NDPA 2023 Compliant

Data Processing Agreement

This agreement governs how VirtuCare processes personal data on behalf of hospitals using the platform, in line with the Nigeria Data Protection Act 2023.

Last updated: 9 June 2025

1. Introduction and Definitions

This Data Processing Agreement (“DPA”) forms part of the agreement between VirtuCare (“Processor”) and the hospital or healthcare organisation that subscribes to the platform (“Controller”). It governs the processing of personal data by VirtuCare on behalf of the Controller, in accordance with the Nigeria Data Protection Act (NDPA) 2023.

This DPA is incorporated into and subject to the Terms of Service. In the event of conflict between this DPA and the Terms of Service on matters relating to personal data, this DPA prevails.

Key Definitions

  • "Controller" — the hospital or healthcare organisation that determines the purposes and means of processing patient and staff data through VirtuCare
  • "Processor" — VirtuCare, which processes personal data on behalf of the Controller
  • "Data Subject" — the individual whose personal data is being processed (e.g. patients, hospital staff)
  • "Personal Data" — any information relating to an identified or identifiable natural person
  • "Sensitive Personal Data" — personal data revealing health or medical information, processed under stricter protections
  • "Processing" — any operation performed on personal data, including collection, storage, use, disclosure, or deletion
  • "Sub-Processor" — a third party engaged by VirtuCare to process personal data in connection with the service

2. Details of Processing

2.1 Subject Matter

VirtuCare processes personal data for the purpose of providing the hospital management platform described in the Terms of Service.

2.2 Duration

Processing occurs for the duration of the Controller's active subscription and for the 30-day data retrieval period following termination.

2.3 Nature and Purpose of Processing

  • Storing and retrieving patient health records on behalf of the hospital
  • Managing appointment scheduling and queue workflows
  • Processing laboratory test requests and result records
  • Managing pharmacy inventory and dispensing records
  • Coordinating drug delivery orders
  • Generating billing records and invoices
  • Providing staff account management and role-based access control

2.4 Categories of Personal Data

The following categories of personal data are processed under this DPA:

  • Patient identification data: full name, date of birth, sex, contact details, patient ID
  • Patient health data (sensitive): medical history, diagnoses, clinical notes, vital signs, allergies
  • Clinical transaction data: prescriptions, dispensing records, lab test requests and results
  • Financial data: billing records, invoice details, payment status
  • Staff data: names, email addresses, roles, access logs
  • Operational data: appointment records, delivery tracking, department assignment

2.5 Categories of Data Subjects

  • Patients receiving care at the hospital
  • Hospital administrators, consultants, pharmacists, lab staff, and other authorised personnel
  • Any other individuals whose data the Controller inputs into the platform

3. Obligations of VirtuCare (Processor)

VirtuCare agrees to:

3.1 Process Only on Instructions

Process personal data only on documented instructions from the Controller, including in relation to transfers of personal data, unless required to do so by Nigerian law. We will promptly inform the Controller if, in our opinion, an instruction infringes applicable data protection law.

3.2 Confidentiality

Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations and receive adequate data protection training.

3.3 Security

Implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. See Section 7 for detail on specific measures.

3.4 Sub-Processor Management

Not engage sub-processors without prior written authorisation from the Controller (general authorisation is given at the time of subscription, subject to the notification process in Section 5). Ensure sub-processors are bound by equivalent data protection obligations.

3.5 Assistance

Assist the Controller in fulfilling its obligations to respond to data subject rights requests, taking into account the nature of the processing and the information available to VirtuCare.

3.6 Deletion and Return

At the Controller's choice, delete or return all personal data upon termination of the service, and delete existing copies unless retention is required by law.

3.7 Audit Cooperation

Make available all information necessary to demonstrate compliance with this DPA and contribute to audits or inspections by the Controller or its authorised auditor, subject to reasonable notice and confidentiality protections.

4. Obligations of the Hospital (Controller)

The Controller agrees to:

  • Ensure it has a valid legal basis under the NDPA 2023 for processing patient and staff data through VirtuCare
  • Provide patients with appropriate notice of how their data will be used, including that it is processed by VirtuCare
  • Only instruct VirtuCare to process data in ways that are lawful and consistent with this DPA
  • Ensure staff are granted appropriate access roles and that access is reviewed regularly
  • Promptly notify VirtuCare if the Controller becomes aware of any suspected breach or misuse involving platform data
  • Not input data into VirtuCare for which the Controller does not have lawful authority to process

5. Sub-Processors

The Controller grants VirtuCare general authorisation to engage sub-processors to support the operation of the platform. VirtuCare currently engages sub-processors in the following categories:

  • Cloud infrastructure and hosting providers
  • Payment processing services
  • Email notification and transactional communication providers
  • Application monitoring and error tracking services

VirtuCare will notify the Controller at least 14 days before adding or replacing a sub-processor. The Controller may object in writing within that period. If no resolution is reached, the Controller may terminate the service without penalty.

All sub-processors are bound by contractual data protection obligations equivalent to this DPA. A current list of sub-processors is available on request at privacy@virtucare.io.

6. Data Subject Rights

Where VirtuCare receives a request from a data subject directly, we will forward it to the Controller within 5 business days, as the Controller is responsible for responding to such requests.

VirtuCare will provide reasonable technical assistance to the Controller in fulfilling data subject rights requests, including:

  • Right of access — generating data exports for individual patient or staff records
  • Right to rectification — correcting inaccurate records at the Controller's instruction
  • Right to erasure — deleting records at the Controller's instruction, subject to legal retention requirements
  • Right to restriction — restricting access to specific records at the Controller's instruction
  • Right to data portability — providing structured data exports in standard formats

7. Security Measures

VirtuCare implements the following technical and organisational security measures to protect personal data:

Technical Measures

  • AES-256 encryption for all data at rest
  • TLS 1.3 for all data in transit between clients and servers
  • Role-based access controls enforced at the API level — not just the UI
  • Secure, isolated database architecture
  • Automated backups with encryption and point-in-time recovery
  • Intrusion detection and security monitoring on cloud infrastructure

Organisational Measures

  • Access to production systems limited to authorised personnel on a need-to-know basis
  • Staff data protection training and confidentiality obligations
  • Tamper-resistant audit logs for all access and actions on the platform
  • Incident response procedures for detecting, reporting, and managing data breaches
  • Regular review of security practices and third-party sub-processor compliance

8. Personal Data Breaches

In the event of a personal data breach affecting data processed under this DPA, VirtuCare will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide a description of the nature of the breach, categories and approximate number of data subjects and records affected
  • Describe the likely consequences of the breach and the measures taken or proposed to address it
  • Cooperate with the Controller in meeting its notification obligations to the Nigeria Data Protection Commission (NDPC) and affected data subjects

Where VirtuCare cannot provide complete information within the initial 72-hour notification, information will be provided in phases without undue further delay.

9. Data Deletion and Return

Upon termination or expiry of the subscription, VirtuCare will:

  • Make all data available for export by the Controller for a period of 30 days following termination
  • Permanently delete all personal data from active systems within 30 days of the export period closing
  • Securely delete all copies held by sub-processors on request
  • Provide written confirmation of deletion to the Controller on request

VirtuCare may retain certain data beyond this period where required by Nigerian law (e.g. financial records under relevant tax and accounting legislation). The Controller will be informed of any such retention.

10. Audit Rights

VirtuCare will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits or inspections of VirtuCare's data processing activities, subject to:

  • At least 30 days' prior written notice specifying the scope of the audit
  • Reasonable confidentiality protections for VirtuCare's proprietary information
  • The audit taking place during normal business hours and without disrupting operations
  • Reasonable audit costs borne by the Controller for on-site visits

In lieu of a direct audit, VirtuCare may provide third-party security certifications, penetration testing reports, or independent audit reports as evidence of compliance.

11. Duration and Termination

This DPA takes effect from the date the Controller activates a VirtuCare subscription and remains in force for the duration of the subscription agreement.

On termination of the subscription for any reason, this DPA automatically terminates, except that obligations relating to data deletion, confidentiality, and liability survival remain in force in accordance with their respective terms.

12. Contact Information

For questions relating to this Data Processing Agreement or to exercise your rights under it, contact VirtuCare's data protection function:

  • Data protection enquiries: privacy@virtucare.io
  • Security incidents: security@virtucare.io
  • General enquiries: hello@virtucare.io

Complaints about VirtuCare's data processing may also be directed to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.