Data Processing Agreement (DPA) - January 2026

Between: The Client, user of services, acting as the Data Controller.
And: Dupraz Informatique Sàrl, Place de la Gare 9, 1260 Nyon, acting as Sub-processor (hereinafter the Publisher).

1. Purpose and scope

This agreement defines the terms and conditions under which the Processor agrees to carry out, on behalf of the Client, the personal data processing operations necessary for the provision of the SaaS service.

2. Nature and Purpose of the processing

Data is processed only for the following purposes:

  • Patient medical record management.
  • Medical and/or service billing management.
  • Online appointment booking and professional calendar management.
  • Maintenance and Optimization : Technical data processing to improve service reliability, optimize automated processing workflows (e.g., document indexing and sorting), and develop new features.

3. Categories of data processed

The Publisher is required to store and process the following categories of data:

  • Healthcare professional data

    Gender, last name, first name, federal identification numbers (UID, GLN), bank details, contract number with third parties.

  • Patient Data

    Gender, last name, first name, contact details, insurance, highly sensitive health data (diagnostics, reports, imaging).

4. Obligations of the Publisher (Processor)

The Publisher undertakes to:

  • Support

    The Publisher shall assist the Client, as far as possible, in responding to requests for the exercise of patient rights (access, rectification, portability).

  • Instructions

    Process data only upon the Client's instruction and for the proper execution of the service, including the technical testing phases necessary to guarantee the software's performance and security.

  • Privacy

    Ensure that all personnel authorized to process data are subject to strict professional secrecy (Art. 321 of the Swiss Criminal Code).

  • Sovereignty

    The hosting of the software infrastructure and medical databases is provided exclusively by the Publisher on its own servers in Switzerland.

  • Location and Transfers

    All data storage is located in Switzerland.
    For the execution of optional functions enabled by the Client (e.g., SMS, electronic invoicing, payments), the Publisher may use specialized subsequent subcontractors. The list of these partners is kept up to date in the Data Protection Declaration (DPD).

  • Transfer Protection

    No health data transfers outside of Switzerland are carried out by the Publisher.
    Limited transfers of administrative data (e.g., SaaS billing, technical notifications) to the partners mentioned in point 8 of the DPD are governed by appropriate confidentiality guarantees.

5. Technical and Organizational Measures (TOM)

In accordance with Art. 8 nFADP, the Publisher implements the following measures:

  • Encryption

    Secure streams (HTTPS/TLS) and encrypted data at rest.

  • Access Segregation

    Application mechanisms ensuring strict data isolation between each firm. No user can access another client's data, in accordance with the software's security rules.

  • Availability

    Daily backup policy replicated across three distinct geographical sites in Switzerland.

  • Access Security

    Strong authentication (2FA) and technical access logging.

  • Hardware end of life

    Server access restricted to authorized personnel.
    Any storage medium (hard drives, SSDs) containing or having contained health data is physically destroyed as soon as it leaves the active infrastructure, whether due to technical failure, obsolescence, or preventive replacement. No media is returned to the manufacturer (Non-Returnable Disk warranty) or resold on the second-hand market.

6. Data breach notification

The Publisher undertakes to notify the Client in writing of any data security breach (unauthorized access, loss, or leak) within a maximum of 48 business hours after becoming aware of it. This notification must enable the Client to fulfill its own reporting obligations to the Federal Data Protection and Information Commissioner (FDPIC).

7. Data disposal and retention

Activity period
Data is retained as long as the subscription is active.

End of contract
Upon termination, patient data is stored securely for 10 years (the legal retention period for medical records in Switzerland), unless the Client provides written instructions requesting immediate deletion under their own responsibility.

Restoration
The Client may export their data at any time using the tools provided in the application interface.

8. Audit Rights

The Publisher allows security audits to be carried out by the Client or a mandated Third Party (limited to one annual audit, subject to 30 days' notice and at the Client's sole expense). The audit must be conducted during business hours and must not disrupt service continuity for other users.

9. Applicable Law and Jurisdiction

This agreement is governed by Swiss law. In the event of a dispute, the exclusive legal venue shall be Nyon, Switzerland.

Looking for a medical consultation? Click here to access the directory.
Copyrights © 2016 - 2026 All Rights Reserved by Dupraz Informatique Sàrl.
Terms and Conditions / Data Protection / Data Processing Agreement (DPA)