DATA PROCESSING AGREEMENT

Between Pranik Technologies Private Limited (Data Processor)
and the Registered Medical Practitioner / Healthcare Entity (Data Fiduciary)
Effective Date: [Date of Execution] | Version 1.0
Last Reviewed: March 2025

RECITALS
WHEREAS, the Controller (as identified in Schedule 1) is a Registered Medical Practitioner or healthcare entity who, in the course of providing teleconsultation and clinical healthcare services to patients through the P4D platform, independently determines the purposes and means of processing Patient Personal Data - including what clinical questions to ask, what diagnoses to record, what treatments to recommend, and what prescriptions to issue. In doing so, the Controller acts as an independent Data Fiduciary under the DPDP Act, 2023 in respect of the clinical sphere of processing;

WHEREAS, the Processor - Pranik Technologies Private Limited, operating as Pranik.ai - independently determines the purposes and means of its own platform infrastructure decisions: data security architecture, sub-processor selection, audit log maintenance, retention period implementation, and AI model improvement through irreversibly anonymized data. In doing so, the Processor acts as an independent Data Fiduciary in its own right under the DPDP Act in respect of the platform infrastructure sphere of processing;

WHEREAS, within the specific and bounded activity of transmitting, storing, and making Patient Personal Data accessible for the purpose of facilitating the Controller's consultations - and only for that purpose - the Processor acts as a Data Processor on behalf of the Controller, processing Patient Personal Data solely on the Controller's documented instructions as set out in this Agreement;

WHEREAS, the parties therefore occupy the following distinct roles simultaneously:
The Controller is Data Fiduciary for the clinical sphere - the purposes, content, and conduct of the clinical relationship between the Controller and the patient, including all clinical notes, diagnoses, treatment decisions, and prescriptions;
The Processor is Data Fiduciary for the platform infrastructure sphere - technology, security, sub-processors, audit logs, retention implementation, and post-anonymization AI improvement activities that the Controller does not direct;
The Processor is Data Processor for the consultation facilitation sphere - the bounded set of activities in Clause 2.2, carried out solely on the Controller's documented instructions;

WHEREAS, both parties acknowledge that this allocation reflects the true operational structure of the P4D platform - neither party fully controls all aspects of the processing, and each bears independent legal obligations under the DPDP Act corresponding to the sphere in which it acts as Data Fiduciary;

WHEREAS, applicable Indian law - in particular the DPDP Act and the IT-SPDI Rules, 2011 - requires that processing of Personal Data by a Data Processor on behalf of a Data Fiduciary be governed by a written agreement setting out the obligations and rights of each party;

NOW, THEREFORE, in consideration of the mutual obligations set forth herein and the services provided under the P4D Terms and Conditions ("Principal Agreement"), the parties agree as follows:

  1. DEFINITIONS AND INTERPRETATION

Controller / Data Fiduciary
The Registered Medical Practitioner or healthcare entity identified in Schedule 1, who independently determines the purposes and means of processing Patient Personal Data in the course of providing healthcare services. The Controller is a Data Fiduciary under the DPDP Act for the Clinical Sphere.
Processor / Data Processor
Pranik Technologies Private Limited (Pranik.ai), which: (a) acts as Data Processor on behalf of the Controller for consultation facilitation activities (Clause 2.2); and (b) acts as an independent Data Fiduciary for the Platform Infrastructure Sphere - security, sub-processors, retention, and post-anonymization AI improvement.
Clinical Sphere
Processing for which the Controller is Data Fiduciary: the content of consultations, clinical notes, diagnoses, prescriptions, and all clinical outputs determined by the Controller's independent professional judgment.
Consultation Facilitation Sphere
Processing for which the Processor acts as Data Processor on the Controller's behalf: transmitting Patient Personal Data from P4P to P4D, storing records during the active consultation period, and making data accessible to the Controller - as set out in Clause 2.2.
Platform Infrastructure Sphere
Processing for which the Processor is Data Fiduciary: security architecture, sub-processor engagement, audit log maintenance, retention period implementation, breach response, and - post-anonymization - AI model training and improvement. The Controller does not instruct these activities.
Data Principal
The patient whose Personal Data is processed - the P4P App user consulting the Controller through P4D. Data Principals have rights against both the Controller (Clinical Sphere) and the Processor (Platform Infrastructure Sphere) independently under the DPDP Act.
Patient Personal Data
Personal Data and Sensitive Personal Data of patients transmitted to the P4D App from P4P for consultation facilitation. Categories set out in Schedule 2.
Processing
Any operation carried out on Personal Data - collection, storage, use, access, disclosure, erasure, or destruction - whether automated or manual.
Sub-Processor
Any third party engaged by the Processor to process Patient Personal Data on behalf of the Processor in connection with the Consultation Facilitation Sphere services.
Security Incident / Data Breach
Any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Patient Personal Data processed under this Agreement.
DPDP Act
The Digital Personal Data Protection Act, 2023, as amended, with all rules framed thereunder.
IT-SPDI Rules
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Principal Agreement
The P4D Terms and Conditions between the Processor and the Controller.
Applicable Law
The DPDP Act, IT-SPDI Rules, Telemedicine Practice Guidelines 2020, and all other applicable Indian laws governing Personal Data processing.

