Data Processing Addendum

How we process patient data on your behalf.

Version 1.0 · Last updated: 30 May 2026

0. About this Addendum

This Data Processing Addendum ("DPA") supplements the Opstara Tech Terms of Service ("Agreement") and the Opstara Tech Privacy Policy. It applies whenever Opstara Tech processes personal data on behalf of a merchant clinic ("Customer") using the Opstara Tech platform.

By accepting the Agreement, the Customer also accepts this DPA. Where this DPA conflicts with the Agreement, this DPA controls in respect of the processing of personal data.

This DPA is designed to satisfy the controller-to-processor obligations imposed by: the Malaysia Personal Data Protection Act 2010 (including the 2024 amendments now in force); the Singapore Personal Data Protection Act 2012 (as amended through 2024); and the Hong Kong Personal Data (Privacy) Ordinance Cap. 486. Where the regimes differ, the standard most protective of the data subject applies.

1. Definitions

Capitalised terms have the meanings given in the Agreement and the Privacy Policy. In addition:

  • "Applicable Data Protection Law" means the MY PDPA, SG PDPA, and HK PDPO (each as amended from time to time), and any other data protection law applicable to a particular processing activity.
  • "Customer Personal Data" means personal data that Opstara Tech processes on the Customer's behalf, including patient records, contact details, identifiers (NRIC / FIN / HKID at the Customer's discretion), clinical notes, treatment plans, dental odontograms, body charts, clinical photos, and billing records.
  • "Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates (typically a patient or staff member).
  • "Sub-processor" means a third party engaged by Opstara Tech to process Customer Personal Data on Opstara Tech's behalf in the provision of the platform.

2. Roles of the parties

With respect to Customer Personal Data:

  • The Customer is the data controller (or, under HK PDPO, the data user) and determines the purposes and means of processing.
  • Opstara Tech is the data processor (or, under HK PDPO, the data processor as defined in DPP 2(3)) and processes Customer Personal Data only on the documented instructions of the Customer, including those instructions set out in the Agreement, this DPA, and the Customer's ordinary use of the platform.

For data about the Customer's own staff (login users, salary configurations, attendance records, payslips), Opstara Tech is also a processor on the Customer's behalf for the same purposes.

For data Opstara Tech collects about the Customer or its individual users in its own right (billing contacts, marketing communications to the Customer, support interactions), Opstara Tech is the data controller. That processing is governed by the Privacy Policy directly.

3. Processing details

3.1 Subject matter and duration

Opstara Tech processes Customer Personal Data for the duration of the Agreement plus any retention period required by Applicable Data Protection Law, professional-board guidance, or this DPA.

3.2 Nature and purpose

Opstara Tech processes Customer Personal Data to provide the platform features the Customer subscribes to, including: scheduling appointments, storing clinical records, computing payroll, sending WhatsApp and email notifications, generating analytics digests, processing payments via Stripe, and any other platform feature the Customer enables.

3.3 Categories of Data Subject

Patients of the Customer; the Customer's staff members; the Customer's billing contacts.

3.4 Categories of personal data

Identification data (name, contact details, DOB, optional national identifiers); health data (clinical notes, diagnoses, treatment plans, dental and body charts, clinical photos); operational data (booking history, payment events, no-show events); employment data (salary configurations, attendance records, leave requests, expense claims, payslips).

3.5 Special categories

Clinical photos, odontograms, body charts, and clinical notes are sensitive personal data under MY PDPA section 2 and are treated as requiring elevated safeguards under SG PDPA healthcare-sector guidance and HK PDPO PCPD guidance on biometric and health data. The Customer is responsible for obtaining the express consent of the patient before entering sensitive personal data into the platform.

4. Opstara Tech's obligations

4.1 Processing instructions

Opstara Tech processes Customer Personal Data only on the Customer's documented instructions, unless required to do otherwise by law. Where Opstara Tech is required by law to process Customer Personal Data outside the Customer's instructions, Opstara Tech will inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

4.2 Confidentiality

Opstara Tech ensures that personnel authorised to process Customer Personal Data are subject to written confidentiality obligations and have received appropriate training on data-protection responsibilities.

