Data Processing Agreement
Effective Date: December 2024 | Last Updated: December 2024
This Data Processing Agreement ("DPA") governs the processing of personal data in professional-client relationships facilitated through Swasth, in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA).
1. Definitions
- "Data Principal" means the individual (client/patient) whose personal data is being processed.
- "Data Fiduciary" means Laxhar Tech Private Limited, which determines the purposes and means of processing.
- "Data Processor" means healthcare professionals who process data on behalf of clients.
- "Personal Data" means any data about an individual who is identifiable from that data.
- "Sensitive Personal Data" means health data, biometric data, genetic data, and other categories specified under DPDPA.
2. Roles and Responsibilities
2.1 Laxhar Tech (Platform Provider)
As the platform provider, Laxhar Tech:
- Acts as Data Fiduciary for user account data and platform operations
- Provides the technical infrastructure for data processing
- Implements security measures to protect personal data
- Facilitates consent management and privacy controls
2.2 Healthcare Professionals (Data Processors)
Professionals accessing client data:
- Act as Data Processors for client health data
- Process data only for authorized professional purposes
- Maintain confidentiality and security of accessed data
- Comply with professional data protection obligations
2.3 Clients (Data Principals)
Clients retain control over their personal data:
- Grant or withdraw consent for data sharing
- Control which data categories professionals can access
- Exercise rights under DPDPA
3. Lawful Basis for Processing
Personal data is processed based on:
- Consent: Explicit consent for sensitive health data sharing
- Contractual Necessity: Processing needed to provide professional services
- Legitimate Interests: Professional record-keeping and service improvement
- Legal Obligation: Compliance with healthcare regulations
4. Data Processing Scope
4.1 Categories of Data Processed
Subject to client consent, professionals may access:
| Data Category | Examples | Default Sharing |
|---|---|---|
| Health Profile | BMI, weight goals, dietary preferences | Enabled |
| Weight Logs | Weight measurements, body composition | Enabled |
| Nutrition Logs | Meals, calories, macronutrients | Enabled |
| Meal Plans | Meal templates, dietary schedules | Enabled |
| Workout Logs | Exercises, duration, calories burned | Enabled |
| Fitness Data | Exercise library, workout templates | Enabled |
| Medical Data | Conditions, medications, vitals | Disabled (Opt-in) |
4.2 Purpose Limitation
Professionals may process client data only for:
- Providing professional healthcare/wellness services
- Creating personalized health plans and recommendations
- Monitoring client progress and health outcomes
- Professional record-keeping and documentation
- Communication related to professional services
4.3 Prohibited Processing
Professionals must NOT:
- Process data for purposes beyond the professional relationship
- Share client data with unauthorized third parties
- Use client data for marketing without explicit consent
- Retain data beyond professional necessity
- Access data after relationship termination
5. Consent Management
5.1 Obtaining Consent
Consent for data sharing is obtained through:
- Initial relationship acceptance by client
- Privacy settings configuration in client dashboard
- Specific consent for sensitive data categories
5.2 Withdrawing Consent
Clients may withdraw consent at any time by:
- Disabling specific data sharing categories
- Ending the professional relationship
- Requesting data deletion
Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
6. Security Measures
6.1 Technical Measures
We implement:
- End-to-end encryption for professional-client messages
- Access controls based on relationship status
- Audit logging of data access
- Secure data transmission (HTTPS/TLS)
- Encrypted storage for sensitive documents
6.2 Professional Obligations
Professionals must:
- Use secure devices and networks for accessing client data
- Not share login credentials
- Log out after sessions
- Report suspected security breaches immediately
7. Data Subject Rights
Under DPDPA 2023, clients (Data Principals) have the right to:
- Access: Request information about data processing
- Correction: Request correction of inaccurate data
- Erasure: Request deletion of personal data
- Portability: Receive data in portable format
- Grievance Redressal: File complaints about data handling
Professionals must cooperate with requests to exercise these rights.
8. Data Retention
8.1 During Relationship
Data is retained while the professional relationship is active, and is accessible to the professional according to the client's consent settings.
8.2 After Termination
Upon relationship termination:
- Professional access to shared data is revoked immediately
- Professional notes may be retained per legal requirements
- Client data remains with the client's account
8.3 Professional Record-Keeping
Professionals may retain necessary records as required by professional regulations, separate from platform data access.
9. Data Breach Procedures
9.1 Notification
In case of a data breach affecting client data:
- Laxhar Tech will notify affected users within 72 hours
- Professionals must report suspected breaches immediately
- Notifications will include nature of breach, data affected, and mitigation steps
9.2 Cooperation
Professionals must cooperate with breach investigations and implement remediation measures as directed.
10. Subprocessors
Laxhar Tech uses subprocessors for platform operations (cloud hosting, etc.). A list of subprocessors is available upon request. Significant changes to subprocessors will be notified in advance.
11. International Transfers
If personal data is transferred outside India, appropriate safeguards will be implemented as required by DPDPA, including adequacy decisions or standard contractual clauses.
12. Audit Rights
Upon reasonable notice, Laxhar Tech may audit professional compliance with this DPA. Professionals agree to cooperate with such audits.
13. Liability
13.1 Professional Liability
Professionals are liable for data processing violations, unauthorized access, or misuse of client data within their control.
13.2 Platform Liability
Laxhar Tech is liable for platform security measures and compliance with its Data Fiduciary obligations.
14. Term and Termination
This DPA is effective while the professional maintains an active profile. It survives termination for obligations related to previously processed data.
15. Amendments
We may amend this DPA with 30 days' notice. Continued use of professional features constitutes acceptance.
16. Contact
For DPA-related inquiries:
- Data Protection Officer: [email protected]
- Privacy Team: [email protected]