Medicasimple Healthcare Technologies - Data Processing Addendum

Version: 1.0
Effective Date: 11 December 2025

This Data Processing Addendum ("DPA") forms part of the customer agreement governing use of the Medicasimple Services (the "Agreement") and applies where MEDICASIMPLE HEALTHCARE TECHNOLOGIES LIMITED processes Personal Data on behalf of a customer.

1. Parties

1.1 Customer (Controller)
The legal entity that has entered into the Agreement with MEDICASIMPLE HEALTHCARE TECHNOLOGIES LIMITED ("Customer").

1.2 Processor
MEDICASIMPLE HEALTHCARE TECHNOLOGIES LIMITED (company no. 15485001) ("Medicasimple").

2. Definitions

2.1 UK GDPR Terms
Terms such as Personal Data, Processing, Controller, Processor, and Special Category Data have the meanings given in the UK GDPR.

2.2 Services
The Medicasimple software and related support/services provided under the Agreement.

2.3 Sub-processor
Any processor engaged by Medicasimple to process Personal Data on behalf of Customer.

3. Scope and Roles

3.1 Roles

• Customer: Controller
• Medicasimple: Processor

3.2 Processing Instructions
Medicasimple will process Personal Data only as necessary to provide the Services and in accordance with Customer's documented instructions, including as set out in this DPA and the Agreement.

4. Details of Processing (Article 28(3))

4.1 Subject matter
Provision of the Services (hosting, account administration, support, maintenance, service monitoring, and customer communications).

4.2 Duration
For the term of the Agreement, plus any period required for return/deletion under Clause 11.

4.3 Nature and purpose
Secure operation of the Services; user authentication; support and troubleshooting; service monitoring; billing and account management; security and fraud prevention.

4.4 Categories of data subjects
Customer staff; clinic staff; authorised users; end-users/patients where applicable.

4.5 Categories of Personal Data
Identification/contact data; account data; authentication data; usage logs; audit logs; support tickets; uploaded files/documents/images; and other data entered into the Services by Customer.

4.6 Special Category Data
The Services may process health data and other Special Category Data depending on Customer's use. Customer is responsible for ensuring a valid lawful basis and Article 9 condition.

5. Medicasimple Obligations

Medicasimple shall:

• (a) Processing instructions: Process Personal Data only on documented instructions from Customer (including as necessary to provide the Services)
• (b) Confidentiality: Ensure persons authorised to process Personal Data are subject to confidentiality obligations
• (c) Security measures: Implement appropriate technical and organisational measures (see Annex 1)
• (d) Data subject requests: Assist Customer, taking into account the nature of processing, with responding to data subject requests (Clause 8)
• (e) Security assistance: Assist Customer with security, breach notifications, DPIAs and consultations with the ICO where required (Clauses 9–10)
• (f) Compliance demonstration: Make available information necessary to demonstrate compliance with this DPA and allow audits in accordance with Clause 12
• (g) Unlawful instructions: Notify Customer if Medicasimple believes an instruction infringes the UK GDPR (unless prohibited by law)

6. Customer Obligations

6.1 Lawful Basis
Customer shall ensure it has all rights, notices, consents (if required), and lawful bases required to provide Personal Data to Medicasimple for processing.

6.2 Service Configuration
Customer is responsible for configuring the Services and user permissions appropriately.

7. Sub-processors

7.1 Authorisation
Customer authorises Medicasimple to engage Sub-processors listed in Annex 2.

7.2 Sub-processor Terms
Medicasimple shall ensure each Sub-processor is bound by written terms that are no less protective than this DPA regarding security, confidentiality and data protection.

7.3 Changes to Sub-processors

• Medicasimple will provide at least 30 days' prior notice of any intended changes to the Sub-processor list
• If Customer objects on reasonable data protection grounds, the parties will work in good faith to resolve the objection
• If unresolved, Customer may terminate the affected Service(s) as its sole remedy

8. Data Subject Requests

8.1 Notification
Medicasimple will, where legally permitted, promptly notify Customer if it receives a request from a data subject relating to Customer Personal Data.

8.2 Assistance
Medicasimple will provide reasonable assistance to Customer to fulfil such requests, to the extent Customer cannot do so through the Services' functionality.

9. Security

9.1 Implementation
Medicasimple will implement and maintain the security measures described in Annex 1.

9.2 Updates
Medicasimple may update Annex 1 from time to time, provided updates do not materially degrade the overall security of the Services.

10. Personal Data Breaches

10.1 Notification
Medicasimple will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

10.2 Information Provision
Medicasimple will provide information reasonably required for Customer to meet its breach notification obligations under UK GDPR.

11. Return and Deletion

11.1 Post-Termination
Upon termination or expiry of the Agreement, Medicasimple will:

• At Customer's choice and where available via the Services, enable export/return of Customer Personal Data
• Delete Customer Personal Data within 30 days of Customer's written request or account closure, unless retention is required by law

11.2 Backups/Logs Carve-out
Customer Personal Data may remain in encrypted backups and security logs for a limited period in accordance with Medicasimple's backup retention and security policies, provided such data is:

• Not actively processed
• Securely overwritten/deleted in the ordinary course

12. Audit and Compliance

12.1 Remote-First Audits
Audits will be remote-first and limited to information reasonably necessary to confirm compliance with this DPA, for example:

• Policies and procedures
• Security evidence packs
• Penetration test summaries
• Certifications/assurance reports where available

12.2 Frequency
Customer may conduct an audit no more than once per calendar year, unless a material breach or Personal Data Breach requires additional verification.

12.3 On-site Audits
On-site audits are permitted only where:

• Remote evidence is insufficient to address a material concern
• Subject to reasonable notice and confidentiality

13. International Transfers (UK IDTA)

13.1 Transfer Authorisation
Customer authorises Medicasimple to transfer Personal Data internationally as necessary to provide the Services, including to Sub-processors located outside the UK.

13.2 Transfer Mechanism
Where required for international transfers, the parties agree that the UK IDTA (Annex 3) or an equivalent lawful transfer mechanism will apply.

13.3 Transfer Risk Assessment
Medicasimple will maintain a transfer risk assessment for such transfers and will provide a summary upon reasonable request.

14. Liability

14.1 Liability Provisions
Liability under this DPA will follow the liability provisions in the Agreement, unless applicable law requires otherwise.

14.2 Non-excludable Liability
Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.

15. Order of Precedence

15.1 Conflict Resolution
If there is any conflict between this DPA and the Agreement regarding processing of Personal Data, this DPA will prevail.

16. Contact

Privacy Contact: security@medicasimple.com

ANNEX 1 – SECURITY MEASURES (SUMMARY)

Access control

• MFA/SSO (where available), least privilege, role-based access, periodic access reviews

Encryption

• TLS in transit; encryption at rest for supported stores

Endpoint security for admin access

• Managed devices, disk encryption, patching

Monitoring

• Centralised logging and alerting

Backups & recovery

• Encrypted backups; periodic restore testing

Vulnerability management

• Regular scanning and remediation process; periodic external testing where appropriate

Incident response

• Documented playbooks; breach notification process

Training

• Staff security and data protection training

ANNEX 2 – APPROVED SUB-PROCESSORS

Initial list, subject to change notice under Clause 7

Google Cloud EMEA Limited

• Service: Hosting/infrastructure
• Location: UK

Amazon Web Services EMEA SARL

• Service: Hosting/infrastructure (if used)
• Location: UK region

Atlassian (Jira/Bitbucket)

• Service: Issue tracking and source control
• Location: EU/Global

Sentry

• Service: Error monitoring
• Location: EU/Global

Intercom

• Service: In-app support and messaging
• Location: EU/Global

Mixpanel

• Service: Product analytics (if enabled/configured)
• Location: EU/Global

Klaviyo

• Service: Transactional/marketing email (if enabled/configured)
• Location: EU/Global

HubSpot

• Service: Marketing automation/CRM activities (if enabled/configured)
• Location: EU/Global

Make

• Service: Workflow automation/integration platform (if enabled/configured)
• Location: EU/Global

Medicasimple Sağlık Teknolojileri A.Ş.

• Service: Engineering/support/operations assistance under Medicasimple's instructions
• Location: Türkiye

ANNEX 3 – UK INTERNATIONAL DATA TRANSFER AGREEMENT (IDTA)

The parties agree that where Personal Data is transferred from the UK to a country not covered by UK adequacy regulations, the transfer will be governed by the UK International Data Transfer Agreement (UK IDTA) on the following terms:

Exporter (Controller)
Customer

Importer (Processor)
MEDICASIMPLE HEALTHCARE TECHNOLOGIES LIMITED (UK)

Non-UK recipient(s) (Sub-processor(s))
Any Sub-processor located outside the UK as listed/updated under Annex 2

Transfer purpose
Provision of the Services

Data
As described in Clause 4 (including possible health data depending on Customer use)

Frequency
Continuous/as needed

Security measures
Annex 1

Transfer Risk Assessment
Maintained by Medicasimple (summary available on request)

‍