Terminology note: 'Data Fiduciary' maps to 'Controller' and 'Data Processor' maps to 'Processor' under GDPR. The three-sphere framework - Clinical, Consultation Facilitation, and Platform Infrastructure - has no direct GDPR equivalent but is consistent with the GDPR concept of independent controllers with distinct purposes over the same data.

[LAWYER REVIEW FLAG - DUAL FIDUCIARY ARCHITECTURE] The three-sphere framework in these Recitals and Definitions represents the parties' best current characterisation of the data flow structure on P4D. A DPDP Act specialist should confirm before execution: (a) whether this allocation is consistent with how the DPDP Rules 2025 will define roles when fully in force; (b) whether patients require separate notice that both Controller and Processor act as independent Data Fiduciaries for different aspects of their data; and (c) whether the transition from Consultation Facilitation Sphere to Platform Infrastructure Sphere at the point of anonymization is correctly framed in Clause 3.8.

  1. SUBJECT MATTER, NATURE, AND DURATION OF PROCESSING

2.1 Subject Matter
This Agreement governs the processing of Patient Personal Data by the Processor on behalf of the Controller, solely in connection with the Processor's operation of the P4D platform and provision of the services described in the Principal Agreement.

2.2 Nature of Processing
The Processor processes Patient Personal Data for the following activities, each of which is performed exclusively to enable the Controller to deliver healthcare services to patients:
Receiving and transmitting patient pre-consultation SOAP summaries from the P4P App to the P4D App for review by the Controller.
Storing consultation records, doctor's notes, and post-consultation summaries generated during or after teleconsultations conducted by the Controller.
Storing and managing draft and finalised prescriptions generated through the P4D App.
Processing CDSS Lite interaction logs - the Controller's acceptance, modification, or rejection of AI-generated clinical suggestions.
Storing Live Scribe consultation transcripts, subject to the Controller's activation and approval.
Transmitting appointment scheduling and availability data between the P4P and P4D systems.
Processing Patient payment and transaction data for consultation fee processing (where applicable).
Maintaining audit logs of the Controller's clinical activity on the P4D platform, as required by applicable law.

2.3 Purposes of Processing
The Processor processes Patient Personal Data solely for the following purposes, which are determined by the Controller:
Facilitating teleconsultation between the Controller and the patient.
Enabling the Controller to review, approve, and issue prescriptions through the P4D App.
Maintaining clinical records as required under applicable law and professional obligations.
Processing consultation fees on behalf of the Controller.
The Processor shall NOT process Patient Personal Data for any purpose other than those set out above without the prior written instruction of the Controller, except where required to do so by applicable law.

2.4 Duration
This Agreement shall be effective from the date of execution and shall remain in force for as long as the Processor processes Patient Personal Data on behalf of the Controller under the Principal Agreement. This Agreement terminates automatically upon termination of the Principal Agreement, subject to the provisions of Clause 10 (Termination and Data Return).

