Terms of Use

Data Processing Agreement

Introduction

This appendix (the “Data Processing Agreement”) regulates the rights and obligations between the Data Controller and the Data Processor when the Data Processor processes personal data on behalf of the Data Controller in connection with the provision of the Mednotes service.

The agreement is designed to ensure compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation/GDPR).

This data processing agreement includes three appendices:

• Details of the processing of personal data
• Security measures
• Sub-processors

Parties to the agreement

The Customer is the Data Controller and is responsible for the processing of personal data, including ensuring that personal data is processed in accordance with applicable regulations and with adequate protection.

Carenode AS is the Data Processor, and processes personal data on behalf of the Data Controller in connection with the provision of the Mednotes service.

Purpose

The purpose of processing all data, including personal data and business-related information, is to deliver a service that simplifies clinical documentation for the Data Controller. This is described in more detail in Appendix A.

All data processed through Mednotes, including personal data and information related to patient consultations, is treated confidentially and with high information security requirements. This also includes any strategic, professional or patient-related information shared by the Customer in connection with use of the Service.

Data Controller's obligations and rights

The Data Controller confirms the following:

• There is a sufficient legal basis for the processing of personal data.
• The Data Controller has the right and responsibility to lawfully transfer personal data to the Data Processor.
• The Data Controller is responsible for the accuracy, completeness, content, lawfulness and reliability of the personal data being processed.
• The Data Controller has informed data subjects in accordance with applicable legislation.
• The Data Controller shall ensure that personal data is processed in accordance with GDPR, handle requests from data subjects, and implement sufficient technical and organisational measures to protect personal data in accordance with Article 32 of the GDPR.
• The Data Controller is obliged to notify the Data Protection Authority and, where applicable, the data subjects without undue delay if a breach of personal data security occurs, in accordance with applicable regulations.
• The Data Controller shall not register or store personal data beyond what is necessary for the defined purpose.

Data Processor's obligations and rights

• The Data Processor does not own the personal data, but processes it on behalf of the Data Controller, as regulated in this data processing agreement.
• The Data Processor shall secure personal data both technically and organisationally in accordance with Article 32 of the GDPR. This includes conducting risk and vulnerability assessments that form the basis for internal procedures and security measures.
• The Data Processor confirms that all persons authorised to process personal data are subject to a duty of confidentiality.
• The Data Processor shall, upon request, assist the Data Controller in fulfilling its obligations under data protection legislation, including Chapter III and Articles 32–36 of the GDPR. The Data Processor shall also assist the Data Controller by making necessary documentation available to demonstrate compliance with Article 28, including in the event of any audits or inspections. All such assistance shall be provided upon written request and invoiced on a time-spent basis.
• The Data Processor shall notify the Data Controller without undue delay if there is a breach of personal data security, or suspicion of such a breach.
• The Data Processor shall immediately inform the Data Controller if it receives instructions that the Data Processor believes are in breach of the GDPR or other applicable data protection legislation.

Processing of audio recordings and clinical data

Audio recordings are processed solely for the purpose of transcribing and generating clinical notes for the practitioner. Transcriptions and clinical notes are stored temporarily in infrastructure provided by Carenode AS and are automatically deleted after 24 hours.

The data is never used for analysis, machine learning or other purposes beyond what is necessary to deliver the service to the user.

Data location and transfers

All audio data, transcriptions and clinical notes are processed and stored exclusively within the EU/EEA. Mednotes never transfers such data outside the EU/EEA.

Security

The Data Processor's security measures are described in Appendix B. The Data Processor may make ongoing changes to its security measures without prior notice, provided that such changes do not reduce the overall level of security described in Appendix B.

Data processing and security

• Audio recordings and associated transcribed data are encrypted in transit (TLS) and stored temporarily in encrypted form (AES-256) in the database.
• Audio files are deleted immediately after transcription is completed.
• Transcriptions, clinical notes and any referrals are stored for up to 24 hours in our database (hosted in the EU) before being automatically and permanently deleted.
• No data is used for machine learning, analysis or purposes other than delivery of the service.

