Introduction
This Data Processing Agreement ("DPA") is entered into between the clinic subscribing to the NOXV platform (the "Controller") and NOXV (the "Processor").
This DPA supplements the Terms of Service and establishes the rights and obligations of both parties regarding the processing of personal data. It is designed to ensure compliance with Saudi Arabia's Personal Data Protection Law (PDPL) and the Saudi Data and Artificial Intelligence Authority (SDAIA) regulations.
Scope and Purpose
Data Subjects: Patients who interact with the AI receptionist and clinic staff who use the admin dashboard.
Data Types Processed:
Patient identity data: full name.
Patient contact data: phone number (E.164 format), together with a SHA-256 hash of that number used as a lookup identifier. The hash is a pseudonym rather than anonymization (the E.164 number space is small enough to be enumerated) and is treated as personal data.
Appointment data: booking details, scheduling, rescheduling, and cancellation records.
Communication data: conversation history and message logs.
Voice data: call recordings and transcripts.
Behavioral data: interaction patterns and preferences.
Staff identity data: display name.
Staff authentication data: email address and scrypt-hashed password.
Audit data: admin action logs and access records.
Purpose of Processing: Data is processed solely for platform operations, security, and legal obligations.
Data is NOT used for: marketing, sale to third parties, or AI model training.
Processor Obligations
NOXV, as the Processor, commits to the following obligations:
Process personal data only in accordance with the documented instructions of the Controller. If the Processor believes an instruction infringes applicable data protection law, it shall promptly notify the Controller.
Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations.
Implement appropriate technical and organizational security measures, including:
TLS 1.2+ encryption for data in transit.
AES-256 encryption for data at rest.
AES-256-GCM encryption for OAuth tokens.
scrypt hashing for passwords.
Role-based access control (RBAC), with every clinic's records scoped to its tenantId so that staff of one clinic cannot read or modify another clinic's data.
Row-level security (RLS) policies that enforce the same tenant scoping at the database layer, independently of application code.
Comprehensive audit logging.
Redis-backed rate limiting.
Circuit breaker patterns for external service calls.
Async queue with dead letter queue (DLQ) for reliable message processing.
Data Breach Notification
In the event of a personal data breach, the Processor shall:
Notify the Controller within 48 hours of becoming aware of the breach.
The notification shall include: the nature of the breach, the contact point for further information, the likely consequences of the breach, and the measures taken or proposed to address and mitigate the breach.
Cooperate fully with the Controller in investigating, mitigating, and remediating the breach.
Document the breach in a breach register, including the facts surrounding the breach, its effects, and the remedial actions taken.
Assist the Controller in meeting its obligations to notify SDAIA and affected data subjects as required by the PDPL.
Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests within the following timeframes:
Right of access: 15 business days.
Right to rectification: 5 business days.
Right to erasure: 15 business days.
Right to data portability (JSON/CSV format): 15 business days.
Right to object or restrict processing: 5 business days.
Upon receiving a data subject request directly, the Processor shall promptly forward it to the Controller and shall not respond without the Controller's authorization, unless legally required to do so.
Sub-Processors
The Processor engages the following sub-processors:
OpenAI (USA): Enterprise API for AI conversation processing. Data submitted through the API is not used by OpenAI for model training.
Google (configurable region): Calendar API for appointment scheduling.
Telegram (international): Bot API for patient messaging.
Twilio (configurable region): WhatsApp and Voice communication.
ElevenLabs (USA/EU): Voice synthesis.
SMTP Provider: Email notifications.
Cloud Infrastructure: KSA/GCC region recommended for data residency.
The Processor shall provide the Controller with at least 30 days' notice before engaging any new sub-processor. The Controller may object to the appointment of a new sub-processor. If the objection cannot be resolved, the Controller may terminate the affected services.
Cross-Border Transfers
Personal data shall only be transferred outside the Kingdom of Saudi Arabia with adequate protection or appropriate safeguards in place, including Standard Contractual Clauses (SCCs) where applicable.
The Processor shall conduct a Transfer Impact Assessment for any cross-border data transfer.
A data localization option is available for Controllers who require data to remain within KSA or GCC regions.
Data Retention and Deletion
Data is retained in accordance with the retention periods specified in the Privacy Policy:
Active patient records: subscription duration plus 12 months.
Appointment records: 3 years.
Conversation logs: 12 months.
Voice recordings: 90 days.
Admin audit logs: 24 months.
LLM call logs: 12 months.
Rate limit logs: 7 days.
Deletion Timeline Upon Termination:
Days 0-30: Data export period. The Controller may export all data in JSON/CSV format.
Days 31-90: Data retained only in encrypted backups and no longer accessible through the platform.
Day 91: Permanent deletion of all data, with a written certificate of deletion provided to the Controller.
Audit Rights
The Controller has the right to:
Review the Processor's security documentation and certifications.
Request compliance evidence and reports.
Conduct one audit per year at no charge.
Conduct an additional audit at no charge following a personal data breach.
Conduct further audits beyond those above at the Controller's own cost.
The Processor shall cooperate fully with all audit activities and provide timely access to relevant documentation, systems, and personnel.