Data Processing Agreement (DPA)

Last updated: May 1, 2026

This agreement governs the processing of patient data (patients' personal data) by 3yadtk as data processor on behalf of the subscribing clinic (data controller), per PDPL, FDPL, and other regional regulatory requirements.

1. Parties & Roles

The subscribing clinic is the Data Controller. 3yadtk is the Data Processor. 3yadtk acts only on the clinic's documented instructions regarding patient data.

2. Purpose of Processing

3yadtk processes patient data for the sole purpose of delivering clinic management services to the subscribing clinic.

3. Security Measures

Security measures include: AES-256 encryption at rest, TLS 1.3 in transit, MFA for administrative access, and data residency in the required geographic region.

4. Data Breach Notification

Upon discovering a data breach affecting patient data, we will notify the subscribing clinic within 72 hours of discovery.

5. Sub-processors

We use trusted sub-processors (Cloudflare R2 for storage, Sentry for error tracking). We notify clinics 30 days before any changes to sub-processors.

6. Data Deletion

Upon account termination, patient data is securely deleted within 90 days, unless retention regulations (e.g., NABIDH 25-year requirement) mandate longer retention.

7. Standard Contractual Clauses (SCC)

For transfers of personal data outside the European Economic Area or otherwise subject to GDPR Art. 46, 3yadtk adopts the EU Commission Standard Contractual Clauses (Module 2: Controller→Processor) as the primary international transfer mechanism.

Annex A — Description of Processing: Clinic operational data and electronic medical records for clinic management service delivery.

Annex B — Technical & Organisational Measures: AES-256 at rest, TLS 1.3 in transit, MFA, data residency, least-privilege access, immutable audit trail.

Annex C — Sub-processors: Cloudflare R2 (storage), Sentry (error monitoring). Full list available on request.

8. Regional Supervisory Authorities

If a complaint cannot be resolved internally, clinics and patients have the right to lodge a complaint with the relevant supervisory authority:

Country | Authority | Law
🇸🇦 Saudi Arabia | NDMO / SAMA | PDPL 2021
🇦🇪 UAE | TDRA | Federal DL 45/2021
🇪🇬 Egypt | MCIT | Law 151/2020
🇶🇦 Qatar | NPC | Law 13/2016
🇧🇭 Bahrain | PDPB (MOIC) | Law 30/2018
🇯🇴 Jordan | NIC | Law 24/2023
🇴🇲 Oman | NCSI | RD 6/2022
🇲🇦 Morocco | CNDP | Law 09-08
🇹🇳 Tunisia | INPDP | Law 2004-63
🇱🇧 Lebanon | MTI (pending DPA) | Law 81/2018

Request a Custom DPA

For clinics requiring a formally signed DPA or custom terms, contact: legal@3yadtk.com