
DATA PROCESSING AGREEMENT

This Data Processing Agreement forms part of the Service Level Contract (“Principal Agreement”).

This Data Processing Agreement is made this ______ day of ______.

MEDXVERSE TELEMEDICINE AND VIRTUAL CARE LIMITED, a company incorporated under the laws of the Federal Republic of Nigeria with its principal office at ______________________________________ (hereinafter referred to as the “Controller”).

AND

_______________________________ of ________________________ and / or a company incorporated under the laws of the Federal Republic of Nigeria with its principal office at ___________________________ (hereinafter referred to as the “Processor”).

The Controller and Processor may be referred to individually as a “Party” and collectively as the “Parties.”

1. Purpose

MedxVerse Telemedicine and Virtual Care Limited acts as a Data Controller and engages the Processor to deliver certain services that involve the processing of personal data.

This Agreement ensures compliance with the Nigeria Data Protection Act (NDPA) 2023 and other relevant data protection laws and regulations.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on Personal Data including collection, storage, use, disclosure or deletion.

Controller: MedxVerse Telemedicine and Virtual Care Limited.

Processor: Entity processing Personal Data on behalf of the Controller.

Sub-processor: A third party engaged by the Processor to process Personal Data.

Personal Data Breach: Security incident leading to accidental or unlawful destruction, loss, alteration, disclosure, or access to Personal Data.

3. Processing of Personal Data

The Processor shall:

  • Process Personal Data only on documented instructions from MedxVerse Telemedicine and Virtual Care Limited.
  • Ensure Processing is limited to the scope, nature and purpose defined in the Principal Agreement and the 1st Schedule.
  • Immediately inform MedxVerse if any instruction infringes Data Protection Laws.
  • Ensure authorized persons processing Personal Data are bound by confidentiality obligations.

4. Security of Processing

The Processor shall implement appropriate technical and organizational security measures including:

  • Encryption and pseudonymization of Personal Data.
  • Role-based access controls and multi-factor authentication.
  • Regular vulnerability testing and patching.
  • Secure backup and recovery procedures.
  • Data minimization and secure disposal methods.
  • Logging and monitoring of Personal Data access.

Security measures shall be regularly reviewed in accordance with NDPA Section 39.

5. Subprocessors

  • The Processor shall not engage a Subprocessor without prior written consent from MedxVerse.
  • Approved Subprocessors must sign agreements with the same data protection obligations.
  • The Processor remains fully liable for Subprocessor actions.

6. Data Subject Rights

The Processor shall assist MedxVerse in fulfilling Data Subject rights under NDPA Sections 34-40:

  • Access, rectification and erasure.
  • Restriction and objection to processing.
  • Data portability.
  • Withdrawal of consent.

The Processor shall not respond directly to Data Subjects unless authorized by MedxVerse or required by law.

7. Personal Data Breach

In the event of a Personal Data Breach, the Processor shall notify MedxVerse within 48 hours.

  • Nature and scope of the breach
  • Categories and number of Data Subjects affected
  • Likely consequences
  • Measures taken to address the breach

8. Data Protection Impact Assessments

Where MedxVerse is required to conduct a DPIA under NDPA Section 28, the Processor shall provide necessary information and assistance.

9. Retention, Return & Deletion

Upon termination of services or written instruction from MedxVerse:

  • Return all Personal Data in a structured, commonly used format.
  • Securely delete all Personal Data including backups unless retention is legally required.

10. Audit & Compliance

MedxVerse may audit the Processor’s compliance directly or via an independent third party with reasonable notice.

11. International Data Transfers

The Processor shall not transfer Personal Data outside Nigeria without prior written consent from MedxVerse and must rely on lawful safeguards.

12. Confidentiality

Both parties shall keep confidential information secure and shall not disclose it without written consent, except where required by law.

13. Notices

All notices must be in writing and sent by email or registered post.

Controller Email: __________________

Processor Email: __________________

14. Governing Law

This Agreement shall be governed by the laws of the Federal Republic of Nigeria.

15. Dispute Resolution

Disputes shall first be resolved amicably. If unresolved, disputes will proceed to arbitration under the Arbitration and Conciliation Act 2023, and finally litigation in Lagos, Nigeria.

16. Force Majeure

Neither party shall be liable for delays caused by events beyond reasonable control including natural disasters, pandemics, cyber-attacks or government restrictions.

17. Entire Agreement

This Agreement, including its Schedules, constitutes the entire understanding between the Parties and supersedes all prior agreements relating to its subject matter.

Execution

IN WITNESS WHEREOF, the parties have hereunto executed this Data Processing Agreement in the manner below, the day and year first above written.

The common seal of the within-named CONTROLLER MEDXVERSE TELEMEDICINE AND VIRTUAL CARE LIMITED was hereunto duly affixed to this Agreement in the presence of:

__________________________

Director

__________________________

Director

SIGNED, SEALED AND DELIVERED by the within-named PROCESSOR

__________________________

In the presence of:

Name: ____________________________________

Address: __________________________________

Occupation: _______________________________

Date: _____________________________________

Signature: _________________________________

1st Schedule – Details of Processing

Categories of Data Subjects

  • Patients
  • Healthcare providers (doctors, nurses, consultants)
  • Platform users (administrators, partners, vendors)

Types of Personal Data

  • Identification data (name, gender, date of birth, address, contact details)
  • Medical / health data (symptoms, prescriptions, medical history, test results)
  • Financial / billing data (payment details, transaction records)
  • Technical data (IP address, device ID, cookies, usage logs)

Purposes of Processing

  • Delivery of telemedicine and health technology services
  • Identity verification and account management
  • Secure storage and transmission of medical records
  • Payment processing and fraud prevention
  • Customer support and service improvement

Duration of Processing

For the duration of the Principal Agreement unless otherwise required by law.

2nd Schedule – Technical and Organisational Measures

The Processor shall implement the following security measures to ensure protection of Personal Data in compliance with NDPA Section 39.

1. Organizational Measures

  • Appointment of a Data Protection Officer (DPO)
  • Regular staff training on data protection and incident response
  • Role-based access control and least-privilege access
  • Vendor due diligence and contractual safeguards

2. Technical Measures

  • Encryption in transit (TLS / SSL) and at rest (AES-256)
  • Pseudonymisation or anonymisation of sensitive data where possible
  • Firewalls and intrusion detection systems
  • Secure VPN for remote access
  • Endpoint security and device encryption

3. Data Integrity & Availability

  • Encrypted backups with regular recovery testing
  • Business continuity and disaster recovery planning
  • Data minimisation practices

4. Monitoring & Logging

  • Audit logs of access to Personal Data
  • Continuous monitoring for unusual activity
  • Regular vulnerability assessments and penetration testing

5. Incident Response

Breach Notification Process: Internal escalation procedures ensuring notification to MedxVerse within 48 hours of detection.

Forensics & Remediation: Immediate containment, investigation, and corrective action in case of Personal Data Breach.

IN WITNESS WHEREOF, the parties have hereunto executed this Data Protection Agreement in the manner below, the day and year first above written.

The common seal of the within-named “CONTROLLER” MEDXVERSE TELEMEDICINE AND VIRTUAL CARE LIMITED was hereunto duly affixed to this Agreement, in the presence of:

__________________________

Director

__________________________

Director

SIGNED, SEALED AND DELIVERED by the within-named “PROCESSOR”

______________________________________

In the presence of:

Name: ____________________________________

Address: __________________________________

Occupation: ________________________________

Date: _____________________________________

Signature: _________________________________