Parties
This Data Processing Addendum (“DPA”) is entered into between The Clinic FZ-LLC (“Processor”) and the customer identified in the applicable Order Form or online sign-up (“Controller”). It forms part of the Terms of Service or Master Subscription Agreement (the “Agreement”) between the parties and governs the processing of Personal Data by Processor on Controller's behalf in connection with the Services.
Definitions
Capitalized terms not defined here have the meanings given in the Agreement or in applicable Data Protection Law. For this DPA:
- Data Protection Law means the EU General Data Protection Regulation (Regulation 2016/679), the UK GDPR, the UAE Federal Decree-Law No. 45 of 2021, the KSA Personal Data Protection Law, and other applicable laws governing the processing of Personal Data.
- Personal Data means data relating to an identified or identifiable natural person processed by Processor on behalf of Controller under the Agreement.
- Subprocessor means any third party engaged by Processor to process Personal Data in the course of providing the Services.
Subject Matter and Duration
The subject matter of the processing is the provision of the Services as described in the Agreement. The duration of processing is the term of the Agreement, plus any period reasonably required for return or deletion of Personal Data. The nature and purpose of processing, the types of Personal Data, and the categories of data subjects are set out in Annex A of this DPA.
Processor Obligations
The Processor will:
- Process Personal Data only on documented instructions from Controller, including instructions given through Controller's use of the Services, unless required to do so by applicable law, in which case Processor will inform Controller of that legal requirement before processing unless the law prohibits such notice;
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations;
- Implement and maintain the technical and organizational measures described in Annex B;
- Assist Controller in responding to data-subject requests and fulfilling its obligations under Articles 32 to 36 GDPR and equivalent provisions of other Data Protection Law;
- Make available information necessary to demonstrate compliance with this DPA.
Subprocessors
Controller provides general authorization for Processor to engage Subprocessors, subject to the following: (i) Processor maintains a current list of Subprocessors available at theclinic.com/legal/subprocessors; (ii) Processor will provide at least thirty (30) days' notice of any intended addition or replacement of a Subprocessor; (iii) each Subprocessor is bound by written terms no less protective than this DPA; and (iv) Controller may object to a new Subprocessor on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection.
International Transfers
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses (Commission Decision 2021/914) are incorporated by reference, with Module Two (Controller to Processor) or Module Three (Processor to Processor) applying as appropriate. The UK International Data Transfer Addendum applies to transfers originating in the UK. For transfers from the United Arab Emirates and the Kingdom of Saudi Arabia, Processor implements the safeguards recognized by the UAE Data Office and the Saudi Data & AI Authority (SDAIA), respectively.
Security Measures
Processor maintains an information-security program certified to ISO/IEC 27001 and independently examined under SOC 2 Type II. Controls include:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256);
- Role-based access controls and least-privilege enforcement;
- Network segmentation and intrusion-detection monitoring;
- Quarterly vulnerability scans and annual third-party penetration tests;
- Secure software-development lifecycle, including code review and dependency scanning;
- Documented business-continuity and disaster-recovery plans, tested at least annually;
- Security-awareness training for all personnel on hire and annually thereafter.
Data Subject Requests
Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organizational measures in fulfilling Controller's obligation to respond to requests for exercising data-subject rights under Data Protection Law. Where Processor receives a request directly from a data subject, it will forward the request to Controller without undue delay and will not respond substantively unless directed to do so.
Personal Data Breach Notification
Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data. The notification will include, to the extent known at the time, a description of the nature of the breach, the categories and approximate numbers of affected data subjects and records, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects; where this information is not all available at once, Processor will provide it in phases without undue further delay.
Audits
Processor will make available to Controller its most recent SOC 2 Type II report, ISO/IEC 27001 certificate, and summary penetration-test results once per year. Controller may request an additional audit no more than once in any twelve (12)-month period (unless required by a regulator), on thirty (30) days' notice, during business hours, subject to reasonable confidentiality obligations and without disrupting Processor's operations. Audit costs are borne by Controller, except where the audit reveals material non-compliance.
Return and Deletion
On termination of the Agreement, Processor will, at Controller's election, return or delete all Personal Data, and will delete existing copies within ninety (90) days, except where retention is required by applicable law. Backups are purged in accordance with Processor's standard disaster-recovery schedule.
Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. The parties agree that any reference to the liability of a party in this DPA means aggregate liability of all entities within that party's group.
Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.
Contact
Data-protection notices and requests under this DPA should be sent to dpo@theclinic.com.