  1. OBLIGATIONS OF THE DATA PROCESSOR

3.1 Processing on Instructions Only
The Processor shall process Patient Personal Data only on documented instructions from the Controller, as set out in this Agreement and the Principal Agreement, or as required by Applicable Law. If the Processor is required by Applicable Law to process Patient Personal Data for a purpose not contemplated by this Agreement, the Processor shall inform the Controller of that legal requirement before processing, unless Applicable Law prohibits such disclosure.

3.2 Confidentiality
The Processor shall ensure that all personnel authorized to process Patient Personal Data are subject to binding obligations of confidentiality, whether under employment contracts, non-disclosure agreements, or applicable professional obligations. The Processor shall ensure that access to Patient Personal Data is limited to personnel who have a demonstrable need to access it for the purposes of this Agreement.

3.3 Security Measures
The Processor shall implement and maintain appropriate technical and organizational security measures to protect Patient Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. At a minimum, the Processor's security measures shall include:
Encryption of Patient Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256).
Strict role-based access controls with least-privilege principles, ensuring only authorized personnel can access Patient Personal Data.
Multi-factor authentication for all personnel with access to systems storing Patient Personal Data.
Regular security audits, vulnerability assessments, and penetration testing by qualified third-party security professionals.
Secure, geographically segregated data storage with automated backup and recovery procedures.
Comprehensive incident response and breach notification procedures.
Employee security training and awareness programmes, updated at least annually.
Secure deletion and destruction procedures for Patient Personal Data at end of retention period.

The Processor's security measures are described in greater detail in Schedule 3 (Technical and Organisational Security Measures) to this Agreement.

3.4 Sub-Processors
The Controller hereby grants the Processor general written authorization to engage Sub-Processors for the processing activities described in this Agreement, subject to the following conditions:
The Processor shall notify the Controller of any intended addition of or change to any Sub-Processor by updating the Sub-Processor List maintained at pranik.ai/subprocessors and by providing at least 30 (thirty) days' prior written notice to the Controller.
The Controller may object to the appointment of a new Sub-Processor on reasonable data protection grounds within 14 (fourteen) days of receiving notice. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the relevant services by providing 30 days' written notice to the Processor.
The Processor shall impose on each Sub-Processor data protection obligations equivalent to those applicable to the Processor under this Agreement, by way of a written contract.
The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations. A Sub-Processor's failure to fulfil its data protection obligations shall not relieve the Processor of its obligations under this Agreement.
The current list of Sub-Processors engaged by the Processor for Patient Personal Data processing is set out in Schedule 4 to this Agreement.

3.5 Assistance to the Controller
The Processor shall, to the extent technically feasible and subject to applicable law, provide reasonable assistance to the Controller:
In fulfilling the Controller's obligations to respond to requests from Data Principals (patients) exercising their rights under the DPDP Act, including rights of access, correction, erasure, data portability, and withdrawal of consent.
In complying with the Controller's security, breach notification, and audit obligations under Applicable Law.
By making available to the Controller all information reasonably necessary to demonstrate the Processor's compliance with this Agreement.

3.6 Data Minimization and Purpose Limitation
The Processor shall:
Not collect more Patient Personal Data than is strictly necessary for the purposes set out in Clause 2.3.
Not use Patient Personal Data for any secondary purpose - including analytics, advertising, marketing, or training of general AI models - without the prior written consent of the Controller and, where required, of the patient.
Anonymize or pseudonymize Patient Personal Data wherever technically feasible and consistent with the purposes of processing.

3.7 No Sale of Patient Data
The Processor shall not sell, rent, disclose, or otherwise transfer Patient Personal Data to any third party for commercial purposes. The Processor shall not use Patient Personal Data to build user profiles, behavioural databases, or advertising segments.

