Data Processing Agreement (DPA)

1. PARTIES

Controller (the “Customer”):

The legal entity or self-employed professional that has entered into the Praxxos Terms of Service or an Order Form with Praxxos, identified in such Order Form or Account registration.

Processor (“Praxxos”):

Praxxos Technologies, S.L., a Spanish company with registered office at C/ Antoni Jaume, 2, 1ª Planta 1, 07800 Eivissa (Ibiza), Illes Balears, Spain, Spanish Tax ID (NIF/CIF) B88768882, inscribed at the Commercial Registry of Eivissa (Ibiza), sheet IB-23361, Electronic Folio IRUS 100KM74747678.

The Customer and Praxxos are individually referred to as a “Party” and together as the “Parties”.

2. BACKGROUND AND INCORPORATION

The Customer has subscribed to or is using the Praxxos service (the “Service”) under the Praxxos Terms of Service (the “Agreement”). In connection with the Service, Praxxos processes personal data on behalf of the Customer. This Data Processing Agreement (the “DPA”) governs that processing in accordance with Article 28 GDPR and applicable Spanish data protection law, in particular Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).

This DPA is incorporated by reference into the Agreement and forms an integral part of it. In the event of conflict between the Agreement and this DPA in relation to the processing of personal data, this DPA prevails.

3. DEFINITIONS

Capitalised terms not defined herein have the meaning given in the Agreement or in GDPR. In particular, “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Supervisory Authority” have the meanings given in Article 4 GDPR, and “Sub-processor” means another processor engaged by Praxxos, in accordance with Article 28(2) and 28(4) GDPR, to carry out specific processing activities on behalf of the Customer.

“Customer Personal Data” means Personal Data processed by Praxxos on behalf of the Customer in connection with the Service, including health-related data of Patients.

“Patient” means a natural person whose Personal Data is processed by the Customer using the Service, including for clinical, scheduling and administrative purposes.

4. SUBJECT MATTER AND DETAILS OF PROCESSING

The subject matter, duration, nature, purpose, type of Personal Data and categories of Data Subjects are set out in Annex A.

5. ROLES AND COMPLIANCE

5.1 Roles

The Customer is the Controller of Customer Personal Data. Praxxos is the Processor.

5.2 Customer responsibilities

The Customer warrants that:

5.3 Praxxos undertakings

Praxxos undertakes to process Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, except where required by EU or Member State law to which Praxxos is subject (in which case Praxxos shall, where lawful, inform the Customer of that legal requirement before processing).

The Agreement, this DPA, and the Customer's use of the Service constitute the Customer's documented instructions. If Praxxos considers that an instruction infringes GDPR or other EU or Member State data protection law, it shall immediately inform the Customer.

6. CONFIDENTIALITY

Praxxos shall ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to what is necessary for the performance of the Service.

7. SECURITY OF PROCESSING

Praxxos shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex C, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

8. SUB-PROCESSORS

8.1 Authorisation

The Customer grants Praxxos general written authorisation to engage Sub-processors to carry out specific processing activities on its behalf. The current list of Sub-processors is set out in Annex B and is also kept up to date in the Service or made available on request.

8.2 Changes

Praxxos shall inform the Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, giving the Customer the opportunity to object on reasonable grounds related to data protection. If the Customer reasonably objects and the Parties cannot agree on a solution, the Customer may terminate the affected portion of the Service without penalty.

8.3 Obligations on Sub-processors

Praxxos shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. Praxxos remains fully liable to the Customer for the performance of each Sub-processor's obligations.

9. INTERNATIONAL TRANSFERS

Praxxos shall not transfer Customer Personal Data outside the European Economic Area unless an adequate level of protection is ensured, in particular through:

Where the European Commission's Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR are used, the Parties agree to enter into them as required and to implement supplementary measures where necessary, following a transfer impact assessment.

10. ASSISTANCE TO THE CONTROLLER

10.1 Data subject rights

Taking into account the nature of the processing, Praxxos shall assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).

If Praxxos receives a request directly from a Data Subject relating to Customer Personal Data, Praxxos shall forward it to the Customer without undue delay and shall not respond directly unless authorised to do so.

10.2 Other obligations

Praxxos shall assist the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of processing and the information available to Praxxos.

11. PERSONAL DATA BREACHES

Praxxos shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event within seventy-two (72) hours of becoming aware. The notification shall, to the extent reasonably available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all of this information at the same time, Praxxos shall provide it in phases without undue further delay, so that the Customer is able to meet its own notification deadline under Article 33(1) GDPR.

