Data Processing Agreement
First Step Investments (Pty) Ltd t/a MediScan | Version 1.0 | Effective: 1 June 2025
This Agreement is a binding contract entered into between the Facility and MediScan. It governs the processing of personal information under POPIA. The Facility must complete the signature block before going live.
Parties
Responsible Party ("Controller")
Facility name: _______________________________________________
Registration number: ___________________________________________
Physical address: ________________________________________________
Information Officer: _____________________________________________
Email: ___________________________________________________________
Operator ("Processor")
First Step Investments (Pty) Ltd t/a MediScan
Registration: [to be inserted upon incorporation]
Address: PO Box XXX, Johannesburg, 2000
Information Officer: information.officer@medi-scan.co.za
The Responsible Party and MediScan are each referred to as a "Party" and together as the "Parties".
1. Background
The Responsible Party operates a healthcare facility ("Facility") and has contracted MediScan to provide a patient identity verification and encounter management platform ("Service"). In providing the Service, MediScan will Process Personal Information (including Special Personal Information) on behalf of the Responsible Party. This Agreement sets out the terms on which MediScan processes such information in compliance with POPIA.
2. Definitions
| Term | Meaning |
|---|---|
| POPIA | Protection of Personal Information Act 4 of 2013 and subordinate regulations, as amended. |
| Personal Information | Has the meaning in POPIA s 1 and includes Special Personal Information. |
| Special Personal Information | Biometric data, health and medical information as defined in POPIA s 26–32. |
| Process / Processing | Has the meaning in POPIA s 1 (collection, use, storage, modification, deletion, etc.). |
| Data Subject | A patient or staff member whose Personal Information is processed under this Agreement. |
| Sub-operator | A third party engaged by MediScan to process Personal Information under this Agreement. |
| Security Incident | Any actual or reasonably suspected unauthorised access, loss, destruction, or disclosure of Personal Information. |
3. Subject Matter, Nature, Purpose and Duration of Processing
| Item | Detail |
|---|---|
| Subject matter | Patient identity and clinical encounter data managed through the MediScan Platform. |
| Nature | Collection, storage, retrieval, verification, transmission to HMS, audit logging, anonymised reporting. |
| Purpose | Biometric patient identification to prevent medical identity fraud; encounter management; POPIA-compliant consent capture. |
| Categories of data subjects | Patients registered at the Facility; Facility staff with Platform access. |
| Categories of personal information | Identity (name, ID number, DOB), biometric templates, health encounter records, consent records, audit events. |
| Duration | For the term of the Service Agreement plus any statutory retention obligations (minimum as set out in the Patient Privacy Notice). |
4. MediScan's Obligations as Operator
MediScan shall:
- Process Personal Information only on the documented instructions of the Responsible Party, except where required to do so by South African law.
- Ensure that personnel authorised to process Personal Information are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures as required by POPIA s 19, including those described in Schedule A.
- Not engage Sub-operators without prior written authorisation from the Responsible Party, and when authorised, impose equivalent data protection obligations on each Sub-operator (see Schedule B).
- Provide reasonable assistance to the Responsible Party to respond to Data Subject rights requests (access, correction, deletion, objection) within 10 business days of receipt.
- Provide reasonable assistance in ensuring compliance with POPIA ss 19 (security), 22 (breach notification), and 14 (retention).
- At the Responsible Party's choice, securely delete or return all Personal Information on termination of the Service Agreement, and delete existing copies unless retention is required by law.
- Make available all information necessary to demonstrate compliance with this Agreement, and permit audits or inspections by the Responsible Party or its authorised auditor, on 30 days' written notice, at MediScan's normal business premises.
5. Security Incident Notification
- MediScan will notify the Responsible Party of a Security Incident within 24 hours of becoming aware of it, via the Information Officer email specified above.
- The notice will include (to the extent known): nature of the incident; categories and approximate number of data subjects and records affected; likely consequences; measures taken or proposed to address it.
- MediScan will keep the Responsible Party informed as further information becomes available.
- The Responsible Party remains solely responsible for notifying the Information Regulator under POPIA s 22 within the prescribed period (as soon as reasonably possible), unless MediScan is instructed in writing to give notice on its behalf.
6. Responsible Party's Obligations
The Responsible Party shall:
- Ensure it has a valid lawful basis for processing each category of Personal Information before instructing MediScan to process it.
- Obtain patients' explicit informed consent for biometric and health data before each registration, in the form provided or approved by MediScan.
- Promptly inform MediScan of any change in applicable law that affects the instructions given under this Agreement.
- Train all Authorised Users on the Staff Terms of Use and POPIA obligations before granting Platform access.
- Ensure Authorised Users do not access the Platform from unsecured devices or share credentials.
- Notify MediScan promptly when an Authorised User's access should be revoked (resignation, dismissal, role change).
7. Sub-operators
The Responsible Party grants general written authorisation for MediScan to use the following Sub-operators, subject to equivalent data protection obligations:
| Sub-operator | Service provided | Data transferred | Location |
|---|---|---|---|
| Google LLC (Firebase / Firestore) | Cloud data storage & authentication | All patient and audit data | US (us-central1); SCC in place |
| Google LLC (Firebase Hosting) | Static web application hosting | None (static assets only) | Global CDN |
MediScan will inform the Responsible Party of any intended change to the above list at least 14 days in advance, giving the Responsible Party the opportunity to object.
8. Cross-Border Transfers
Processing of Personal Information outside South Africa (Google Firebase in the US) is governed by Google's Standard Contractual Clauses as approved under GDPR Article 46(2)(c). MediScan has carried out a Transfer Impact Assessment and determined that the level of protection is adequate for the purposes of POPIA s 72. A copy of this assessment is available on request.
9. Liability
- Each Party is responsible for its own compliance with POPIA and this Agreement.
- MediScan's total aggregate liability under this Agreement is limited to the amounts set out in the Service Agreement.
- Neither Party shall be liable for the other's breach of POPIA obligations except to the extent caused by that Party's own failure.
10. Term and Termination
This Agreement commences on the date of last signature and continues for the duration of the Service Agreement. Either Party may terminate this Agreement immediately on written notice if the other Party materially breaches its obligations and fails to remedy the breach within 15 business days of notice.
11. Governing Law
This Agreement is governed by the laws of the Republic of South Africa. Disputes shall be submitted to binding arbitration under AFSA rules before a single arbitrator in Johannesburg, without prejudice to the right to approach the courts for urgent relief.
Schedule A - Technical and Organisational Security Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ on all API and web traffic; HSTS enforced. |
| Encryption at rest | Google Cloud Firestore AES-256 encryption at rest. |
| Access control | Role-based access (staff / admin / super_admin); facility-scoped Firestore security rules. |
| Authentication | Firebase Auth (email/password + optional MFA); WebAuthn/FIDO2 for biometric device binding. |
| Biometric protection | Fingerprint templates stored as one-way hashed vectors (SHA-256 with per-patient salt); original images never retained. |
| Audit logging | Append-only audit_log collection in Firestore; all access, mutations, and administrative actions logged with user, timestamp, and action type. |
| Penetration testing | Annual third-party penetration test; results shared with Responsible Party under NDA. |
| Vulnerability management | Dependency scanning on every CI run (Dependabot / OWASP Dependency Check). |
| Incident response | Documented IRP; 24-hour notification SLA; post-incident reports within 5 business days. |
| Business continuity | Firebase multi-region read replication; daily Firestore exports to Cloud Storage; RTO 4h, RPO 24h. |
Schedule B - Approved Sub-operator Template Clauses
Each Sub-operator agreement must include:
- An obligation to process Personal Information only on documented instructions from MediScan.
- Confidentiality obligations at least as stringent as those in this Agreement.
- Technical and organisational security measures meeting or exceeding Schedule A.
- A 24-hour Security Incident notification obligation to MediScan.
- Audit rights for MediScan on 30 days' notice.
- Data deletion / return obligations on termination.
Signatures
The duly authorised representatives of each Party sign this Agreement as follows:
RESPONSIBLE PARTY
Signed by:
Name:
Title:
Date:
On behalf of:
MEDISCAN (PTY) LTD
Signed by:
Name:
Title:
Date:
Information Officer