3.8 Explicit Authorisation for Anonymization and AI Model Training
The Controller hereby explicitly authorises and instructs the Processor to carry out the following processing activities, which the Processor requires in order to operate and improve the P4D platform:
Irreversible anonymization of Patient Personal Data: The Processor is authorised to apply a rigorous, multi-step anonymization process to Patient Personal Data - including consultation transcripts and CDSS Lite interaction logs - such that all personally identifiable information is irreversibly removed and the resulting data can no longer be attributed to any individual patient or to the Controller.
Use of anonymized data for AI model training: Once Patient Personal Data has been irreversibly anonymized in accordance with this clause, the resulting anonymized data ceases to be Personal Data under the DPDP Act, 2023. The Processor is authorised to use such anonymized data to train, fine-tune, test, and improve its proprietary AI models - including CDSS Lite, Live Scribe, and clinical language models - for which the Processor acts as Data Fiduciary in its own right, not as Processor on behalf of the Controller.
This clause reflects the parties' mutual understanding that: (a) the Processor's role as Data Processor applies only to identifiable Patient Personal Data; (b) once data is irreversibly anonymized by the Processor, the Processor's subsequent use of that data for AI training falls outside the scope of this Agreement and the DPDP Act, as anonymized data is not Personal Data; and (c) the anonymization step itself - the act of de-identifying the data - is carried out by the Processor on the Controller's instruction as set out in this clause, completing the Processor's obligations in respect of that data.

3.9 Model Weights - Technical Clarification
For the avoidance of doubt: deletion or anonymization of source Patient Personal Data under this Agreement refers to deletion of original identifiable records. Neural network model weights derived from anonymized training data exist as aggregate mathematical parameters and cannot be individually identified, attributed to specific patients or the Controller, or selectively removed from a trained model. The Processor confirms that no trained model weights contain identifiable Personal Data in recoverable form. Deletion of source records constitutes full compliance with the Processor's erasure obligations under this Agreement in respect of training data.

  1. OBLIGATIONS OF THE DATA FIDUCIARY (CONTROLLER)

4.1 Lawfulness of Instructions
The Controller warrants and represents that:
All instructions provided to the Processor regarding the processing of Patient Personal Data comply with Applicable Law.
The Controller has obtained all consents, permissions, and authorizations required under Applicable Law (including the Telemedicine Practice Guidelines, 2020) to transmit Patient Personal Data to the Processor for the purposes described in this Agreement.
The Controller has provided patients with adequate notice of the processing of their data by the Processor, including information about the P4D platform.

4.2 Patient Rights Management
The Controller is responsible for managing and responding to Patient rights requests under the DPDP Act (access, correction, erasure, portability, withdrawal of consent). Where a patient's rights request relates to data processed by the Processor on the Controller's behalf, the Controller shall notify the Processor and coordinate the response. The Processor shall provide reasonable technical assistance as described in Clause 3.5.

4.3 Professional Obligations
The Controller acknowledges its independent professional obligations under the Telemedicine Practice Guidelines, 2020, the NMC Code of Medical Ethics, and the IT-SPDI Rules, 2011 with respect to Patient data confidentiality and security. This Agreement does not diminish or replace those obligations.

  1. SECURITY INCIDENTS AND DATA BREACH NOTIFICATION

5.1 Processor's Notification Obligation
In the event that the Processor becomes aware of a Security Incident affecting Patient Personal Data, the Processor shall:
Notify the Controller without undue delay, and in any event within 72 (seventy-two) hours of becoming aware of the Security Incident, by email to the Controller's registered email address and to dpo@pranik.ai.
Provide the Controller with the following information in the initial notification (or as soon as reasonably practicable thereafter):
A description of the nature of the Security Incident, including - where possible - the categories and approximate number of Data Principals affected;
The categories and approximate volume of Patient Personal Data records affected;
The name and contact details of the Processor's Data Protection Officer or other contact point;
A description of the likely consequences of the Security Incident;
A description of the measures taken or proposed to address the Security Incident and mitigate its possible adverse effects.
Cooperate fully with the Controller in any investigation, remediation, and regulatory notification required as a result of the Security Incident.
Not make any public statement or media disclosure about the Security Incident without the prior written consent of the Controller, unless required to do so by Applicable Law.

5.2 Controller's Notification Obligation
The Controller is responsible for assessing whether a Security Incident notified by the Processor constitutes a Personal Data Breach requiring notification to the Data Protection Board of India (once established) or to affected patients, in accordance with Applicable Law. The Processor shall provide all reasonable assistance to the Controller in making this assessment.

