DATA PROCESSING AGREEMENT

I. INTRODUCTION AND PURPOSE

This Data Processing Agreement ("DPA") is entered into between Moana Digital Health Pty Ltd (ACN 694 101 052 / ABN 41 694 101 052) ("Moana"), and the Client identified in the Master Services Agreement ("MSA"). This DPA forms Schedule C to the MSA and is incorporated by reference. In the event of any conflict between the MSA and this DPA regarding the processing of personal data, this DPA prevails.

This DPA is made in accordance with Moana's obligations under: Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles; the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act; applicable health records legislation in deployment jurisdictions; and equivalent international data protection frameworks.

II. DEFINITIONS

In this DPA, the following terms supplement the definitions in the MSA:

Australian Privacy Laws: The Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme, and all state/territory health records legislation applicable to the Client's operations.

Data Controller: The Client, who determines the purposes and means of processing Personal Data.

Data Processor: Moana, which processes Personal Data on behalf of the Client pursuant to this DPA.

Data Protection Laws: All applicable laws relating to the processing, privacy, and protection of personal data in relevant jurisdictions, including: the Privacy Act 1988 (Cth); GDPR (where applicable); Pacific Island data protection laws (including the Fiji Information Act, Papua New Guinea Privacy Act where applicable, and equivalent legislation); CCPA/CPRA (where applicable); and any other applicable national, regional, or state privacy law.

Data Subject: Any identified or identifiable natural person whose Personal Data is processed under this DPA, including patients, healthcare professionals, and administrative staff.

DPIA: A Data Protection Impact Assessment conducted in accordance with Article 35 GDPR or an equivalent requirement.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council and, where applicable, the UK GDPR.

Health Data: Personal Data concerning a Data Subject's physical or mental health, including clinical records, diagnostic results, treatment history, prescriptions, and related clinical data, constituting Special Category Data under Article 9 GDPR.

NDB Scheme: The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), requiring notification of eligible data breaches to the OAIC and affected individuals.

OAIC: The Office of the Australian Information Commissioner, the primary Australian data protection supervisory authority.

Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

Processing: Any operation performed on Personal Data, whether automated or manual, including collection, storage, retrieval, use, disclosure, or deletion, consistent with Article 4(2) GDPR.

ROPA: Record of Processing Activities, as required by Article 30 GDPR.

SCCs: The Standard Contractual Clauses for international data transfers adopted by the European Commission (Decision 2021/914/EU).

Special Category Data: Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data (for identification), health data, or data concerning sex life or sexual orientation, as defined under Article 9(1) GDPR.

Sub-processor: Any third party engaged by Moana to process Personal Data on Moana's behalf.

III. ROLES AND RESPONSIBILITIES

3.1 Data Controller

The Client is the Data Controller and is solely responsible for: (a) determining the lawful basis for collecting and processing Patient Data and Health Data; (b) obtaining all necessary consents, authorisations, and approvals from Data Subjects as required by applicable Data Protection Laws; (c) responding to Data Subject rights requests; (d) ensuring the accuracy of Personal Data submitted to the Platform; (e) complying with all Data Controller obligations under applicable Data Protection Laws; and (f) conducting DPIAs where required.

3.2 Data Processor

Moana is the Data Processor and will process Personal Data only: (a) on documented instructions from the Client as set out in this DPA and the MSA; (b) as required by applicable law (in which case Moana will inform the Client before processing unless prohibited by law); and (c) for no other purpose.

3.3 DPIA Support

Moana will, upon reasonable written request, provide the Client with reasonable information and assistance necessary for the Client to conduct DPIAs with respect to processing activities performed on the Platform. Moana will promptly notify the Client if, in Moana's assessment, a processing instruction is likely to require a DPIA.

IV. PROCESSING DETAILS

Subject Matter: Provision of electronic medical records, health information management, clinical workflow management, and health data interoperability services via the Platform.

Duration: For the Term of the MSA and any applicable retention periods required by applicable law.

Nature of Processing: Collection, storage, retrieval, display, transmission, sharing with authorised clinicians, integration with third-party health systems, and secure deletion of Personal Data via cloud-based and offline Platform infrastructure.

Purpose of Processing: To enable the Client's healthcare operations including patient registration, clinical documentation, diagnostics integration, prescription management, laboratory and imaging workflows, multi-facility management, and health reporting.

Data Categories: Health Data and Special Category Data (clinical records, diagnoses, prescriptions, lab results, imaging data); PII (name, DOB, contact details, national health identifiers); Authentication data (credentials, biometrics); Administrative data (staff records, access logs, audit trails).

Data Subject Categories: Patients (registered and unregistered), healthcare professionals, clinical staff (doctors, nurses, allied health), administrative personnel, and any other individuals whose data is submitted to the Platform by the Client.