4.3 Security

Opstara Tech implements the technical and organisational measures set out in Schedule A (Security Measures). Opstara Tech may update these measures from time to time provided the level of protection is not materially reduced.

4.4 Assistance to the Customer

Opstara Tech assists the Customer, taking into account the nature of the processing and the information available to Opstara Tech, to fulfil the Customer's obligations to:

  • respond to Data Subject access, correction, and deletion requests;
  • conduct data-protection impact assessments where required;
  • notify regulators and Data Subjects of personal data breaches.

For Data Subject access and correction requests routed through the Customer, Opstara Tech will provide the requested data or perform the requested update within five (5) business days of the Customer submitting the request to Opstara Tech, where the request is technically deliverable through the platform.

4.5 Records of processing

Opstara Tech maintains records of processing activities undertaken on the Customer's behalf and provides those records to the Customer on reasonable written request.

5. Sub-processors

5.1 Authorised sub-processors

The Customer authorises Opstara Tech to engage the sub-processors listed in the Opstara Tech Privacy Policy, Section 6 (and any sub-processor changelog maintained at /privacy).

5.2 Changes to sub-processors

Opstara Tech provides at least thirty (30) days' prior notice by email to the Customer's registered billing contact before adding or replacing a sub-processor that materially affects the processing of Customer Personal Data. The Customer may object on reasonable data-protection grounds within fourteen (14) days of notice; in that case the parties will work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected services for convenience on thirty (30) days' written notice.

5.3 Sub-processor obligations

Opstara Tech enters into a written agreement with each sub-processor containing data protection obligations no less protective than those in this DPA, and remains responsible to the Customer for the acts and omissions of its sub-processors as if performed by Opstara Tech.

6. International transfers

Opstara Tech may transfer Customer Personal Data outside the Customer's home jurisdiction (typically to the United States, the European Union, or other regions where Opstara Tech's sub-processors maintain infrastructure). Each such transfer is covered by:

  • the relevant sub-processor's standard data-protection terms (e.g. Neon DPA, Vercel DPA, Stripe DPA, Twilio DPA, SendGrid DPA, Railway DPA, Google Cloud DPA), each incorporating European Union Standard Contractual Clauses (2021/914) where applicable; and
  • where required by MY PDPA 2024 Section 129A, the Customer's express consent to transfer to a destination without an adequacy determination, given by the Customer's acceptance of this DPA and reflected in the Privacy Notice the Customer provides to its patients.

The full transfer schedule, naming each destination region and the corresponding safeguard, is set out in Schedule B (Cross-Border Transfer Schedule).

7. Breach notification

Opstara Tech will notify the Customer of a personal data breach affecting Customer Personal Data without undue delay and in any event within twenty-four (24) hours of Opstara Tech confirming the breach.

The notification will include, to the extent then known:

  • the nature of the breach and the categories of personal data affected;
  • the approximate number of Data Subjects affected;
  • the likely consequences of the breach;
  • the measures Opstara Tech has taken or proposes to take to address and mitigate the breach;
  • the contact point for further information.

Opstara Tech will cooperate with the Customer in good faith to enable the Customer to meet its notification obligations to regulators (within 72 hours under MY PDPA 2024 Section 12B; within 3 calendar days under SG PDPA Section 26B and the PDPA Notification of Data Breach Regulations; on a voluntary basis under HK PDPO, transitioning to mandatory if the PCPD enforces the published amendment) and to affected Data Subjects.

Opstara Tech's incident response procedures are documented at docs/incident-response.md within the Opstara Tech source repository, and are summarised in the Security Posture document at /security once published.

8. Audit rights

On reasonable prior written notice (not less than thirty (30) days, save in the case of a genuine emergency or a regulator-mandated audit), the Customer may once per calendar year audit Opstara Tech's compliance with this DPA. Opstara Tech will make available the information and personnel reasonably necessary to demonstrate compliance.

In lieu of an on-site audit, Opstara Tech may satisfy this clause by providing: (a) then-current independent third-party reports (e.g. SOC 2 Type 1 or Type 2, ISO 27001) when issued; and (b) Opstara Tech's then-current Security Posture document.

The auditing party bears its own costs. The audit will be conducted under reasonable confidentiality obligations and without unreasonable disruption to Opstara Tech's operations.

9. Return and deletion

On termination or expiry of the Agreement, the Customer has thirty (30) days from termination to export Customer Personal Data using the in-platform export tooling (Settings → Data Export). After thirty (30) days, Opstara Tech deletes Customer Personal Data in accordance with the Privacy Policy Section 8 retention rules: account data is deleted via the automated data-retention sweep; clinical records are preserved for seven (7) years from last clinical activity per professional-board guidance, then deleted; billing and tax records are preserved for seven (7) years as required by tax law.

On the Customer's request and at Opstara Tech's reasonable cost, Opstara Tech will provide written certification of deletion.

10. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement.

11. Governing law and jurisdiction

This DPA is governed by the law specified in the Agreement (Singapore law). Notwithstanding the foregoing, the Customer may pursue claims arising under mandatory provisions of the Applicable Data Protection Law in its home jurisdiction where required by law.

Schedule A — Security Measures

The technical and organisational measures Opstara Tech implements to protect Customer Personal Data are documented in detail at /security and summarised here:

  • Encryption in transit: TLS 1.2+ on all customer-facing endpoints; HSTS enforced.
  • Encryption at rest: AES-256 in Neon (Postgres), Vercel Blob (photos and attachments), and Redis (background-job state).
  • Authentication: JWT session tokens with rotation on impersonation; bcrypt password hashing; Redis-backed rate limiting on sign-in and password-reset endpoints; refusal to boot in production without critical secrets present.
  • Access control: role-based access (owner, manager, clinician, staff) enforced on every server-side route; merchant scoping enforced on every query against merchant data.
  • Audit logging: every clinical-record read and write captured in the clinical_record_access_log table; super-admin impersonation writes attributed to the actor; booking-record edits captured per-field.
  • Private blob storage: payslip PDFs, claim receipts, supplier invoices, and clinical photos stored in private object storage with download mediated by an authenticated server-side proxy.
  • Retention enforcement: automated daily sweep that carries out cancellation-driven deletion; 7-year clinical retention preserved by schema design.
  • Vendor management: written data-protection agreement with each sub-processor listed in the Privacy Policy.

Schedule B — Cross-Border Transfer Schedule

Customer Personal Data is processed by the following sub-processors in the following destinations, under the following safeguards:

  • Neon (managed Postgres) — primary region US-East; EU-Central and AP-Southeast available on Customer request. Safeguard: Neon DPA incorporating EU SCCs (2021/914).
  • Vercel (web application hosting and edge delivery) — global edge with primary in US. Safeguard: Vercel DPA incorporating EU SCCs.
  • Vercel Blob (private object storage for clinical photos, payslips, receipts, supplier invoices) — US. Safeguard: Vercel DPA incorporating EU SCCs.
  • Railway (API hosting and managed Redis) — US-West. Safeguard: Railway DPA.
  • Stripe (payments) — US and Ireland. Safeguard: Stripe DPA incorporating EU SCCs.
  • Twilio (WhatsApp and SMS delivery) — US. Safeguard: Twilio DPA incorporating EU SCCs.
  • SendGrid (transactional email delivery) — US. Safeguard: SendGrid DPA incorporating EU SCCs.
  • Google Cloud (analytics digest generation via Gemini) — US. Safeguard: Google Cloud DPA. The prompt sent to Gemini contains aggregate clinic KPIs and merchant operational metadata; it does not contain patient identifiers.

Sub-processors underlying these vendors (e.g. AWS underneath Vercel and Stripe) are covered by the parent vendor's DPA. A complete and current sub-processor list is maintained at /privacy.

Contact

Questions about this DPA, audit requests, breach notifications, and any other data-protection enquiry:

dpo@opstaratech.com (Opstara Tech's Data Protection Officer) or privacy@opstaratech.com.

The Customer's acceptance of the Agreement constitutes acceptance of this DPA in its then-current form. Material changes will be notified to the Customer's billing contact at least thirty (30) days before they take effect.