Sub-processors

By entering into this data processing agreement, the Data Controller grants Carenode AS a general authorisation to use sub-processors in connection with the delivery of the Mednotes service.

Carenode AS undertakes to enter into separate data processing agreements with all sub-processors in accordance with the requirements of GDPR Article 28, and to ensure that they impose equivalent requirements for information security and data processing as described in this agreement.

If material changes occur – for example, a new sub-processor gains access to personal data, data is processed in a new geographical area, or the purpose of the processing changes – the Data Controller will be notified at least 30 days in advance. The Data Controller may then choose to terminate the agreement with 30 days' written notice if the change is not accepted.

Changes that do not entail material consequences for privacy (for example, switching to a new provider with equivalent function, location and security level) may be implemented without prior notice, but will be documented and appear in the updated list of sub-processors.

Audits and inspections

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the requirements of GDPR Article 28 and this agreement.

The Data Processor shall also allow and contribute to audits, including inspections, carried out by the Data Controller or a third party appointed by the Data Controller. Such audits shall be notified within a reasonable time and carried out in a manner that minimises disruption to the Data Processor's normal operations.

Termination

Upon termination of this agreement, the Data Processor shall, at the Data Controller's choice, either:

• delete all personal data processed on behalf of the Data Controller, or
• return all personal data and then delete existing copies, unless storage is required under EEA or national legislation.

Confirmation that deletion has been carried out shall, upon request, be documented in writing.

Appendix A: Details of the processing of personal data

A.1 Purpose

The purpose of the Data Processor's processing of personal data on behalf of the Data Controller is to simplify and streamline the writing of clinical notes following consultations between practitioner and patient. The conversation between practitioner and patient is transcribed and structured into a finished clinical note that can be used as the basis for documentation in the record system.

A.2 Nature of processing

Audio recordings from a consultation or subsequent dictation are made by the practitioner. The audio recording is transcribed into text through a dedicated transcription service. The text is then processed by a language model to generate a structured clinical note. Both the transcription and the clinical note are made available to the user for 24 hours before automatic deletion. The audio file is deleted immediately after transcription.

A.3 Types of personal data processed

Information that emerges during the consultation or dictation, which may include:

• Symptom descriptions, findings, assessments and recommendations.
• Health data (special categories of personal data under GDPR Art. 9).
• Other information that may emerge during the consultation.

Note: Mednotes never processes directly identifying information (such as names or national identification numbers), but the content of the conversation may still be considered personal data if it can be linked to an individual in context.

A.4 Categories of data subjects

• Patients who participate in consultations or are mentioned in dictation.
• Practitioners who use the solution.

A.5 Duration of processing

• Audio file: deleted immediately after the transcription is generated.
• Transcription and clinical note: stored for a maximum of 24 hours from the time of recording before automatic deletion.
• Other user data (name, email, clinic affiliation, etc.): stored for as long as the user account is active or until deletion is requested.

Appendix B: Security measures

Access control

• Access to the solution requires a registered user account and login via BankID (provided by Criipto).
• Only authorised users with valid authentication have access to functionality and clinical data.
• Administrative access is limited to a small number of technical personnel with a legitimate need.

Data security

• All data (transcriptions, clinical notes and any referrals) is encrypted in transit (TLS) and at rest (AES-256), through Supabase.
• The audio file is deleted immediately after the transcription is generated.
• Transcription and clinical notes are stored for a maximum of 24 hours before automatic deletion.
• Each consultation is handled in isolation, and data from one consultation is completely separated from others.
• Automatic logging is performed to document key processes in the solution.

Procedures

• Internal procedures have been established to safeguard information security and data processing in accordance with applicable regulations.
• Regular security scans are conducted to identify and remediate any vulnerabilities.

Cybersecurity

• Technical and organisational measures are implemented to protect the solution against unauthorised access, denial-of-service attacks, data loss and other digital threats.
• The system architecture is designed to ensure high availability and resilience against attacks.

Appendix C: Sub-processors

Approved sub-processors

By entering into this Customer Agreement and the associated Data Processing Agreement, the Data Controller approves the use of the following sub-processors: