DPA - Controller-Processor Agreement
Art. 28 GDPR · Version 1.0 · in force since 2026-05-13. Binding document at Pediatrician account activation. External healthcare-counsel review scheduled by Q3 2026.
Recitals
This agreement governs the relationship between the free-choice pediatrician (the "Controller", per Art. 24 GDPR with respect to their patients' data) and neonatae. (the "Processor", per Art. 28 GDPR) for the processing of patient personal data via the neonatae. platform.
1. Subject and Duration
The Processor provides the Controller with structured asynchronous communication services with the Controller's panel families. This agreement enters into force upon acceptance and runs for the duration of the service contract.
2. Data Types and Data-Subject Categories
- Common data: child name, date of birth, sex, parent name, contacts.
- Special-category data (Art. 9 GDPR): minor health data - any conversation content concerning symptoms, therapies, diagnoses, clinical images, etc.
- Data subjects: children 0-36 months in the Controller's panel; parents exercising parental responsibility.
3. Processing Purposes
The Processor processes the data exclusively for: (a) executing the service commissioned by the Controller (structured chat, attachment storage, scheduling, audit log); (b) ensuring platform security; (c) providing technical support.It does not use clinical data for autonomous purposes (e.g., marketing, profiling, AI training without explicit consent).
4. Processor Obligations
The Processor undertakes to:
- Process data only on documented instruction from the Controller (including as provided in this DPA).
- Ensure authorized personnel have signed confidentiality undertakings.
- Adopt adequate technical and organizational measures (Art. 32 GDPR): encryption at rest + in transit, RLS, audit log, backups, strong authentication.
- Notify the Controller of any data breach without undue delay (within 72h, per Art. 33 GDPR).
- Assist the Controller in fulfilling data-subject requests (Art. 15-22 GDPR).
- Assist the Controller in conducting DPIAs (Art. 35 GDPR) if requested.
- Return or delete data at the end of the relationship, save legal retention obligations.
- Make available to the Controller all information needed to demonstrate compliance.
5. Authorized Sub-Processors
The complete and continuously updated list of authorized sub-processors is published at /legal/subprocessors and forms an integral part of this DPA.
Any new sub-processors will be communicated with 30-day prior notice; the Controller may object within that period for legitimate reasons.
6. Audit and Inspections
The Controller may, once a year and with 30-day prior notice, request copies of security policies, compliance certifications (where applicable ISO 27001/SOC 2), and access logs for the data of their own panel.
7. Liability and Indemnity
Pursuant to Art. 82 GDPR, each party is liable for damage caused by non-compliant processing attributable to it. The Processor is liable only if it acted contrary to the Controller's instructions or omitted adequate security measures.
8. Governing Law and Jurisdiction
Italian law applies. Competent court: Milan.
Version 1.0 in force since 2026-05-13. Binding upon Pediatrician account activation (advanced electronic signature per EU eIDAS Regulation 910/2014). External healthcare-counsel review scheduled by Q3 2026; amendments will be communicated with 30-day prior notice per Art. 13.2.f GDPR. Upon written request to privacy@neonatae.it, a countersigned PDF copy is provided.