5.3 Controller-Discovered Incidents
If the Controller becomes aware of a potential Security Incident or unauthorized access to Patient Personal Data through the P4D platform, the Controller shall notify the Processor at dpo@pranik.ai without undue delay. The Processor shall investigate and respond within 24 hours of notification.

  1. AUDIT RIGHTS AND COMPLIANCE VERIFICATION

6.1 Right to Audit
The Controller has the right to audit the Processor's compliance with this Agreement, subject to the following conditions:
The Controller shall give the Processor at least 30 (thirty) days' prior written notice of any intended audit, unless a Security Incident has occurred, in which case the Controller may request an expedited audit on 5 (five) business days' notice.
Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations.
Audits shall be limited to the Processor's data processing activities relating to Patient Personal Data processed under this Agreement.
The Controller may conduct the audit itself or appoint an independent, qualified third-party auditor, subject to that auditor signing an appropriate confidentiality agreement with the Processor.
The cost of audits shall be borne by the Controller, unless the audit reveals a material non-compliance by the Processor, in which case the Processor shall bear the reasonable cost of the audit.

6.2 Audit Reports and Certifications
The Processor shall, upon request and no more than once per year (unless a Security Incident has occurred), provide the Controller with:
A summary of its most recent third-party security audit report or penetration testing results (with commercially sensitive information redacted).
Evidence of current security certifications, if any (e.g., ISO 27001, SOC 2), where applicable and available.
A written confirmation that the Processor's security measures comply with the requirements of Schedule 3.

  1. INTERNATIONAL TRANSFERS OF PATIENT PERSONAL DATA

7.1 Data Localisation
Patient Personal Data shall be stored and processed on servers located within the territory of India, in compliance with applicable data localisation requirements under Indian law. The Processor shall use data centre infrastructure with Indian data residency for all primary storage of Patient Personal Data.

7.1A Third-Party AI Infrastructure - Explicit Confirmation
The Processor explicitly confirms the following in respect of its use of third-party AI and machine learning infrastructure:
No identifiable Patient Personal Data - including consultation records, patient health histories, diagnostic data, or any data that could be used to identify a patient - is transmitted to any third-party foundation model provider, general-purpose AI platform, or cloud AI service.
Third-party AI compute infrastructure providers receive only anonymized or synthetic data. All Patient Personal Data is irreversibly de-identified before it reaches any third-party AI environment, in accordance with the anonymization authorisation in Clause 3.8.
Primary storage and processing of all identifiable Patient Personal Data and Doctor's Input Data remains within India. Only anonymized data may be processed on compute infrastructure outside India, and only under the contractual safeguards described in Clause 7.3.

7.2 Permitted Cross-Border Transfers
Patient Personal Data may only be transferred outside the territory of India in the following circumstances:
To countries notified by the Central Government of India as providing an adequate level of data protection under the DPDP Act.
Under contractual arrangements with the receiving party that impose data protection obligations equivalent to those applicable under Indian law.
With the prior written consent of both the Controller and the affected patients, where the transfer involves Sensitive Personal Data.

7.3 Sub-Processor Transfers
Where any Sub-Processor listed in Schedule 4 is located outside India, the Processor shall ensure that the transfer to that Sub-Processor complies with the requirements of Clause 7.2. The Processor shall document the legal basis for each cross-border transfer in the Sub-Processor agreement.

7.4 Future Regulatory Compliance - Cross-Border Transfers
The parties acknowledge that the cross-border transfer framework under the DPDP Act, 2023 is subject to ongoing rule-making by the Central Government of India, including the publication of adequacy decisions, permitted country lists, and transfer mechanism requirements. The Processor shall comply with any future notifications, transfer restrictions, or adequacy determinations issued by the Central Government under the DPDP Act as and when they come into force, without requiring an amendment to this Agreement. Where such future requirements necessitate material changes to the Processor's data transfer arrangements, the Processor shall notify the Controller within 30 (thirty) days of the relevant notification taking effect and provide details of the measures taken to achieve compliance.

  1. DATA RETENTION AND DELETION

8.1 Retention Period
The Processor shall retain Patient Personal Data processed under this Agreement for no longer than the periods set out in Schedule 5 (Retention Schedule), or as required by Applicable Law, whichever is longer. Retention periods reflect mandatory requirements under the Telemedicine Practice Guidelines, 2020, the Drugs and Cosmetics Act, the Clinical Establishments Act, and the DPDP Act.

