Last updated: May 21, 2026
This DPA forms part of the Terms & Conditions between the clinic ("Customer") and Infinia Care ("Infinia") and governs the processing of personal data carried out by Infinia on the Customer's behalf.
The Customer (clinic / branch) is the data controller and determines the purposes and means of processing. Infinia acts as the data processor and processes personal data only on behalf of, and under the documented instructions of, the Customer.
Infinia processes personal data only:
Infinia will not process personal data for its own purposes or sell it, and will inform the Customer if an instruction appears to infringe applicable data protection law.
Infinia ensures that any person authorised to process personal data is bound by an obligation of confidentiality and processes the data only as instructed.
Infinia implements appropriate technical and organisational measures, including: encryption in transit (TLS) and at rest; row-level security (RLS) isolating each branch's data; role-based access control; least-privilege access; logging and monitoring; and regular review of safeguards appropriate to the risk.
The Customer authorises Infinia to engage sub-processors to deliver the Service:
Infinia imposes data-protection obligations on each sub-processor no less protective than this DPA, remains liable for their performance, and gives prior notice of any new or replacement sub-processor with a reasonable opportunity to object.
Infinia will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's data, and provide information reasonably necessary for the Customer to meet its own notification obligations.
On termination or expiry, Infinia will, at the Customer's choice, delete or returnall personal data processed on the Customer's behalf and delete existing copies within 30 days — except where retention is required by law. Backups are purged on their normal rotation cycle (30–90 days).
Infinia will make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Customer or its mandated auditor, subject to reasonable notice, confidentiality, and frequency limits.
Personal data is hosted in the region selected for the Customer's project. Infinia will not transfer it outside that region except as necessary to provide the Service and with appropriate safeguards required by applicable law (including Qatar Law No. (13) of 2016 Concerning the Protection of Personal Data).
Taking into account the nature of processing, Infinia will assist the Customer with data-subject requests (access, correction, deletion), data protection impact assessments, and consultations with the competent authority.
Access to the Customer's personal data is restricted to authorised Infinia personnel on a need-to-know basis, enforced through role-based access control and least-privilege principles, and is logged. Within the Customer's own organisation, access to patient data is governed by the Service's roles (Supervisor, Specialist) and row-level security.
This DPA is governed by the laws of the State of Qatar, including Law No. (13) of 2016 Concerning the Protection of Personal Data. In case of conflict with the Terms regarding data protection, this DPA prevails.
Data protection: privacy@sanady.care