Legal

Data Processing Agreement

Last Updated: May 2026

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between HebaAI ("Data Processor") and the Clinic/Pharmacy using our services ("Data Controller").

1. Definitions

  • Data Controller: The healthcare entity (Client) that determines the purposes and means of processing Personal Data.
  • Data Processor: HebaAI, acting on behalf of the Data Controller to process Personal Data.
  • Personal Data: Any information relating to an identified or identifiable natural person (patients).

2. Processing of Personal Data

The Data Processor shall process Personal Data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by the laws of Trinidad and Tobago.

The nature of operations involves automated appointment booking, AI-assisted triage and response routing, and secure document access via patient portals.

3. Data Controller Obligations

The Data Controller is solely responsible for ensuring that it has a valid legal basis to process the Personal Data of its patients and that patients have been adequately informed about the use of third-party platforms like HebaAI to facilitate their care.

4. Security Measures

The Data Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, secure access controls, and regular vulnerability assessments.

5. Sub-processors

The Data Controller grants the Data Processor general authorization to engage sub-processors (such as cloud hosting providers and messaging gateways like WhatsApp/Meta). The Data Processor will ensure that any sub-processor is bound by data protection obligations materially similar to those in this DPA.

6. Data Breach Notification

In the event of a Personal Data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of it, providing sufficient information to allow the Data Controller to meet any obligations to report the breach to authorities or affected individuals.

7. Return or Deletion of Data

Upon termination of the Service, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and delete existing copies unless law requires storage of the Personal Data.

8. Governing Law

This DPA is governed by the laws of Trinidad and Tobago.
