Personal Data Processing Agreement (DPA)
Between: The Client (the healthcare professional holding a Markus Santé subscription), hereinafter referred to as the "Data Controller".
And: BraimIA (publisher of the Markus Santé solution), hereinafter referred to as the "Processor".
1. Purpose
The purpose of this agreement (DPA) is to define the conditions under which BraimIA undertakes, on behalf of the Data Controller, the personal data processing operations defined below, as part of the use of the Markus Santé application.
2. Description of Processing
BraimIA is authorized to process personal data on behalf of the Data Controller according to the following characteristics:
- Nature and purpose: Data hosting, audio-to-text transcription, semantic analysis by Artificial Intelligence, and structuring of documents (consultation notes, reports, letters) in order to assist the practitioner with administrative tasks.
- Categories of data subjects: The Data Controller's patients.
- Types of data: Identification data and personal health data (voice, medical history, session notes, care pathway dictated or entered by the practitioner).
3. Obligations of BraimIA (Processor)
BraimIA undertakes to:
- Process data only on the documented instructions of the Data Controller (normal use of the software).
- Ensure strict confidentiality of the health data processed.
- Take all technical and organizational measures required to ensure a level of security appropriate to the risk (encryption of data in transit and at rest).
- Assist the Data Controller in fulfilling their obligation to respond to requests from patients to exercise their rights (right of access, rectification, erasure).
4. Sub-processing (BraimIA's Providers)
The Data Controller authorizes BraimIA to engage the following sub-processor to deliver the service:
Google Cloud France: For hosting the overall infrastructure and running the Artificial Intelligence models. The servers are located in France and benefit from Health Data Host (HDS) certification. BraimIA guarantees that no health data is used by Google or BraimIA to train or improve external AI models.
5. Data retention and fate of data
Patient data is kept on secure servers as long as the Data Controller's account remains active. Upon termination or deletion of the account by the Data Controller, BraimIA undertakes to permanently delete all patients' personal data from its active databases (subject to a standard technical delay for the overwriting of encrypted backups).
6. Data Protection Officer (DPO) and Notification
BraimIA's Data Protection Officer can be contacted at: contact@markus-sante.com. BraimIA will notify the Data Controller of any personal data breach as soon as possible after becoming aware of it, to enable the Controller to meet its own notification obligations to the CNIL (French data protection authority).
