Data Processing Addendum

1. Roles under GDPR

For the purposes of GDPR:

• The User (Clinic / Professional) acts as the Data Controller
• The Application Provider acts as a Data Processor only when transient data is processed during cloud operations

2. Nature of Data Processing

The application may temporarily process the following categories of data:

• File names (which may include patient identifiers)
• Folder and directory structures
• Operational commands (rename, delete, move, list operations)

No medical content, images, or files are stored or retained.

3. Purpose of Processing

Data is processed solely for the purpose of:

• Enabling file management operations
• Relaying requests between the user and Microsoft Graph API
• Supporting integration with third-party storage services

No other purposes (analytics, profiling, advertising) are used.

4. Data Storage

• No personal data is stored on application servers
• No database of user or patient data exists
• All data is processed in memory only and discarded immediately after processing

5. Sub-processors

The following sub-processors may be involved:

• Microsoft (OneDrive, Graph API, Azure AD)

These providers operate under their own GDPR-compliant frameworks.

6. Data Transfers

If data is processed, it may be transmitted to:

• Microsoft cloud infrastructure (as part of OneDrive operations)

No other third-country transfers are performed by the application.

7. Security Measures

The application implements:

• Encryption in transit (TLS)
• OAuth-based authentication
• Stateless backend architecture
• No persistent storage of personal data

8. Data Retention

We do not retain personal data.

All transient processing occurs only during active requests and is immediately discarded.

9. Data Subject Rights Support

Since we do not store personal data, requests for:

• Access
• Rectification
• Erasure

should be directed to the data controller (the clinic / user organization) or Microsoft where applicable.