Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MyPatientScore ("we", "our", "us", or the "Processor") and healthcare providers using our platform ("you", "your", or the "Controller").

This DPA reflects the parties' agreement with respect to the processing of personal data, including health-related data, in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation ("GDPR").

2. Definitions

Terms such as "personal data", "processing", "controller", "processor", "data subject", and "special categories of personal data" shall have the meanings given to them in applicable data protection laws.

3. Scope and Purpose

This DPA applies to the processing of personal data by us on your behalf in connection with our provision of the MyPatientScore platform services.

The purpose of the processing is to enable patients to provide reviews and feedback about healthcare providers, which may include uploading images related to their healthcare experiences.

4. Nature of Processing

The personal data processed may include:

  • Patient names and contact information
  • Healthcare provider information
  • Review content and ratings
  • Images related to healthcare experiences
  • Dates of healthcare services

The data subjects are patients who choose to submit reviews on the platform.

5. Our Obligations

As the Processor, we shall:

  • Process personal data only on your documented instructions
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Assist you in responding to requests from data subjects
  • Assist you in ensuring compliance with security, breach notification, impact assessment, and consultation obligations
  • At your choice, delete or return all personal data to you after the end of the provision of services, and delete existing copies unless applicable law requires their retention
  • Make available to you all information necessary to demonstrate compliance with data protection obligations

6. Special Provisions for Medical Images

For images uploaded as part of healthcare reviews:

  • We will process such images only with the explicit consent of the data subject
  • We will implement additional security measures for storing and processing such images
  • We will automatically strip embedded metadata (such as EXIF data, which can include location, device and timestamp information) from images before they are stored, to reduce the personal data they carry
  • We will provide clear guidelines to users about appropriate content for images
  • We will enable data subjects to delete their images at any time

7. Your Obligations

As the Controller, you shall:

  • Ensure that you have a lawful basis for processing personal data
  • Provide clear information to data subjects about how their data will be processed
  • Respond to data subject requests in a timely manner
  • Not use the platform to process patient data outside the scope of reviews and feedback
  • Notify us promptly of any data subject requests or complaints related to the platform

8. Sub-processors

You hereby provide general authorization for us to engage sub-processors for the processing of personal data. We will maintain a list of current sub-processors and will inform you in advance of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object to such changes.

9. Data Transfers

We will not transfer personal data to countries outside the European Economic Area (EEA) unless the destination is covered by an adequacy decision or appropriate safeguards under Chapter V of the GDPR (such as Standard Contractual Clauses) are in place.

10. Audit Rights

You may audit our compliance with this DPA by requesting relevant documentation or, if necessary, by conducting an on-site audit. Such audits shall be subject to reasonable notice and shall not disrupt our normal operations.

11. Term and Termination

This DPA shall remain in effect for as long as we process personal data on your behalf. Upon termination of our services, we shall delete or return all personal data as specified in this DPA.

Last updated: 25 February 2025