Clinic-MediFlow Data Processing Agreement
The agreement required by Section 14 of RA 10173 that governs MediFlow's processing of patient personal information on behalf of subscriber clinics.
This Data Processing Agreement ("DPA") is entered into between:
(1) The Clinic identified in the Clinic Account at the time of execution (the "Clinic" or "PIC"); and
(2) MediFlow Medical Services, a Philippine sole proprietorship registered with the Department of Trade and Industry under Business Name Registration No. 8059068, with its data-protection contact at dpo@mediflow.ph (the "Processor", "MediFlow", or "PIP").
The Clinic and MediFlow are referred to individually as a "Party" and together as the "Parties".
This DPA forms part of the agreement between the Parties (the "Service Agreement") and governs MediFlow's processing of Personal Information on behalf of the Clinic in connection with the MediFlow platform (the "Service"). Where the Service Agreement and this DPA conflict on the handling of Personal Information, this DPA controls. This DPA is required by Section 14 of Republic Act No. 10173 (the "Data Privacy Act" or "DPA Law") and is read with NPC Circular 2022-04, NPC Circular 16-03, NPC Advisory No. 2017-01, NPC Advisory No. 2021-01, and NPC Advisory No. 2022-02.
By executing the Service Agreement, by clicking to accept this DPA in the Clinic Account, or by using the Service to record patient or other Personal Information, the Clinic accepts and is bound by this DPA.
1. Definitions
Capitalised terms not defined here have the meaning given in the Data Privacy Act.
"Personal Information" means any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, as defined in Section 3(g) of the Data Privacy Act.
"Sensitive Personal Information" or "SPI" has the meaning in Section 3(l) of the Data Privacy Act, including health and medical information.
"Personal Data Breach" has the meaning in NPC Circular 16-03.
"Sub-processor" means a third party engaged by MediFlow to assist in processing Personal Information on behalf of the Clinic.
"Personnel" means MediFlow's employees, officers, contractors, and agents who have access to Personal Information.
"Data Subject" means an individual to whom Personal Information relates, including patients of the Clinic.
"Clinic User" means a natural person the Clinic has authorised to access the Clinic Account, including clinicians, nurses, receptionists, and billing staff.
"Documented Instructions" means the instructions the Clinic gives MediFlow in this DPA, the Service Agreement, the documented configuration of the Clinic Account, and any written instruction the Clinic sends through dpo@mediflow.ph or another agreed channel.
"Service" has the meaning in the Service Agreement and includes the MediFlow web application, the iOS application, the API, and the supporting infrastructure.
2. Roles, scope, and duration
Roles. With respect to Personal Information that the Clinic or its Clinic Users record into the Service, the Clinic acts as Personal Information Controller ("PIC") and MediFlow acts as Personal Information Processor ("PIP"). MediFlow processes Personal Information only on the Clinic's Documented Instructions and only for the purposes set out in Annex A.
For four data processing systems (audit logs, transactional email, file attachments and the CDN, and the real-time channel system), MediFlow's role is hybrid (PIP for the Clinic-instructed flow and PIC for MediFlow's own platform-operations flow, including security monitoring and statutory record-keeping). The hybrid split is described in Annex A and in MediFlow's Privacy Manual Chapter 15.
Subject matter. Processing of Personal Information for the operation of the Service: patient registration, clinical documentation, prescriptions, lab and imaging orders, appointments and queues, file attachments, and related operational activities.
Duration. This DPA remains in force for so long as MediFlow processes Personal Information on the Clinic's behalf, and survives the termination of the Service Agreement to the extent necessary for return or deletion under Section 12.
Categories of Data Subjects, Personal Information, and Sensitive Personal Information are set out in Annex A.
3. MediFlow obligations under Section 14, RA 10173
MediFlow shall:
(a) Process only on Documented Instructions. Process Personal Information only on the Clinic's Documented Instructions, including transfers to a third country, unless required by Philippine law to do otherwise. If MediFlow is required by law to act outside the Clinic's Documented Instructions, MediFlow will inform the Clinic of that legal requirement before processing, unless the law prohibits the notice on important grounds of public interest.
(b) Confidentiality. Ensure that Personnel authorised to process Personal Information are bound by a contractual or statutory obligation of confidentiality, are informed of the confidential nature of the data, and have completed privacy and security training.
(c) Security. Implement and maintain the organisational, physical, and technical security measures described in Annex C, in line with Sections 20 and 25 of the Data Privacy Act and NPC Circular 16-01.
(d) Sub-processors. Engage Sub-processors only in accordance with Section 4 below.
(e) Assistance with data-subject rights. Assist the Clinic, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling the Clinic's obligation to respond to requests for access, correction, deletion, blocking, portability, and objection from Data Subjects, on the timelines in Section 7 below and in NPC Advisory No. 2021-01.
(f) Assistance with Personal Data Breach. Notify the Clinic without undue delay and in any case within twenty-four (24) hours of becoming aware of a Personal Data Breach affecting the Clinic's data; assist the Clinic in meeting its 72-hour obligation to the National Privacy Commission ("NPC") and to affected Data Subjects under NPC Circular 16-03; and cooperate with the Clinic on investigation, containment, mitigation, and reporting.
(g) DPIA assistance. Provide reasonable assistance to the Clinic with Privacy Impact Assessments and prior consultations with the NPC where required, taking into account the information available to MediFlow.
(h) Return or deletion. At the Clinic's choice, return or delete Personal Information at the end of the provision of the Service, in line with Section 12 below.
(i) Compliance evidence. Make available to the Clinic, on reasonable written request, the information needed to demonstrate compliance with this DPA, including the audit and inspection rights in Section 11.
(j) Inform on instruction conflict. Inform the Clinic immediately if, in MediFlow's opinion, an instruction infringes the Data Privacy Act, its Implementing Rules, or the issuances of the NPC.
4. Sub-processors
General authorisation. The Clinic gives MediFlow general written authorisation to engage Sub-processors for the operation of the Service, subject to this Section 4.
Approved Sub-processors at the effective date. The list of approved Sub-processors and their function is set out in Annex B. MediFlow has executed a written DPA with each approved Sub-processor that imposes data-protection obligations no less protective than those in this DPA.
Changes. MediFlow will give the Clinic at least thirty (30) days' notice through the Service or by email before adding or replacing a Sub-processor that handles Personal Information. The Clinic may object on reasonable data-protection grounds within that 30-day period. If the Parties cannot agree on a resolution, the Clinic may terminate the affected portion of the Service Agreement, with a pro-rated refund of pre-paid fees for the unused term.
Liability. MediFlow remains responsible to the Clinic for the acts and omissions of its Sub-processors as if they were its own.
5. Personnel
MediFlow shall:
- (a) limit access to Personal Information to Personnel with a documented business need, on least-privilege terms;
- (b) require Personnel to be bound by a written confidentiality undertaking;
- (c) require Personnel to complete privacy and security awareness training before access is granted, and refresh the training at least annually;
- (d) revoke access promptly on a change of role or end of engagement; and
- (e) maintain records of who has had production access, when, and for what purpose.
6. Cross-border transfer
MediFlow processes Personal Information primarily in the Republic of Singapore, on Vultr Holdings Corporation's infrastructure, under Vultr's Data Processing Addendum, which contains contractual data-protection clauses addressing the cross-border transfer requirements of RA 10173 and of the equivalent overseas regimes. Two flows leave Singapore:
(a) Transactional email is processed by Resend (United States) for the events identified in Annex A. Where the Clinic instructs MediFlow to send a clinical notification, the recipient address, subject, and body of the email pass through Resend.
(b) DNS, TLS termination, and edge mitigation are provided by Cloudflare, Inc. (global edge). Because TLS terminates at the Cloudflare edge, application traffic passes through Cloudflare in decrypted form in transit, together with request metadata; Cloudflare does not store decrypted clinical content.
Each transfer is covered by a written DPA with the Sub-processor that contains data-protection clauses no less protective than those in this DPA. The Clinic may opt out of the Resend flow on written request to dpo@mediflow.ph; MediFlow will configure the Clinic Account on a Philippine-only mail path, with the operational trade-offs documented in the Privacy Policy.
7. Data subject rights
The Clinic remains responsible for fulfilling Data Subject requests under Sections 16, 17, 18, and 34 of the Data Privacy Act. MediFlow shall assist the Clinic by:
- (a) providing access, correction, deletion, blocking, portability, and objection mechanisms in the Service;
- (b) responding to a request that a Data Subject sends directly to MediFlow by routing it to the Clinic and notifying the Clinic within 2 business days, and by acting on the Clinic's resulting instruction within 15 calendar days of receiving it (NPC Advisory No. 2021-01);
- (c) executing a verified erasure request within 5 business days at the soft-delete stage, 30 calendar days at the hard-delete stage, and 90 calendar days at the backup-purge stage, subject to any applicable statutory retention floor (Section 9 below);
- (d) maintaining a Data Subject Rights Register for at least 3 years and making the Clinic's entries available on request.
8. Personal Data Breach
Notification to the Clinic. MediFlow shall notify the Clinic without undue delay and in any case within twenty-four (24) hours of becoming aware of a Personal Data Breach affecting the Clinic's Personal Information. The notice will include, to the extent then known: the nature of the breach, the categories and approximate number of affected Data Subjects and records, the categories of Personal Information involved, the likely consequences, the measures taken or proposed, and the contact details of the MediFlow incident lead.
Cooperation. MediFlow shall cooperate with the Clinic in containment, investigation, mitigation, and notification, including the Clinic's notifications to the NPC and to affected Data Subjects under NPC Circular 16-03 within seventy-two (72) hours of the Clinic's discovery.
Breach Register. MediFlow maintains a Breach Register under NPC Circular 16-03 §20 for at least 5 years and provides the Clinic's entries on a verified request.
No public statement on the Clinic. MediFlow will not name the Clinic in any public statement about a breach without the Clinic's prior written consent, except where the law requires the disclosure.
9. Retention and deletion
Active retention. Personal Information is retained for the duration of the Clinic's active subscription.
Grace window. On termination of the subscription, a 60-calendar-day grace window applies, during which the Clinic may export records.
Hard-delete. Hard-deletion from production follows the grace window, with backup purge inside the 90-calendar-day backup rotation.
Statutory floors. Statutory retention floors override the schedule where applicable, including:
| Record class | Floor | Source |
|---|---|---|
| Prescription records referencing PDEA-scheduled controlled substances | 2 years from issuance | RA 9165 |
| Subscription invoices and BIR-registered receipts | 10 years | NIRC §235 |
| Transactional-email delivery proofs linked to BIR receipts | 10 years | NIRC §235 |
| PDF receipts in the CDN / attachment store | 10 years | NIRC §235 |
| Audit logs (security-audit floor) | 365 days minimum | NPC Circular 16-01 |
| Audit-log entries linked to BIR-receipt or PDEA records | The longer of the upstream floor and the audit-log floor | NIRC §235 / RA 9165 |
| Breach Register | 5 years | NPC Circular 16-03 §20 |
The Clinic acknowledges these floors and instructs MediFlow to enforce them, including over a Data Subject erasure request, where the law requires it.
10. Security measures
MediFlow shall implement and maintain the security measures in Annex C. The measures are reviewed at least annually and after any material incident or change. The Clinic acknowledges that the measures are appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing.
11. Audit and inspection
The Clinic may, on reasonable prior written notice (no less than thirty (30) days, except in the case of a confirmed Personal Data Breach), and no more than once in any twelve-month period (or more often where the NPC requires it):
- (a) request MediFlow's most recent audit reports, sub-processor DPAs, certifications, and Privacy Manual chapters relevant to the Clinic's data;
- (b) submit a reasonable written questionnaire that MediFlow shall respond to within thirty (30) days;
- (c) where the documents and questionnaire response are insufficient to verify compliance, conduct an on-site or remote audit, at the Clinic's cost, by a qualified independent auditor mutually agreed in writing, subject to MediFlow's confidentiality, security, and operational-continuity requirements.
The Clinic shall not disrupt the Service or access or interfere with the data of other clinic clients, shall keep audit findings confidential, and shall give MediFlow a reasonable opportunity to cure any finding before disclosing it to a regulator, except where the law requires immediate disclosure.
The audit right does not entitle the Clinic to MediFlow's source code, the data of other clients, or commercial information not relevant to compliance with this DPA.
12. Return and deletion at end of provision
On termination or expiry of the Service Agreement, the Clinic shall, within the 60-calendar-day grace window, export its Personal Information through the Service or notify MediFlow in writing whether it requires return or deletion. Absent a written instruction, MediFlow will delete in line with Section 9.
MediFlow shall delete existing copies after return, except to the extent retention is required by Philippine law (Section 9). On request, MediFlow will provide a written confirmation of deletion.
13. Liability and indemnity
The liability of each Party under or in connection with this DPA is governed by the limitation-of-liability clause in the Service Agreement. Where the Service Agreement is silent on a question this DPA addresses, the Clinic acknowledges that MediFlow's aggregate liability under or in connection with this DPA is limited to the fees paid by the Clinic in the twelve months immediately preceding the event giving rise to the claim, except for liability that the law does not allow to be limited.
The Clinic indemnifies MediFlow against third-party claims, regulatory penalties, and reasonable defence costs arising from (i) the Clinic's failure to obtain a valid legal basis for processing under the Data Privacy Act, (ii) inaccurate or unlawful Personal Information the Clinic uploaded, (iii) breach of the Clinic's obligations under this DPA, or (iv) the Clinic's instructions to MediFlow that infringe the Data Privacy Act.
MediFlow indemnifies the Clinic against third-party claims, regulatory penalties, and reasonable defence costs arising from MediFlow's breach of its Section 14 RA 10173 obligations under this DPA.
14. Term, termination, and survival
This DPA enters into force on the effective date and remains in force for as long as MediFlow processes Personal Information on the Clinic's behalf. Sections 8, 9, 11, 12, 13, 14, and 15, together with Annex A and Annex C, survive termination to the extent necessary.
15. Governing law and venue
This DPA is governed by the laws of the Republic of the Philippines. Any dispute arising out of or in connection with this DPA shall be referred first to the Parties' respective Data Protection Officers for good-faith resolution within thirty (30) days. Disputes that remain unresolved shall be brought in the proper courts of Nueva Ecija, Philippines, to which the Parties consent. Nothing in this section limits the Clinic's or any Data Subject's right to lodge a complaint with the National Privacy Commission.
16. Notices
Notices under this DPA are sent to:
For the Clinic: the email of the Clinic Owner and the Data-Protection Contact recorded in the Clinic Account.
For MediFlow: Data Protection Officer, dpo@mediflow.ph; copy to help@mediflow.ph.
A notice is effective on receipt during business hours on a business day in the Philippines, or on the next business day if received outside that window.
17. Entire agreement and amendment
This DPA, the Service Agreement, the Privacy Policy, and any signed addendum together form the entire agreement between the Parties on the subject. Amendments are made in writing, signed by both Parties, or by a clickwrap version that the Clinic Owner accepts inside the Clinic Account.
18. Order of precedence
If there is a conflict, the order is: (i) a separately signed master agreement, (ii) this DPA, (iii) the Service Agreement, (iv) the Privacy Policy, (v) the Documentation.
Annex A — Subject matter and details of processing
Purpose. The operation of the Service for the Clinic, including patient registration; clinical documentation in normal consultations and supported specialty encounters (general medicine, family medicine, pediatrics, OB-GYN, dentistry, with further specialty modules added by MediFlow from time to time); prescription writing; lab and imaging orders; appointment and queue management; file attachments; internal team messaging; PDF document generation; subscription billing; and security and audit operations.
Nature of processing. Collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure to authorised recipients, restriction, erasure, and destruction.
Categories of Data Subjects.
- (a) Patients of the Clinic, including adults and minors. For minors, the Clinic obtains parental or legal-guardian consent under NPC Advisory No. 2022-02.
- (b) Emergency contacts nominated by the patient or by a parent or legal guardian.
- (c) Clinic Users (clinicians, nurses, receptionists, billing staff, and other authorised roles).
- (d) Referring or referred clinicians whose information the Clinic records.
- (e) Lab or imaging staff whose information the Clinic records.
- (f) Billing contacts, support requesters, and other Clinic representatives who interact with MediFlow on the Clinic's behalf.
Categories of Personal Information.
Patient demographics (full name, date of birth, age, sex, civil status, residential address, contact details, emergency contact, parental or guardian consent metadata for minors); appointment and queue data; subscription billing contact details; Clinic User profile data (name, email, mobile, hashed password, role, professional licence references where the Clinic records them); support and feedback content; audit-log metadata.
Categories of Sensitive Personal Information.
Health and medical information generated by the clinical workflow: chief complaint, history of present illness, past medical history, family and social history, allergies, current and prior medications, immunisation history, vital signs, physical examination findings, clinical assessments and diagnoses (including ICD-10 codes where captured), treatment plans, progress notes, attached lab and imaging results, referral letters, medical certificates, and clinical photographs uploaded by the attending healthcare provider; specialty-specific data (OB-GYN prenatal records, dental odontogram and treatment plan).
Frequency of processing. Continuous, for the duration of the subscription.
Data Processing Systems in scope. The fifteen Data Processing Systems declared in MediFlow's NPCRS Phase I filing dated 23 April 2026: EMR (DPS #1), Consultation Records (DPS #2), Prescription Records (DPS #3), Lab and Imaging Orders (DPS #4), Patient Demographics (DPS #5), Clinic User Accounts (DPS #6), Subscription and Billing Records (DPS #7), Audit Logs (DPS #8), Appointments and Scheduling (DPS #9), Support Tickets (DPS #10), Marketing Website and Leads (DPS #11), System Notifications and Transactional Email (DPS #12), File Attachments and CDN (DPS #13), Staff HR Records (DPS #14, MediFlow internal only), Real-time Channels (DPS #15). The Clinic's Personal Information sits in DPS #1–6, #9, and the PIP-side flow of DPS #8, #12, #13, and #15.
Annex B — Approved Sub-processors
| # | Sub-processor | Legal entity | Function | Region | DPA on file |
|---|---|---|---|---|---|
| 1 | Vultr | Vultr Holdings Corporation | Compute, encrypted database storage, encrypted block storage, snapshot backups | Singapore | Vultr Data Processing Addendum |
| 2 | Cloudflare | Cloudflare, Inc. | DNS, TLS termination, L3/L4 DDoS protection | Global edge | Cloudflare Data Processing Addendum |
| 3 | Resend | Resend Technologies, Inc. | Transactional email delivery | United States | Resend Data Processing Addendum |
Notes:
- The real-time messaging service is open-source software self-hosted by MediFlow on its cloud-hosting infrastructure in the Singapore region. The publisher of that software is not a Sub-processor.
- PayMongo Philippines, Inc. is not a Sub-processor; it is a separate Personal Information Controller for payer data collected through its hosted-checkout flow.
- The current public list is at mediflow.ph/legal/sub-processors.
Annex C — Security measures (Section 20, RA 10173)
Organisational
- Designated Data Protection Officer with notarised Affidavit of Designation dated 22 April 2026. DPO contact: dpo@mediflow.ph.
- Privacy Manual v1.0 (16 chapters, 2 appendices), reviewed annually.
- Privacy Impact Assessments v1.0 covering the five highest-sensitivity Data Processing Systems; PIA template applied to the remaining DPS on a rolling basis before each annual NPC registration renewal.
- Personal Data Breach Response Procedure v1.0 aligned with NPC Circular 16-03, including severity classification, the 72-hour NPC notification workflow, and templates for NPC and Data Subject notifications.
- Annual Breach Response tabletop drill (BRP §10.1).
- Confidentiality undertakings binding all Personnel; least-privilege production access.
- Privacy and security awareness training on engagement and at least annually thereafter.
- Documented retention and disposal schedule (Privacy Manual Ch. 7); Breach Register, DSR Register, and Incident Log maintained and reviewed quarterly.
Physical
- Production infrastructure hosted in Vultr's Singapore data centre under Vultr's certified physical security controls (perimeter access control, CCTV, visitor logging, environmental controls, fire suppression, 24/7 on-site personnel).
- MediFlow does not operate any on-premises server room. No patient or system data is stored on workstations, removable media, or paper.
- Administrative workstations enforce full-disk encryption, automatic screen lock, and inventory tracking.
Technical
- Transport. TLS 1.2 or higher with HSTS at the edge.
- Encryption at rest. AES-256 on the production database and on the encrypted storage volumes that hold backups and snapshots.
- Authentication. A modern adaptive password-hashing algorithm with per-user salt, a 10-character minimum, and a common-password blocklist; two-factor authentication enforced on every proprietor and DPO infrastructure account (cloud hosting, edge and CDN, domain registrar, transactional email, source-control). In-app two-factor authentication for clinic admin, doctor, and staff accounts is a pre-launch delivery item before the first paying clinic onboards, and is mandatory at launch for accounts with broad access to billing, audit logs, support, transactional email, file attachments, and HR.
- Access control. Role-based access at the application layer; tenant-level isolation enforced by application logic; least-privilege for Personnel.
- Audit logging. Append-only semantics; reader-accountability events on access to clinical content; retained per the schedule in Section 9.
- Origin lockdown. Origin servers accept traffic only from Cloudflare edge ranges, verified independently.
- DDoS. Cloudflare L3/L4 mitigation; no Web Application Firewall is currently engaged or claimed.
- Application security. Pre-deployment security review covering OWASP Top-10 categories on every release; formal third-party penetration testing scheduled prior to commercial launch.
- Backups. Encrypted block-storage snapshots on a 90-calendar-day rolling window with periodic restore testing.
- Lifecycle controls. 30-calendar-day soft-delete with administrator undo, 5-business-day erasure on verified DSR, scheduled hard-delete, 90-calendar-day backup purge.
- Monitoring. A self-hosted monitoring and metrics platform, with anomaly and threshold alerts delivered to the DPO's monitored alert channel for 24/7 visibility.
- Real-time messaging. A self-hosted real-time messaging service running on MediFlow infrastructure; no third-party real-time provider has access to channel content or metadata.
- Secrets management. Application secrets stored outside source control and rotated on Personnel change or suspected exposure.
- Email-specific (DPS #12). SPF, DKIM, and DMARC configured on mediflow.ph with aggregate-report monitoring; Resend API keys scoped to send-only and rotated on schedule.
- Attachment-specific (DPS #13). Cache-bypass headers (no-store, private) on clinical and identity content; short-lived signed URLs (under 15 minutes for interactive access); cryptographic hash per object; scheduled orphan-sweep reconciliation as a pre-launch delivery item.
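The short-lived signed URL control in the attachment-specific measure above is the one item in this Annex whose behaviour is worth seeing end to end, because its security rests on two checks happening in the right order. The block below is an added illustration, not MediFlow's code and not part of the agreement. It assumes an HMAC-SHA256 scheme over the request method, object path and expiry timestamp, the 15-minute interactive ceiling stated in Annex C, and a constructed signing key and sample paths; the signing key, URL layout and parameter names are assumptions for the example.

```python
"""Short-lived signed URLs for clinical attachments (added example, not MediFlow's code).

Assumptions: HMAC-SHA256 over method, path and expiry; a 15-minute ceiling on
interactive URLs (Annex C); a constructed signing key. Nothing here is taken
from MediFlow's implementation.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_TTL_SECONDS = 15 * 60  # Annex C: interactive signed URLs live under 15 minutes

# Constructed sample key for the example; a deployment loads this from its
# secrets store (Annex C: secrets kept outside source control, rotated).
SIGNING_KEY = b"example-signing-key-not-for-production"


def _canonical(method: str, path: str, expires: int) -> bytes:
    # Bind method, path and expiry into the signed string so a signature for
    # one object cannot be replayed against another object or with a later expiry.
    return f"{method.upper()}\n{path}\n{expires}".encode()


def sign_url(base: str, path: str, ttl_seconds: int, key: bytes = SIGNING_KEY,
             method: str = "GET", now: Optional[int] = None) -> str:
    """Return base+path with exp and sig query parameters; refuse over-long TTLs."""
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be between 1 and {MAX_TTL_SECONDS} seconds")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _canonical(method, path, expires), hashlib.sha256).hexdigest()
    return f"{base}{path}?{urlencode({'exp': expires, 'sig': sig})}"


def verify_url(url: str, key: bytes = SIGNING_KEY, method: str = "GET",
               now: Optional[int] = None) -> Tuple[bool, str]:
    """Check the signature first, then expiry; return (ok, reason)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["exp"][0])
        presented = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed exp/sig"
    expected = hmac.new(key, _canonical(method, parts.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time compare. A tampered path or a forward-edited exp fails here,
    # so the expiry value is only trusted after the signature over it checks out.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    now = int(time.time()) if now is None else now
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demonstration: a 10-minute URL, then the failure modes.
    t0 = 1_000_000
    url = sign_url("https://cdn.example.test", "/attachments/abc.pdf", 600, now=t0)
    print(verify_url(url, now=t0 + 599))            # valid inside the window
    print(verify_url(url, now=t0 + 600))            # expired at the boundary
    print(verify_url(url.replace("abc", "xyz"), now=t0))  # path swapped
```

The order of checks matters: the expiry parameter is attacker-controlled until the signature covering it has been verified, so the signature check comes first. Holding the TTL ceiling in the signer rather than only in policy makes the "under 15 minutes" commitment enforceable in code, and the HTTP response that serves the object should carry the no-store, private headers listed above so the short-lived URL is not undone by an intermediate cache.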
This DPA is executed by clickwrap acceptance inside the Clinic Account when patient records are first stored, or by qualified electronic signature on request to dpo@mediflow.ph.