to Processor) pursuant to Commission Implementing Decision 2021/914. For African market deployments, data localisation requirements of the applicable jurisdiction will be observed where mandated by local law.
8. Data Subject Rights Assistance
Polygon Digital shall assist the Controller in responding to Data Subject rights requests (GDPR Articles 15–22) within timeframes that allow the Controller to respond within 30 days of receipt of a request. Polygon Digital cannot respond directly to patient rights requests — all such requests must be channelled through the treating healthcare provider (the Controller).
9. Data Breach Notification
In the event of a personal data breach involving health data, Polygon Digital shall notify the Controller without undue delay and within a maximum of 48 hours of becoming aware of the breach. Notification shall include: nature of the breach and categories of data affected; approximate number of Data Subjects impacted; likely consequences; and measures taken or proposed. The Controller remains responsible for notifying the Data Protection Commission within 72 hours per GDPR Art. 33, and notifying affected patients per Art. 34 where required.
10. DPIA Assistance
Given the nature of health data processing, DPIAs are likely to be required for deployment of the EHR system at scale. Polygon Digital shall provide all reasonable technical assistance to the Controller in conducting DPIAs under GDPR Art. 35, including documentation of our security measures, sub-processor list, and data flows.
11. Audit Rights
The Controller may conduct or commission an audit of Polygon Digital’s data processing activities relevant to this DPA no more than once per calendar year, with at least 30 days’ written notice. Polygon Digital may satisfy audit obligations by providing relevant third-party audit certifications (SOC 2 Type II, ISO 27001, or equivalent) where available.
12. Termination and Data Return
On termination of the Main Agreement, Polygon Digital shall: (a) at the Controller’s election, return all patient data in FHIR-compliant format within 30 days; or (b) securely delete all patient data and provide written certification of deletion. Polygon Digital may retain data beyond this period only where required by Irish or EU law, and shall inform the Controller of any such retention obligation.
13. Governing Law & Jurisdiction
This DPA is governed by the laws of Ireland. The parties submit to the exclusive jurisdiction of the Irish courts. Patient Data Subject rights may be enforced before any competent Supervisory Authority in the EU/EEA.
14. Conflict
This DPA is incorporated into and forms part of the Main Agreement. In the event of conflict between this DPA and the Main Agreement on data protection matters, this DPA shall prevail.
Signatures
By signing, the parties confirm their agreement to this Data Processing Agreement including the processing of special category health data as described herein.
| Healthcare Provider (Data Controller) | Polygon Digital Ltd. (Data Processor) |
| Organisation: | |
| Signature: | Signature: |
| Name: | Name: |
| Title: | Title: |
| Date: | Date: |
Email: [email protected]
Phone: +353 89 981 5670
Polygon Digital Ltd., 3 The Grove, Donabate, Co. Dublin, K36 KD27, Ireland | polygondigital.co