8.2 Deletion on Instruction
Upon written instruction from the Controller - or upon termination of this Agreement - the Processor shall, within 30 (thirty) days of the instruction or termination date:
Delete or irreversibly anonymize all Patient Personal Data no longer required for the purposes of this Agreement and not subject to a mandatory retention obligation.
Provide the Controller with written confirmation that deletion or anonymization has been completed.
Return to the Controller, in a machine-readable format, any Patient Personal Data that the Controller requests be transferred to the Controller or to a successor processor.

8.3 Mandatory Retention After Termination
Notwithstanding Clause 8.2, the Processor shall retain Patient Personal Data for the mandatory periods set out in Schedule 5 even after termination of this Agreement, solely to fulfil its legal obligations. Such data shall not be used for any operational purpose during the post-termination retention period.

  1. DATA PRINCIPAL RIGHTS - ALLOCATION OF RESPONSIBILITY

The parties agree to the following allocation of responsibility for responding to Data Principal (patient) rights requests:

Data Principal Right
Controller's Responsibility
Processor's Obligation
Right of Access
Assess and respond to patient access requests.
Provide access to relevant data upon Controller's written instruction within 15 days.
Right to Correction
Instruct the Processor to correct specific data.
Correct identified data within 10 business days of instruction.
Right to Erasure
Determine whether erasure is lawful (subject to retention obligations) and instruct.
Execute erasure within 30 days of instruction, subject to statutory retention.
Right to Data Portability
Facilitate data export to patient or another processor.
Provide data in JSON or CSV format within 15 days of instruction.
Right to Withdraw Consent
Manage patient consent withdrawal and determine downstream effects.
Cease the relevant processing within 5 business days of instruction.
Right to Grievance Redressal
Primary point of contact for patient grievances.
Cooperate with Controller investigations; provide data and technical information as needed.

  1. TERM AND TERMINATION

10.1 Term
This Agreement is effective from the date of execution and remains in force for as long as the Processor processes Patient Personal Data on behalf of the Controller under the Principal Agreement.

10.2 Termination on Termination of Principal Agreement
This Agreement terminates automatically upon termination of the Principal Agreement. Clauses 8 (Data Retention and Deletion), 11 (Liability), 12 (Governing Law), and the Schedules survive termination.

10.3 Termination for Cause
Either party may terminate this Agreement immediately by written notice if the other party:
Commits a material breach of this Agreement that is incapable of remedy, or that is not remedied within 30 days of written notice of the breach.
Becomes insolvent, enters liquidation, or ceases to trade.
Is required by Applicable Law or a regulatory direction to cease processing Patient Personal Data.

10.4 Effect of Termination
Upon termination of this Agreement: (a) the Processor shall comply with its data deletion obligations under Clause 8.2; (b) the Processor shall provide the Controller with a summary of all Patient Personal Data retained under mandatory legal obligations and the applicable retention period for each category; (c) the Processor shall provide reasonable assistance to the Controller in migrating Patient Personal Data to a successor processor.

  1. LIABILITY

11.1 Processor Liability
The Processor shall be liable to the Controller for direct losses and damages suffered by the Controller as a result of the Processor's breach of its obligations under this Agreement, subject to the limitations set out in Clause 11.3.

11.2 Controller Liability
The Controller shall be liable to the Processor for direct losses and damages suffered by the Processor as a result of the Controller's breach of its obligations under this Agreement or the provision of unlawful processing instructions.

11.3 Limitation of Liability
Except for breaches of confidentiality obligations, data security obligations, or obligations arising from the mandatory provisions of the DPDP Act:
Neither party's total aggregate liability to the other under this Agreement shall exceed the total fees paid by the Controller to the Processor under the Principal Agreement in the six (6) months preceding the event giving rise to the claim. Nothing in this Agreement limits liability for death or personal injury caused by a party's gross negligence or wilful misconduct.
Neither party shall be liable for indirect, consequential, special, punitive, or exemplary damages.