Governing Privacy Laws: Privacy Act 1988 (Cth), Australian Privacy Principles, Notifiable Data Breaches scheme; applicable Pacific Island privacy laws (Fiji, PNG, Solomon Islands, Vanuatu, Samoa, Tonga, Kiribati — as applicable); GDPR / UK GDPR (where EU/UK Data Subjects are involved); CCPA/CPRA (where California residents are involved).

V. SECURITY OBLIGATIONS

5.1 Technical Security Measures

Moana implements and maintains the following technical security measures:

• AES-256 encryption of all Personal Data at rest within AWS S3 and database storage

• TLS 1.2 or higher encryption for all Personal Data in transit

• AWS Key Management Service (KMS) for encryption key lifecycle management

• Multi-factor authentication (JWT, OTP, biometric, PIN) for all Platform access

• Role-based access control (RBAC) with principle of least privilege

• Automated security event logging, monitoring, and alerting

• Intrusion detection and prevention systems

• Vulnerability scanning and regular third-party penetration testing

• Secure software development lifecycle (SDLC) including code reviews and security testing

• AWS-signed URLs for time-limited secure access to stored files

• CORS configuration and input validation pipelines to prevent injection attacks

5.2 Organisational Security Measures

• Formal Information Security Policy, reviewed and updated annually

• Mandatory security awareness training for all personnel with access to Personal Data

• Background checks for personnel in roles with access to Personal Data (where permitted by law)

• Confidentiality obligations in all employment contracts and contractor agreements

• Documented incident response and data breach notification procedures

• Annual BCDR plan testing with documented results available to clients on request

• Periodic review and update of the ISMS aligned to ISO/IEC 27001

5.3 Health Data Controls

Moana applies additional controls for Health Data and Special Category Data, including: (a) enhanced access logging for any access to Health Records; (b) separation of Health Data from other data categories at the storage layer; (c) minimum access time windows for administrative access to Health Data; and (d) clinical data access restricted to Authorised Users with verified professional roles.

VI. SUB-PROCESSORS

6.1 Authorised Sub-processors

The Client authorises Moana to engage the following sub-processors:

Amazon Web Services (AWS)
Purpose: Cloud infrastructure, storage (S3), computing, CDN (CloudFront), KMS
Location: Global (primary: ap-southeast-2 Sydney)
Certifications: ISO 27001, SOC 2 Type II, HIPAA BAA available

[Additional sub-processors]
Purpose: To be specified per deployment
Location: TBD
Certifications: To be specified

6.2 New Sub-processors

Moana will provide thirty (30) days' advance written notice before engaging new sub-processors that will process Personal Data. Where the Client reasonably objects on data protection grounds and the Parties cannot resolve the objection within thirty (30) days, the Client may terminate the affected Order Form without penalty.

6.3 Sub-processor Obligations

Moana will ensure all sub-processors are bound by data processing agreements imposing obligations at least equivalent to those in this DPA. Moana remains fully liable to the Client for sub-processors' acts and omissions in relation to Personal Data.

6.4 Sub-processor Chains

Where a sub-processor engages further sub-processors ("downstream sub-processors"), Moana will ensure each is bound by equivalent data protection obligations and Moana assumes full liability for their compliance. Moana will maintain an up-to-date register of all sub-processors and downstream sub-processors processing Client Data.

VII. DATA SUBJECT RIGHTS

Moana will provide the Client with timely and reasonable technical and operational assistance to enable the Client to fulfil its obligations to respond to Data Subject rights requests, including requests for:

• Access — providing the Client with the ability to extract and review Personal Data held for a specific Data Subject

• Rectification — enabling the Client to correct inaccurate or incomplete Personal Data

• Erasure — enabling the Client to delete or anonymise Personal Data subject to applicable legal retention obligations

• Restriction — enabling the Client to flag and restrict processing of disputed data

• Portability — exporting Personal Data in FHIR R4-compliant structured format

• Objection — enabling the Client to suspend automated processing for specific Data Subjects

Moana will promptly forward any Data Subject requests received directly by Moana to the Client and will not respond to Data Subjects directly without the Client's prior written authorisation. Moana will provide assistance within timeframes that enable the Client to respond within applicable legal deadlines (30 days under GDPR; 45 days under CPRA; 30 days under the Privacy Act).

VIII. PERSONAL DATA BREACH NOTIFICATION

8.1 Notification to Client

Upon becoming aware of a confirmed or suspected Personal Data Breach, Moana will notify the Client without undue delay and within seventy-two (72) hours. Notification will include, to the extent then available: (a) nature and scope of the breach; (b) categories and approximate number of Data Subjects and records affected; (c) likely consequences; (d) measures taken or proposed; and (e) Moana's dedicated data breach contact details.