Praxxos shall reasonably cooperate with the Customer in investigating and remediating the breach.

12. AUDIT AND INFORMATION

Praxxos shall make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA. On reasonable prior written notice, and no more than once per calendar year (unless following a Personal Data Breach or where required by a Supervisory Authority), the Customer may, at its own expense, carry out an audit of Praxxos's compliance, conducted during business hours, subject to confidentiality obligations and without undue disruption to Praxxos's operations. Praxxos may satisfy audit obligations by providing recognised third-party certifications or audit reports (e.g., ISO 27001, SOC 2) where available.

13. RETURN AND DELETION OF DATA

Upon termination of the Service, at the choice of the Customer, Praxxos shall return all Customer Personal Data to the Customer or delete it, and delete existing copies, unless EU or Member State law requires storage of the Personal Data. The Customer may request return of its data in a structured, commonly used and machine-readable format within thirty (30) days of termination. Once that period has expired, Praxxos shall securely delete the Customer Personal Data within ninety (90) days, subject to legal retention obligations.

Backups containing Customer Personal Data are not deleted individually; they expire and are overwritten in accordance with Praxxos's standard backup rotation cycle and the defined backup retention period referred to in Annex C. Until they expire, such backups remain subject to the security and confidentiality obligations of this DPA.

14. LIABILITY

Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except where GDPR requires otherwise. Nothing in this DPA limits a Data Subject's rights to compensation under Article 82 GDPR.

15. TERM AND TERMINATION

This DPA enters into force on the effective date of the Agreement and remains in force for as long as Praxxos processes Customer Personal Data. The obligations relating to confidentiality, return/deletion, audit and liability survive termination.

16. GOVERNING LAW AND JURISDICTION

This DPA is governed by the laws of Spain. Any dispute is subject to the exclusive jurisdiction of the courts agreed in the Agreement.

ANNEX A — DETAILS OF PROCESSING

Subject matter: Processing of personal data necessary for Praxxos to provide the Service to the Customer.

Duration: For the duration of the Subscription Term, plus any retention period set out in this DPA.

Nature and purpose: Hosting, storing, transmitting, displaying and otherwise processing Customer Personal Data to enable the features of the Service, including online booking, patient record management, appointment scheduling, automated reminders, billing support, analytics for the Customer's clinic, and customer support.

Type of personal data: Identification data (name, surname), contact data (email, phone, address), appointment data, demographic data (date of birth, gender), health-related data (clinical notes, treatment history, conditions reported by the patient), billing data, communication data with the Customer's clinic, and any other data the Customer chooses to record in the Service.

Categories of data subjects: Patients of the Customer's clinic, the Customer's Authorised Users, and any other natural persons whose data the Customer chooses to record.

Special category data: YES. Health data within the meaning of Article 9(1) GDPR may be processed. The Customer must ensure a valid condition for processing under Article 9(2) GDPR (typically Article 9(2)(h)) and applicable national law.

Obligations and rights of the Customer: As set out in this DPA, the Terms of Service, and GDPR.

ANNEX B — AUTHORISED SUB-PROCESSORS

The following sub-processors are engaged by Praxxos to support the provision of the Service. The list is current as of the date of this DPA; an up-to-date version is made available in the Service or on request.

To be confirmed and finalised before launch with the actual list of providers.

ANNEX C — TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

Encryption in transit: TLS 1.2 or higher for all connections to the Service. Internal traffic between core services is encrypted.

Encryption at rest: Disk-level encryption on the hosting infrastructure. Sensitive fields are additionally encrypted at application level where applicable.

Access control: Role-based access control (RBAC), unique user accounts, strong password requirements, multi-factor authentication available, and the least-privilege principle applied to staff access.

Network security: Network segmentation, firewall rules, intrusion detection, and regular vulnerability scans.

Backups: Regular automated backups, encrypted, retained for a defined period and periodically tested for restorability.

Logging and monitoring: Application and infrastructure logs retained for security and audit purposes, with monitoring and alerting on anomalies.

Pseudonymisation / anonymisation: Used where compatible with the purposes of processing (e.g., analytics).

Personnel: Confidentiality undertakings, security awareness training, and background checks where applicable.

Sub-processor management: Due diligence prior to onboarding, written contracts imposing GDPR-compliant obligations, and regular review.

Incident response: Documented incident response procedure, breach notification process, and lessons-learned reviews.

Business continuity: Disaster recovery plan, redundancy of critical components, and periodic testing.

Data deletion: Defined retention and deletion procedures, with secure deletion at the end of the contract.