Data Processing Agreement

Kairo GP Practice Management System

Effective Date: 1 February 2026

Operated by: Medpro Essentials Ltd

This Data Processing Agreement (“DPA”) forms part of the agreement between the GP Practice (“Controller”) and Medpro Essentials Ltd (Company Number: 16569098), registered in England and Wales, trading as Kairo (“Processor”), and sets out the terms on which Kairo processes personal data on behalf of the Practice. This DPA complies with UK GDPR, the Data Protection Act 2018, and the Zimbabwe Data Protection Act.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Patient Data” means personal data and protected health information relating to patients of the Practice
  • “Processing” means any operation performed on personal data including collection, storage, use, and deletion
  • “Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data

2. Scope of Processing

Kairo processes, on behalf of the Practice, the categories of personal data detailed in the Privacy Policy.

3. Kairo's Obligations as Processor

Kairo agrees to:

  • Process personal data only on documented instructions from the Practice, as set out in the Terms & Conditions and this DPA
  • Ensure all Kairo staff with access to Practice data are bound by confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures including: bcrypt password hashing, JWT authentication, role-based access control, device fingerprinting and approval, SSL/TLS encryption in transit, multi-tenant data isolation via practiceId scoping
  • Not engage sub-processors without the Practice's knowledge; current sub-processors are listed in the Privacy Policy (Twilio, SMTP provider, PostgreSQL)
  • Assist the Practice in responding to data subject rights requests within legally required timeframes
  • Notify the Practice of a data breach within 72 hours of becoming aware of it
  • Delete or return all personal data upon termination of the subscription, at the Practice's choice, within 30 days
  • Make available all information necessary to demonstrate compliance with this DPA

4. Practice's Obligations as Controller

The Practice agrees to:

  • Ensure there is a lawful basis for processing patient personal data within Kairo
  • Obtain appropriate patient consent for data collection and processing
  • Maintain and publish its own Privacy Notice to patients referencing Kairo as a data processor
  • Ensure staff are trained on data protection obligations when using Kairo
  • Manage device approvals and promptly revoke access for departing staff
  • Notify Kairo immediately of any suspected data breach or security incident
  • Ensure billing PIN access control is managed appropriately

5. Security Measures

Kairo maintains the following security controls:

5.1 Access Controls

  • JWT-based authentication with 7-day token expiry
  • Seven defined staff roles with role-based access enforcement
  • Device registration, fingerprinting, and mandatory admin approval before access
  • Billing PIN protection (bcrypt hashed) for financial data
  • Three-layer security: JwtAuthGuard, RolesGuard, DeviceGuard
  • Super Admin accounts with 2FA support and separate authentication

5.2 Data Isolation

  • All patient and practice data scoped by practiceId at every database query
  • Service layer enforces practiceId from authenticated JWT on all operations
  • No cross-practice data access except by authorised Super Admins
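As an illustration added to this clause (example code, not Kairo's own implementation), the practiceId scoping described in 5.2 can be enforced by deriving the tenant from the verified JWT claims and never from the request; the role names, claim layout and sample records are assumptions.

```typescript
// Added illustration, not Kairo's code: practiceId comes from the verified
// token, and a client-supplied practiceId that disagrees is refused.

type Role = "SUPER_ADMIN" | "STAFF"; // assumed role names, not Kairo's

// Claims as they would look after the JWT signature has been verified.
interface Principal {
  sub: string;
  practiceId: string;
  role: Role;
}

interface Patient {
  id: string;
  practiceId: string;
  name: string;
}

// Constructed sample data spanning two practices.
const PATIENTS: Patient[] = [
  { id: "p1", practiceId: "practice-A", name: "Alice" },
  { id: "p2", practiceId: "practice-A", name: "Bob" },
  { id: "p3", practiceId: "practice-B", name: "Carol" },
];

// Resolve the tenant scope for a request. Ordinary staff are always pinned to
// the practiceId in their token; a requested practiceId that differs is an
// error, not a filter. Only a Super Admin may name another practice.
function resolveScope(principal: Principal, requested?: string): string {
  if (principal.role === "SUPER_ADMIN") {
    return requested ?? principal.practiceId;
  }
  if (requested !== undefined && requested !== principal.practiceId) {
    throw new Error("cross-practice access denied");
  }
  return principal.practiceId;
}

// Every read goes through the scoped filter; there is no unscoped variant.
function findPatients(principal: Principal, requested?: string): Patient[] {
  const scope = resolveScope(principal, requested);
  return PATIENTS.filter((p) => p.practiceId === scope);
}
```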

5.3 Encryption

  • Passwords and PINs stored as bcrypt hashes — never in plain text
  • Data in transit protected by SSL/TLS, using certificates issued by Let's Encrypt and terminated by Nginx
  • Encryption of the database at rest depends on the hosting infrastructure's configuration

6. Sub-Processors

Kairo currently uses sub-processors that may process Practice data; the current sub-processors are listed in clause 3 above. Full details are available in the Privacy Policy.

7. Data Breach Procedure

In the event of a confirmed or suspected data breach:

  • Kairo will notify the affected Practice within 72 hours
  • Notification will include: nature of the breach, approximate number of records affected, likely consequences, and measures taken or proposed
  • Kairo will cooperate fully with any investigation and provide all relevant information
  • The Practice is responsible for notifying its patients and the relevant authorities as required by the Zimbabwe Data Protection Act
  • Kairo will maintain a record of all data breaches regardless of whether notification was required

8. Audit Rights

The Practice may request evidence of Kairo's compliance with this DPA, including:

  • Security policy documentation
  • Records of sub-processor agreements
  • Evidence of security control implementation

Audit requests should be submitted in writing to the contact details below. Kairo may charge a reasonable fee for extensive audit support.

9. Duration & Termination

This DPA is effective for the duration of the subscription agreement. Upon termination, Kairo will delete all Practice data within 30 days unless a longer retention period is required by law. A deletion confirmation will be provided in writing.

10. Governing Law

This DPA is governed by the laws of England and Wales. Medpro Essentials Ltd is incorporated in England and Wales (Company Number: 16569098). The parties agree to the exclusive jurisdiction of the courts of England and Wales for any disputes arising from this DPA.

11. Contact