Routiq executes a Data Processing Agreement (DPA) with every subscribing clinic. The DPA governs how we process personal and health information on your behalf under the Privacy Act 1988 (Cth), the Australian Privacy Principles, and applicable state health-records legislation.
01 Scope
What the DPA covers
- Parties, roles and definitions (Routiq as Processor; Customer as Controller)
- Scope and purpose of processing
- Types of personal and health information involved
- Subprocessor approval, register, and notice rights
- Security obligations (encryption in transit and at rest, access controls, logging, OWASP ASVS annual self-assessment)
- Data residency (primary database Australia; disclosed cross-border flows with contractual protections)
- Breach-notification timelines and cooperation
- Right-to-audit
- Certification roadmap (dated commitments embedded contractually)
- Data retention, export and deletion on termination
- International-transfer mechanisms (Standard Contractual Clauses where applicable)
- Liability, indemnity, governing law (New South Wales, Australia)
02 Request
Request the DPA
We’ll send you our current DPA template within 1 business day. If you’d like to propose amendments, we can turn around redlines same-day for most requests.
The full text of an executed DPA is shared with the signing Customer at execution.