Data Processing Agreement

Processor: Clinara Pty Ltd
Applies to: Clinics and organisations subscribing to the Clinara platform

This Data Processing Agreement forms part of, and should be read together with, our Terms of Service and Privacy Policy.

1. Parties and background

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between:

• Clinara Pty Ltd (ACN 698 904 031) ("Clinara", "we", "us", the Processor); and
• The clinic or organisation that has agreed to the Clinara terms of service or a Clinara subscription/order ("Customer", "you", the Controller).

This DPA applies to the processing of Personal Information by Clinara on behalf of the Customer in connection with the Clinara services. It is enacted in accordance with our obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

This DPA borrows the controller/processor terminology used in the GDPR to support Customers who may also have GDPR obligations. It does not by itself implement GDPR-specific transfer mechanisms (such as Standard Contractual Clauses).

In the event of conflict on the subject matter of data protection, this DPA prevails.

2. Definitions

• APPs — the Australian Privacy Principles set out in Schedule 1 of the Privacy Act.
• Controller — entity that determines the purposes and means of processing Personal Information.
• Customer Personal Information — Personal Information that Clinara processes on behalf of the Customer in connection with the Services. This includes consultation audio, transcripts, AI-generated notes and coaching outputs, follow-up content, client identifiers (name, email, phone), consent records, and associated metadata.
• Personal Information — has the meaning given in the Privacy Act, and includes "Sensitive Information" (e.g. health information) where applicable.
• Privacy Act — the Privacy Act 1988 (Cth), as amended, including the APPs.
• NDB Scheme — the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
• Eligible Data Breach — has the meaning given in the Privacy Act.
• Sub-processor — a third party engaged by Clinara to process Customer Personal Information in connection with the Services (see Annex 3).
• Process / Processing — any operation performed on Personal Information, including collection, storage, use, transcription, analysis, disclosure, and deletion.

The terms "Controller" and "Processor" are used to describe the parties' respective roles in terms used by the GDPR. Under the Privacy Act both parties are "APP entities" with their own obligations.

While the Australian Privacy Act does not use the controller/processor terminology, these roles are used in this DPA for clarity and to support Customers who may also have obligations under the GDPR.

3. Roles and scope of processing

3.1 Roles. As between the parties, the Customer is the Controller of Customer Personal Information and Clinara is the Processor, processing it solely to provide and support the Services.

3.2 Subject matter, duration, nature and purpose, types of data and categories of individuals are described in Annex 1.

3.3 Customer instructions. Clinara will process Customer Personal Information only: (a) to provide, maintain, secure, and support the Services; (b) in accordance with the Customer's documented instructions (including the configuration choices the Customer makes in the platform — e.g. audio retention period); and (c) as required by Australian law (in which case Clinara will, where lawful, inform the Customer).

By default, Clinara's personnel do not have access to the content of Customer Personal Information, and optional collection is off unless the Customer enables it. Clinara accesses Customer Personal Information only as necessary to provide and support the Services, as further described in clause 5.5.

3.4 Clinara will inform the Customer if, in its opinion, an instruction infringes the Privacy Act or other applicable data protection law.

3.5 No secondary use. Clinara will not use Customer Personal Information for its own purposes, sell it, or disclose it except as permitted by this DPA. Consultation audio and transcripts are never used to train general-purpose AI models.

Where data is used for product improvement or quality assurance, it is aggregated or de-identified so individuals cannot reasonably be re-identified.

Clinara does not use Customer Personal Information for marketing, profiling, or any purpose other than providing the contracted services.

4. Customer obligations

4.1 The Customer warrants that it has a lawful basis to collect the Customer Personal Information and to authorise Clinara to process it, and that it has provided all required notices and obtained all required consents from individuals — in particular informed consent from each client before a consultation is recorded (APP 3 / APP 5).

4.2 The Customer is responsible for the accuracy of, and its own instructions concerning, Customer Personal Information, and for configuring retention, roles, and access within the platform appropriately.

4.3 Clinara provides consent-capture tooling, auto-generated consent text, privacy-notice templates, and signage templates to assist the Customer, but the Customer remains responsible for meeting its own privacy legal obligations.

5. Clinara's processing obligations

Clinara will:

5.1 Confidentiality. Ensure that personnel authorised to process Customer Personal Information are bound by confidentiality obligations and access it only on a need-to-know basis.

5.2 Security. Implement and maintain the technical and organisational measures described in Annex 2, appropriate to the risk and to the nature of the (health-adjacent, sensitive) data, in accordance with APP 11.

5.3 Data minimisation in the AI pipeline. Limit the Personal Information disclosed to AI/transcription providers to what is necessary to deliver the Services. Data sent to the AI model provider (AWS Bedrock) is not retained by that provider beyond the duration of the API request and is not used for training.

5.4 Assistance. Taking into account the nature of the processing, provide reasonable assistance to the Customer in meeting its own obligations regarding security, breach notification, privacy impact assessments, and individuals' access/correction requests (clauses 9–11).

5.5 Refraining from collection and restricting access. Use technical measures to refrain from collecting, and to restrict its access to, Customer Personal Information unless instructed otherwise by the Customer, including:

• (a) Privacy-protective defaults. Optional data collection is off by default and only occurs where the Customer enables it in the platform. In-app consent records are not collected unless the Customer turns on consent capture, and immediate post-processing deletion of audio and transcripts can be enabled per clinic.
• (b) Restriction of Clinara administrator access. Clinara's internal administrative application only shows Customer data through allow-list database projections and excludes client identifiers, consultation transcripts, treatment notes, follow-up content, and coaching outputs. The administrative application displays only operational metadata (e.g. status, counts, durations) rather than the content of Customer Personal Information.
• (c) PII scrubbing in logs and error monitoring. Application logs and error monitoring data are redacted before transmission — emails, phone numbers, client names, and free text removed or masked — so that Customer Personal Information is not collected into operational telemetry.
• (d) Clinic-level data isolation. Customer Personal Information is partitioned by clinic and is accessible only to authenticated, authorised users within the Customer's own organisation, enforced by role-based access control in the platform's API layer.
• (e) Aggregated or de-identified inputs for internal use. Internal analytics and product-improvement processing use aggregated metrics and de-identified summaries rather than raw consultation transcripts or audio.

6. Security measures

6.1 Clinara maintains the technical and organisational measures set out in Annex 2, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, clinic-level data isolation, audit logging of data mutations, and PII scrubbing in logs and error monitoring.

6.2 Clinara may update its security measures from time to time provided the updates do not materially reduce the overall level of protection.

7. Sub-processors

7.1 General authorisation. The Customer provides a general authorisation for Clinara to engage the Sub-processors listed in Annex 3 to process Customer Personal Information in connection with the Services.

7.2 Flow-down. Clinara will impose data-protection obligations on each Sub-processor that are substantially equivalent to those in this DPA, by written contract (including the relevant Sub-processor's data processing agreement), and remains liable to the Customer for each Sub-processor's performance of those obligations.

7.3 Changes. Clinara may add or replace Sub-processors. Clinara will maintain an up-to-date Sub-processor register (available on request) and will notify the Customer of intended changes a reasonable time in advance, giving the Customer the opportunity to object on reasonable, data-protection-related grounds. If the parties cannot resolve a reasonable objection, the Customer may terminate the affected Services as its sole remedy.

8. Cross-border disclosure (APP 8)

8.1 Australian data residency. All patient audio recordings, transcripts, and treatment notes are stored in AWS's Sydney region in Australia. The transcription provider (AWS Transcribe), the AI note-generation provider (AWS Bedrock), object storage (AWS S3), the database (MongoDB Atlas), and application compute (Vercel functions) all operate within Australia.

8.2 Ancillary overseas processing. Certain ancillary processing occurs outside Australia, as identified in Annex 3: authentication (Clerk) and error monitoring (Sentry) are US-based. Authentication involves limited staff and administrator account information (such as the names and email addresses of Customer users); it does not include consultation audio, transcripts, or notes. Error monitoring receives diagnostic data subject to PII scrubbing (emails and phone numbers redacted before transmission).

8.3 Where Customer Personal Information is disclosed to an overseas recipient, Clinara takes reasonable steps under APP 8 to ensure the recipient handles it consistently with the APPs, including contractual obligations (Sub-processor DPAs) and technical controls (encryption in transit and at rest). The Customer is responsible for disclosing relevant cross-border processing to its clients and obtaining any required consent (clause 4.1).

9. Assistance with individuals' rights (APP 12 / APP 13)

9.1 Clinara will, taking into account the nature of the processing, provide reasonable assistance (including via platform self-service features) to enable the Customer to respond to requests from individuals to access (APP 12) or correct (APP 13) their Personal Information, and to requests for deletion.

9.2 On request, Clinara will assist the Customer to compile the Personal Information it holds about an individual (sessions, notes, transcripts, and consent records) and supports deletion of an individual's data (including immediate session purge and client deletion). If Clinara receives a request directly from an individual, it will refer the individual to the relevant Customer and will not respond directly except as instructed by the Customer or required by law.

10. Data breach notification (NDB Scheme)

10.1 Clinara maintains an incident response plan aligned with the NDB Scheme.

10.2 Clinara will notify the affected Customer without undue delay after becoming aware of an Eligible Data Breach (or suspected Eligible Data Breach) affecting Customer Personal Information, and in any event in time to allow the Customer to meet its own NDB obligations. The notification will include, to the extent known, the nature of the breach, the categories and approximate volume of data and individuals affected, the likely consequences, and the measures taken or proposed.

10.3 Clinara will cooperate reasonably with the Customer in investigating, mitigating, and (where required) notifying the OAIC and affected individuals. Clinara has accepted the AWS Australian Notifiable Data Breach (ANDB) Addendum, binding AWS to notify Clinara of infrastructure-level breaches affecting Australian Personal Information.

10.4 Each party remains responsible for making its own notifications to the OAIC and affected individuals where it is required to do so under the Privacy Act.

11. Audit and information

11.1 Clinara will make available to the Customer, on reasonable written request and no more than once per 12 months (unless required by a regulator or following a breach), information reasonably necessary to demonstrate compliance with this DPA — including its security documentation, Sub-processor register, and (when available) third-party audit reports or certifications (e.g. SOC 2).

11.2 Where the Customer reasonably requires further assurance, the parties will discuss a proportionate audit, subject to reasonable confidentiality, scope, timing, and cost arrangements, and conducted so as not to compromise the security or data of other customers.

12. Retention, return, and deletion

12.1 Retention. Clinara retains Customer Personal Information only as long as needed to provide the Services or as required by law:

• Audio recordings — retention is configurable per clinic (default 14 days), after which they are automatically deleted by the retention process.
• Transcripts and notes — retained for the duration of the clinic's configured retention period; notes are also retained in the clinic's management platform per the clinic's own policies.
• Usage metadata / logs — retained for a limited period (system metrics ~90 days) then purged.

12.2 On termination. On expiry or termination of the Agreement, Clinara will, at the Customer's choice, return and/or delete Customer Personal Information within a reasonable period, except to the extent retention is required by law or for the limited period needed to complete deletion across backups, after which it is overwritten or rendered inaccessible.

12.3 The Customer may request deletion of its data at any time by contacting Clinara at the address in clause 15.

13. Liability

The parties' liability under this DPA is subject to, and counts toward, the limitations and exclusions of liability set out in the Agreement.

14. Term and governing law

14.1 This DPA takes effect on the date the Customer agrees to it (or to the Agreement) and continues for as long as Clinara processes Customer Personal Information.

14.2 This DPA is governed by the laws of New South Wales, Australia, and the parties submit to the exclusive jurisdiction of the courts of that jurisdiction. Nothing in this DPA limits either party's obligations under the Privacy Act.

15. Contact

Data protection / privacy enquiries and DPA requests: privacy@clinara.ai

Annex 1 — Details of processing

Annex 2 — Technical and organisational measures

Key measures include (but are not limited to):

• Encryption in transit and at rest.
• Role-based access control (admin, member, front-desk roles).
• Clinic-level data isolation.
• Multi-factor authentication.
• Session management.
• Kiosk access secured via PIN verification and time-limited tokens.
• Application-level audit logging.
• Real-time error monitoring.
• Core processing in Australia.
• Automated audio retention and deletion.
• Per-clinic configurable retention supporting session/client deletion and immediate session purge for erasure requests.

Annex 3 — Approved Sub-processors