Data Processing Agreement

Last updated: May 21, 2026

This DPA forms part of the Terms & Conditions between the clinic ("Customer") and Infinia Care ("Infinia") and governs the processing of personal data carried out by Infinia on the Customer's behalf.

1. Roles of the parties

The Customer (clinic / branch) is the data controller and determines the purposes and means of processing. Infinia acts as the data processor and processes personal data only on behalf of, and under the documented instructions of, the Customer.

2. Permitted processing & instructions

Infinia processes personal data only:

  • to provide and support the Service (scheduling, patient management, billing, session recording, AI transcription/summaries, analytics);
  • in accordance with the Customer's documented instructions, including the Terms and this DPA;
  • as required by applicable law, informing the Customer unless legally prohibited.

Infinia will not process personal data for its own purposes or sell it, and will inform the Customer if an instruction appears to infringe applicable data protection law.

3. Confidentiality

Infinia ensures that any person authorised to process personal data is bound by an obligation of confidentiality and processes the data only as instructed.

4. Security measures

Infinia implements appropriate technical and organisational measures, including: encryption in transit (TLS) and at rest; row-level security (RLS) isolating each branch's data; role-based access control; least-privilege access; logging and monitoring; and regular review of safeguards appropriate to the risk.

5. Sub-processors

The Customer authorises Infinia to engage sub-processors to deliver the Service:

  • Supabase — authentication, database, file storage, edge functions
  • Fireworks AI — AI transcription and summarisation (data not retained beyond the API call)
  • Resend — transactional email
  • Sentry — error monitoring (no personal health data)

Infinia imposes data-protection obligations on each sub-processor no less protective than this DPA, remains liable for their performance, and gives prior notice of any new or replacement sub-processor with a reasonable opportunity to object.

6. Breach notification

Infinia will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's data, and provide information reasonably necessary for the Customer to meet its own notification obligations.

7. Deletion or return of data

On termination or expiry, Infinia will, at the Customer's choice, delete or return all personal data processed on the Customer's behalf and delete existing copies within 30 days — except where retention is required by law. Backups are purged on their normal rotation cycle (30–90 days).

8. Audit rights

Infinia will make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Customer or its mandated auditor, subject to reasonable notice, confidentiality, and frequency limits.

9. International transfers

Personal data is hosted in the region selected for the Customer's project. Infinia will not transfer it outside that region except as necessary to provide the Service and with appropriate safeguards required by applicable law (including Qatar Law No. (13) of 2016 Concerning the Protection of Personal Data).

10. Assistance to the Customer

Taking into account the nature of processing, Infinia will assist the Customer with data-subject requests (access, correction, deletion), data protection impact assessments, and consultations with the competent authority.

11. Staff access controls

Access to the Customer's personal data is restricted to authorised Infinia personnel on a need-to-know basis, enforced through role-based access control and least-privilege principles, and is logged. Within the Customer's own organisation, access to patient data is governed by the Service's roles (Supervisor, Specialist) and row-level security.

12. Governing law

This DPA is governed by the laws of the State of Qatar, including Law No. (13) of 2016 Concerning the Protection of Personal Data. In case of conflict with the Terms regarding data protection, this DPA prevails.

13. Contact

Data protection: privacy@sanady.care