8.2 NDB Scheme Compliance

Where a Personal Data Breach may constitute an "eligible data breach" under Part IIIC of the Privacy Act 1988 (Cth) (the NDB Scheme), Moana will: (a) cooperate with the Client in assessing whether the breach is notifiable; (b) provide all information required by the Client to prepare notifications to the OAIC and affected individuals; and (c) implement containment and remediation measures as directed by the Client.

8.3 Pacific Jurisdiction Breach Notification

For deployments in Pacific Island nations where specific breach notification laws apply (including Fiji's Electronic Transactions Act and any applicable health data security regulations), Moana will provide equivalent cooperation in preparing regulatory notifications. Where no specific notification framework exists in a jurisdiction, Moana will apply the standards of the Australian NDB scheme as a minimum.

8.4 Client Notification Responsibility

The Client is solely responsible for determining whether and when to notify Data Subjects and regulatory authorities. Moana's notification to the Client does not constitute a determination that notification is required.

IX. CROSS-BORDER DATA TRANSFERS

9.1 Transfer Safeguards

Where Personal Data is transferred to a jurisdiction that does not provide equivalent data protection, Moana will ensure transfers are covered by appropriate safeguards including:

• Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU) — for transfers from EU/EEA jurisdictions

• UK International Data Transfer Agreement (IDTA) — for transfers from the United Kingdom

• Data Transfer Agreement consistent with the Privacy Act 1988 (Cth) — for transfers from Australia

• Equivalent mechanisms under applicable Pacific Island or other national laws

9.2 Data Localisation

Where an Order Form specifies a particular data residency requirement (e.g., all data to remain within a named country), Moana will use commercially reasonable efforts to implement that requirement. Data localisation commitments must be expressly agreed in writing in the applicable Order Form, as they may affect Platform availability, performance, and pricing.

9.3 Government Access

Moana will not disclose Personal Data to any government authority or law enforcement agency except as required by a binding legal obligation. Where legally permissible, Moana will promptly notify the Client of any such request prior to disclosure.

X. RECORD OF PROCESSING ACTIVITIES

Moana will maintain, on behalf of the Client with respect to processing performed on the Platform, a Record of Processing Activities (ROPA) as required by Article 30(2) GDPR. The ROPA will include: (a) contact details of the Data Processor; (b) categories of processing carried out on behalf of each Client; (c) international transfers and safeguards; and (d) a general description of technical and organisational security measures. Moana will make the ROPA available to the Client and relevant supervisory authorities on request.

XI. DATA RETENTION AND DELETION

11.1 Retention During Term

Moana will retain Client Data for the duration of the MSA. Moana will not delete Client Data during the Term without the Client's instruction, except as required by law.

11.2 Post-Termination

Following termination: (a) Client Data will be available for export for thirty (30) days; (b) after that period or upon the Client's earlier written instruction, Moana will securely delete all Client Data using industry-standard data destruction methods (NIST SP 800-88 or equivalent); and (c) Moana will provide written certification of deletion within thirty (30) days of completion.

11.3 Health Records Retention

The Parties acknowledge that applicable health records legislation in various deployment jurisdictions prescribes minimum retention periods for health records. By way of example: (a) Australia — Health Records Act 2001 (Vic) and equivalent state/territory legislation generally require retention of adult records for 7 years; (b) PNG and other Pacific jurisdictions may have specific health records regulations. The Client is responsible for ensuring that its retention instructions comply with all applicable health records legislation. Moana's deletion obligations are subject to any lawful retention instruction from the Client.

11.4 Legal Hold

Notwithstanding the above, either Party may issue a legal hold instruction requiring preservation of specific data in connection with actual or reasonably anticipated litigation or regulatory investigation. Moana will comply with any such instruction from the Client and will notify the Client of any legal hold obligation imposed on Moana by law.

XII. AUDIT AND COMPLIANCE

Moana will: (a) maintain all records necessary to demonstrate compliance with this DPA; (b) make such records available to the Client and relevant supervisory authorities on reasonable request; (c) cooperate with audits conducted in accordance with Clause XIII of the MSA; (d) promptly inform the Client if any Client instruction infringes applicable Data Protection Laws; and (e) notify the Client of any request or inquiry from a supervisory authority in relation to the Client's Personal Data.

XIII. CONTACT

Data Processor (Moana): Moana Digital Health Pty Ltd

ACN / ABN: ACN 694 101 052 / ABN 41 694 101 052

Registered Office: St Kilda Road, Melbourne, Victoria 3004, Australia

Data Protection Contact: contact@moanadigitalhealth.com

Website: moanadigitalhealth.com