11.4 Patient Claims
If a patient brings a claim against the Controller or the Processor arising from a Security Incident or unlawful processing: (a) the parties shall cooperate in defending the claim; (b) liability shall be allocated between the parties in proportion to their respective responsibility for the incident causing the claim; (c) each party shall indemnify the other to the extent the claim is attributable to the indemnifying party's breach of this Agreement or Applicable Law.

  1. GOVERNING LAW AND DISPUTE RESOLUTION
    12.1 Governing Law
    This Agreement shall be governed by and construed in accordance with the laws of India, without regard to conflict of law principles.

12.2 Dispute Resolution
Any dispute arising out of or in connection with this Agreement shall first be attempted to be resolved by senior representatives of both parties through good faith discussions within 30 (thirty) days of written notice. If unresolved, the dispute shall be referred to binding arbitration under the Arbitration and Conciliation Act, 1996 (as amended). The seat and venue shall be Hyderabad, Telangana, India. The language shall be English. The arbitral award shall be final and binding.

12.3 Jurisdiction
Subject to the arbitration clause, the courts at Hyderabad, Telangana, India shall have exclusive jurisdiction over disputes arising out of this Agreement.

  1. GENERAL PROVISIONS
    13.1 Entire Agreement
    This Agreement, together with its Schedules, constitutes the entire agreement between the parties with respect to the processing of Patient Personal Data and supersedes all prior agreements on this subject. In the event of conflict between this Agreement and the Principal Agreement, this Agreement shall prevail with respect to data protection matters.

13.2 Severability
If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.3 Amendments
This Agreement may only be amended by written agreement signed by authorised representatives of both parties, except that the Processor may update Schedule 4 (Sub-Processor List) in accordance with Clause 3.4, and the Processor may update Schedule 3 (Security Measures) to reflect improvements to security, provided such improvements do not reduce the level of protection below the minimum required by this Agreement.

13.4 No Waiver
No failure or delay by either party in exercising any right under this Agreement constitutes a waiver of that right.

13.5 Assignment
Neither party may assign or transfer its rights or obligations under this Agreement without the prior written consent of the other party, except that the Processor may assign this Agreement in connection with a merger, acquisition, or sale of substantially all its assets, provided the assignee assumes all obligations under this Agreement.

SCHEDULES

SCHEDULE 1 - DETAILS OF THE PARTIES

Data Processor
Company Name
Pranik Technologies Private Limited
Brand Name
Pranik.ai / P4D

DPO Name
[Name of DPO to be inserted]
DPO Email
dpo@pranik.ai
Support Email
support@pranik.ai
Website
https://pranik.ai

Data Fiduciary (Controller)
Full Name of Doctor / Entity
[To be completed by the Controller]
NMC / State Council Reg. No.
[To be completed]
Registered Address
[To be completed]
Contact Email
[To be completed]
Contact Mobile
[To be completed]
Clinic / Hospital Name
[If applicable]
GST Number
[If applicable]

SCHEDULE 2 - CATEGORIES OF PATIENT PERSONAL DATA

Category
Data Points
Sensitivity
Identity Data
Name, date of birth, gender, contact details, government ID reference
Personal Data
Health History
Medical history, current diagnoses, allergies, chronic conditions, surgical history
Sensitive Personal Data - Health
Medication Data
Current medications, dosages, prescription history, refill records
Sensitive Personal Data - Health
Diagnostic Data
Lab test results, radiology reports, diagnostic reports, immunization records
Sensitive Personal Data - Health
Pre-Consultation Summary
PHA Avatar-generated SOAP summary of patient's health intake
Sensitive Personal Data - Health
Consultation Records
Audio/video/text of teleconsultation (where recorded); doctor's notes; post-consultation summary
Sensitive Personal Data - Health
Prescription Data
Draft and finalized prescriptions generated through P4D
Sensitive Personal Data - Health / Financial
Payment Data
Transaction records, consultation fee receipts (no card details stored)
Personal Data - Financial
Location Data
Patient location at time of consultation booking (if provided)
Personal Data
Emergency Data
Emergency contact details provided by patient; emergency event logs
Personal Data

SCHEDULE 3 - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

This Schedule sets out the minimum security measures maintained by the Processor. The Processor may implement additional or enhanced measures at any time.

