Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") is entered into between Doha Dynamics ("Processor") and the healthcare institution using ShiftER ("Controller"). This DPA governs the processing of personal data in compliance with Qatar's Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR). Effective date: June 2025.

Definitions

Subject Matter

The subject matter of this DPA is the processing of healthcare staff scheduling data on behalf of the Controller using the ShiftER platform.

Duration

This DPA remains in effect for the duration of the service agreement between Controller and Processor.

Nature and Purpose

The purpose of processing is to:

• Store, organize, and optimize staff scheduling data
• Generate roster analytics and reports
• Facilitate communication regarding shift assignments
• Ensure compliance with labor regulations and institutional policies

Categories of Data

Types of personal data processed include:

• Staff names and employee identifiers
• Contact information (email, phone numbers)
• Work schedules and shift assignments
• Professional qualifications and certifications
• Shift preferences and availability
• Leave and time-off records

Data Subject Categories

Data subjects include clinical and administrative staff employed by the Controller organization, including physicians, nurses, technicians, and support personnel.

Processor Obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorized to process data are subject to confidentiality obligations
• Implement appropriate technical and organizational security measures
• Obtain prior written consent before engaging sub-processors
• Assist the Controller in responding to data subject rights requests
• Delete or return all personal data upon termination of services
• Make available all information necessary to demonstrate compliance

Sub-Processors

The Processor currently engages the following sub-processors:

• Vercel Inc. — Infrastructure hosting and content delivery
• Web3Forms — Contact form processing (web3forms.com)

The Controller will be notified of any changes to sub-processors at least 30 days in advance and may object to the appointment of new sub-processors.

Security Measures

The Processor implements the following security measures:

• Encryption of data at rest and in transit (TLS 1.3, AES-256)
• Role-based access controls and multi-factor authentication
• Comprehensive audit logging of all data access
• Regular security assessments and penetration testing
• Qatar-hosted infrastructure with physical security controls
• Incident response procedures with 24-hour notification requirement

Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing. The Processor will respond to Controller requests within the timeframes required by applicable law.

Data Transfers

All personal data remains within Qatar-hosted infrastructure. No international transfers of data will occur without the Controller's prior written consent and appropriate safeguards as required by Qatar PDPL and GDPR.

Termination

Upon termination of the service agreement, the Processor shall, at the Controller's choice, delete or return all personal data within 14 days. Deletion certificates will be provided upon request. Data required to be retained for legal compliance purposes will be securely isolated and deleted after the retention period expires.

Liability

Each party shall be liable for its respective obligations under this DPA. The Processor's liability is subject to the limitations set forth in the Terms of Service.

Governing Law

This DPA is governed by the laws of the State of Qatar.

Contact Us

For questions about this Data Processing Agreement, please contact us: