Back to Home

Data Processing Agreement

Last updated: July 2026 (revision 1)

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions and the Privacy Policy of Baselayer.med (the "Company", "we", "us", or "our"). It sets out how we process Personal Information on behalf of a subscribing Practice when the Practice uses the Baselayer.med platform (the "Platform" or "Service").

By creating an Account, accepting the Terms, or otherwise using the Service, the Practice agrees to this DPA. Where the Practice processes Personal Information of individuals in the European Economic Area, the United Kingdom or other jurisdictions that require a controller–processor contract, this DPA is intended to satisfy those requirements in addition to the Protection of Personal Information Act 4 of 2013 ("POPIA").

1. Parties and Scope

1.1 This DPA is between Baselayer.med (as Data Processor / operator) and the Practice that subscribes to the Service (as Data Controller / responsible party).

1.2 It applies only to Personal Information that we process on behalf of the Practice in the course of providing the Service (including patient, clinical, billing, appointment, telehealth, communication and practice-configuration data as described in the Privacy Policy).

1.3 It does not apply to: (a) Personal Information we process as an independent controller (for example, Practice Account contact details for our own billing, support and marketing where separately consented); or (b) public marketing-site analytics that do not receive patient or clinical data.

2. Definitions

2.1 Capitalised terms not defined in this DPA have the meanings given in the Terms. In addition:

Applicable Data Protection Law
means POPIA and, where applicable to the Practice's processing, the EU GDPR, UK GDPR, and any other data-protection law that applies to the processing under this DPA.
Data Controller / Responsible Party
means the Practice, which determines the purposes and means of processing Patient Personal Information and Practice data through the Platform.
Data Processor / Operator
means Baselayer.med, to the extent we process Personal Information on behalf of the Practice under documented instructions.
Personal Information / Personal Data
has the meaning given in Applicable Data Protection Law and includes special personal information / special-category data such as health information where applicable.
Sub-Processor
means a third party engaged by Baselayer.med to process Personal Information on behalf of the Practice in connection with the Service.
Security Incident
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information processed under this DPA.

3. Roles and Responsibilities

3.1 Practice (Controller / Responsible Party). The Practice:

  • determines the purposes and means of processing Patient Personal Information;
  • is responsible for establishing a lawful basis under Applicable Data Protection Law (including consent where required);
  • provides appropriate privacy notices to Patients and other data subjects;
  • ensures Content entered into the Platform is accurate and limited to what is necessary;
  • manages User access, kiosk-device security, and any external systems the Practice connects (for example accounting or calendar services); and
  • remains responsible for responding to data-subject requests in the first instance.

3.2 Baselayer.med (Processor / Operator). We:

  • process Personal Information only to provide, secure, support and improve the Service as described in the Terms and Privacy Policy;
  • process Personal Information only on documented instructions from the Practice, unless Applicable Data Protection Law requires otherwise (in which case we will inform the Practice unless legally prohibited);
  • implement appropriate technical and organisational measures as described in section 7; and
  • ensure persons authorised to process Personal Information are bound by confidentiality.

3.3 Nothing in this DPA makes Baselayer.med a healthcare provider, or creates a practitioner–patient relationship between Baselayer.med and any Patient.

4. Nature of Processing

4.1 Subject matter. Provision of the Baselayer.med cloud practice-management Platform, including consent and clinical document workflows, appointments, clinical records, charting, telehealth (on supported verticals), billing, communications, analytics and related features described in the Terms.

4.2 Duration. For the term of the Practice's Subscription and thereafter for the retention periods in the Privacy Policy (including the minimum 7-year medical-record retention where applicable) or until deletion / anonymisation under section 12.

4.3 Nature and purpose. Hosting, storing, transmitting, displaying, generating documents, sending communications on the Practice's behalf, facilitating integrations elected by the Practice, providing AI-assisted drafting tools subject to Practitioner review, logging for security and audit, and related support.

4.4 Types of Personal Information. As listed in the Privacy Policy, including identity and contact details, medical and clinical information, signatures and photographs, appointment data, billing and medical-aid claim data, telehealth metadata and (where opted in) recordings / transcripts, account authentication data, and technical / audit logs.

4.5 Categories of data subjects. Patients and dependants / guardians; Practice Users (Admins, Practitioners and staff); and, where relevant, specialists, laboratories and other contacts entered by the Practice into directories.

5. Documented Instructions

5.1 The Practice instructs us to process Personal Information as necessary to: (a) deliver the Service configured by the Practice; (b) perform the Practice's in-product actions (for example generating a PDF, sending WhatsApp, submitting a medical-aid claim, starting a telehealth session, or requesting a Practice Export); and (c) comply with the Terms, Privacy Policy and this DPA.

5.2 Additional written instructions may be agreed in writing. We will inform the Practice if, in our opinion, an instruction infringes Applicable Data Protection Law.

5.3 AI features process only the content required for the specific task and do not use patient or clinical data for model training where our providers' APIs are configured not to do so, as described in the Privacy Policy. The Practitioner must review and accept AI drafts before they become clinical Content.

6. Confidentiality

6.1 We will treat Personal Information as confidential and will not disclose it except: (a) to Sub-Processors under section 8; (b) to the Practice and its authorised Users; (c) as required by law; or (d) with the Practice's documented instruction or consent.

6.2 We ensure that personnel with access to Personal Information are subject to appropriate confidentiality obligations and receive relevant training.

7. Security Measures

7.1 Taking into account the nature, scope, context and purposes of processing, and the risk to data subjects, we implement appropriate technical and organisational measures, including those described in the Privacy Policy, such as:

  • encryption in transit (HTTPS/TLS) and encryption at rest provided by our cloud partners;
  • practice-scoped object storage accessed via short-lived signed URLs;
  • database-level isolation between practices;
  • authenticated API access, practice-membership checks and role-based access controls;
  • server-side-only handling of sensitive credentials (for example payment-card and medical-aid switch credentials);
  • input validation, rate limiting and browser security headers; and
  • activity logging and an immutable audit trail of access to and modification of patient data.

7.2 The Practice remains responsible for the security of its own devices, User credentials, kiosk mode, and any third-party accounts it connects.

8. Sub-Processors

8.1 The Practice authorises us to engage Sub-Processors to support the Service. Categories currently include: cloud database, storage and hosting providers; authentication; email delivery; messaging (WhatsApp); AI and voice-transcription providers; the Telehealth Video Provider; MedPrax; medical-aid switching; optional accounting and calendar providers connected by the Practice; and the Subscription Provider. The current description appears in section 7 of the Privacy Policy.

8.2 We will impose data-protection obligations on Sub-Processors that are no less protective, in substance, than those in this DPA, to the extent applicable to the services they provide.

8.3 We will use reasonable efforts to notify Admins of material changes to Sub-Processors (for example via the Platform or email). Continued use of the Service after notice constitutes authorisation of the change. If the Practice reasonably objects to a new Sub-Processor on data-protection grounds, the parties will discuss in good faith; if no resolution is reached, the Practice may terminate the affected Subscription under the Terms.

8.4 Where the Practice elects to connect an external accounting service, calendar provider or similar integration, that provider acts under the Practice's own relationship with that provider in addition to any Sub-Processor role arising through the Platform.

9. International Transfers

9.1 Some Sub-Processors may process Personal Information outside South Africa (and, where GDPR applies, outside the EEA / UK). We require equivalent data-protection standards and processing only on documented instructions, as described in the Privacy Policy.

9.2 Where GDPR / UK GDPR requires a transfer mechanism, we will rely on appropriate safeguards (such as Standard Contractual Clauses or successor mechanisms offered by the relevant Sub-Processor), or another lawful transfer basis.

10. Data Subject Rights

10.1 The Practice is primarily responsible for responding to access, correction, deletion, objection, restriction, portability and consent-withdrawal requests from Patients and other data subjects.

10.2 Taking into account the nature of processing, we will provide reasonable assistance to the Practice (including via Platform features such as Practice Export, record editing and User-access controls) so the Practice can meet its obligations under Applicable Data Protection Law.

10.3 If we receive a request directly that relates to Practice-controlled data, we will, where practicable, redirect the requester to the Practice or notify the Practice, unless Applicable Data Protection Law requires us to respond directly.

11. Breach Notification

11.1 We will notify the Practice without undue delay after becoming aware of a Security Incident affecting Personal Information processed under this DPA.

11.2 Notification will include, to the extent reasonably available: a description of the nature of the incident; the categories and approximate number of data subjects and records concerned; likely consequences; and measures taken or proposed to address the incident.

11.3 The Practice remains responsible for any notifications to regulators or data subjects required of a Controller / Responsible Party under Applicable Data Protection Law, unless the law requires us to notify directly.

12. Retention, Return and Deletion

12.1 During the Subscription, authorised owners / admins may initiate a Practice Export from the Platform. On reasonable written request and subject to verification of identity and authority, we will also assist the Practice in exporting its data in a usable format.

12.2 After termination, we may delete or anonymise Platform-side Personal Information after a reasonable notice period, except where retention is required by law (including the medical-record retention period referenced in the Privacy Policy) or necessary for legitimate purposes such as dispute resolution, security and compliance.

12.3 MedPrax reference cache rows are not Practice clinical records and are purged under the applicable licence TTL. Voice dictation audio is not retained after transcription.

13. Audits and Assistance

13.1 On written request, and no more than once per twelve (12) months unless a Security Incident or regulator request reasonably requires more frequent review, we will make available information reasonably necessary to demonstrate compliance with this DPA.

13.2 Where an on-site or deeper audit is reasonably required, it will be conducted during business hours, on reasonable notice, under confidentiality, and without disrupting the Service or other customers. We may satisfy audit rights through third-party certifications, SOC / security summaries, or similar reports where available.

13.3 We will provide reasonable assistance with data-protection impact assessments and prior consultations with regulators, to the extent the Practice cannot reasonably perform them alone given the information available in the Platform, Privacy Policy and this DPA.

14. Liability and Precedence

14.1 Each party's liability under this DPA is subject to the limitations and exclusions in the Terms, except to the extent Applicable Data Protection Law prohibits such limitation.

14.2 If there is a conflict between this DPA and the Terms or Privacy Policy on a data-protection matter, this DPA prevails for that matter. For all other matters, the Terms prevail.

14.3 This DPA is governed by the laws of the Republic of South Africa, and disputes are subject to the jurisdiction of the South African courts, consistent with the Terms — without prejudice to mandatory rights of data subjects under Applicable Data Protection Law.

15. Term and Changes

15.1 This DPA remains in force for as long as we process Personal Information on behalf of the Practice under the Terms.

15.2 We may update this DPA when features, Sub-Processors or legal requirements change. Material changes will be posted on this page with an updated revision date and, where appropriate, communicated to Admins. Continued use of the Service after the effective date constitutes acceptance.

16. Contact

16.1 Data protection / POPIA enquiries (Information Officer): hello@baselayer.med

16.2 General enquiries: hello@baselayer.med