Security Control
Description
Data Encryption
All Patient Personal Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Keys managed through a dedicated key management service.
Access Controls
Role-based access controls with least-privilege principles. Access to Patient Personal Data limited to personnel with documented need-to-know. Access reviewed quarterly.
Authentication
Multi-factor authentication mandatory for all personnel with access to systems processing Patient Personal Data. Password policies enforce complexity and rotation.
Data Segregation
Patient Personal Data logically segregated by Controller (Doctor) to prevent cross-access between different Controllers' patient data.
Security Audits
Annual third-party penetration testing and vulnerability assessments. Internal security reviews conducted quarterly. Results reported to the Processor's senior management.
Incident Response
Documented incident response plan with defined escalation procedures, breach containment protocols, and notification obligations. Plan tested annually through simulated exercises.
Physical Security
Processor infrastructure hosted in data centres with physical security controls including access control, CCTV, and environmental monitoring. Data centres located within India.
Employee Training
All personnel with access to Patient Personal Data trained on data protection and security obligations at onboarding and annually thereafter.
Backup and Recovery
Regular automated backups of Patient Personal Data with tested recovery procedures. Backup data encrypted to the same standard as primary data.
Secure Deletion
Patient Personal Data securely deleted using methods that prevent recovery upon expiry of retention period or upon receipt of deletion instruction.
Sub-Processor Controls
All Sub-Processors contractually required to implement security measures at least equivalent to those in this Schedule.

SCHEDULE 4 - CURRENT SUB-PROCESSORS

This Schedule is updated on an ongoing basis. The current version is always available at pranik.ai/subprocessors. The Processor will provide 30 days' prior notice of any addition or change to Sub-Processors processing Patient Personal Data.

Sub-Processor Category
Purpose
Data Location
Data Transferred
Cloud Infrastructure Provider
Data storage and application hosting
India
All Patient Personal Data categories
Payment Processing Partner
Consultation fee disbursement
India
Payment and transaction data only
Credential Verification (KYC) Provider
NMC / State Council API verification
India
Doctor identity data only
Communication Service Provider
SMS, email, push notification delivery
India
Name, contact details (no health data)
Analytics / Crash Reporting
Platform performance monitoring
India
Anonymized usage data only

SCHEDULE 5 - DATA RETENTION SCHEDULE

Data Category
Retention Period
Legal / Regulatory Basis
Consultation Records and EHR
Minimum 7 years from last consultation
Telemedicine Practice Guidelines 2020; Clinical Establishments Act; Medical Council regulations
Prescription Records
Minimum 5 years
Drugs and Cosmetics Act; Medical Council regulations
CDSS Lite Interaction Logs (identifiable)
1 year
Operational necessity; legal compliance
CDSS Lite Interaction Logs (anonymized)
3 years
Legitimate use - clinical AI improvement
Live Scribe Transcripts (approved)
As part of consultation records - 7 years
Telemedicine Practice Guidelines 2020
Payment / Transaction Records
Minimum 8 years
Income Tax Act; GST regulations; PMLA
Audit Logs of Clinical Activity
Minimum 1 year
IT Act; DPDP Act; regulatory compliance
Patient Identity and Contact Data
Duration of patient account + 3 years
DPDP Act; KYC regulatory requirements
Emergency Event Logs
2 years
Operational necessity; legal compliance
Anonymized / Aggregate Data
Indefinite (no longer Personal Data post-anonymization)
Not subject to erasure obligations once anonymized

EXECUTION
IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the date first written above.

FOR PRANIK TECHNOLOGIES PRIVATE LIMITED (Data Processor):

Authorised Signatory: _______________________________
Name: _____________________________________________
Designation: ________________________________________
Date: ______________________________________________

FOR THE DATA FIDUCIARY (Controller - Doctor / Healthcare Entity):

Full Name: _________________________________________
NMC / State Council Registration No.: __________________
Clinic / Hospital Name (if applicable): __________________
Designation / Specialization: ___________________________
Digital Signature / Signature: ___________________________
Date: ______________________________________________