Doctor Onboarding

PARTIES

Party A — Service Provider: CypherMD (operating platform: Doctat). Registered Office: Punjab Rheumatology & Immunology Centre, Near MBID Mall, Ferozepur Road, Ludhiana – 141002, Punjab, India. Email: contact@doctat.com | Website: doctat.com

Party B — Onboarding Doctor / Practitioner: As identified in the details submitted in the preceding step.

CLAUSE 1 — VOLUNTARY DATA SHARING

1.1 The Doctor acknowledges and confirms that any data shared with CypherMD during the onboarding process — including historical patient records, appointment logs, billing data, prescription records, or any other clinical information — is shared entirely at the Doctor's own discretion and volition.

1.2 CypherMD does not mandate the sharing of historical data. The Doctor is free to onboard without migrating any prior records.

1.3 The Doctor represents and warrants that they have the legal right and, where applicable under Indian law, appropriate patient consents to share any data provided to CypherMD.

CLAUSE 2 — PURPOSE OF DATA USE (MIGRATION & ANALYTICS ONLY)

2.1 Any data shared by the Doctor shall be used by CypherMD solely for the following permitted purposes:

• (a) Migration of existing records into the Doctat platform for the Doctor's own operational use;
• (b) Internal migration analytics to improve the onboarding pipeline (e.g., data format compatibility, field mapping accuracy, import success rates).

2.2 CypherMD shall not use the shared data for:

• Marketing, advertising, or promotional activities;
• Profiling of individual patients;
• Sale, lease, or transfer to any third party for commercial purposes;
• Loss of profit extraction or any commercial gain derived from the Doctor's data;
• Any purpose beyond what is expressly stated in Clause 2.1.

2.3 Upon successful migration, raw source data provided by the Doctor will be purged from CypherMD's staging environment within 30 days unless the Doctor requests otherwise in writing.

CLAUSE 3 — PATIENT PERSONAL DATA PROTECTION

3.1 CypherMD treats all patient data as sensitive personal information under the Digital Personal Data Protection Act, 2023 (DPDPA) and the IT (Reasonable Security Practices and Sensitive Personal Data) Rules, 2011.

3.2 No patient's personal information — including name, contact number, medical history, diagnosis, prescriptions, or any identifying detail — shall be shared, disclosed, or transmitted to any external party, affiliate, or third-party service provider for purposes other than those defined in Clause 2.

3.3 All patient data stored on the Doctat platform is associated with and accessible exclusively to the Doctor's account. CypherMD personnel may access such data only for technical support purposes, strictly on a need-to-know basis.

3.4 The Doctor remains the primary data fiduciary for their patients' data. CypherMD acts solely as a data processor in respect of patient records.

3.5 Patient Rights: CypherMD shall provide the Doctor with reasonable technical means to fulfil patient rights under the DPDPA, including the right of patients to access, correct, or request deletion of their personal data. Upon receiving a written request from the Doctor, CypherMD shall assist in executing such requests within 15 working days.

CLAUSE 4 — AI FEATURES & THIRD-PARTY AI SERVICES DISCLOSURE

4.1 Doctat may incorporate AI-powered features including but not limited to: pre-consultation patient history summaries, voice-based data extraction, prescription suggestions, and clinical analytics.

4.2 Certain AI features are powered by third-party AI service providers. The Doctor acknowledges and agrees to the following:

• (a) CypherMD does not transmit any patient's personally identifiable information (PII) to third-party AI providers. Any data sent for AI processing is anonymised, de-identified, or abstracted to the minimum necessary context required for the feature to function.
• (b) AI-generated outputs (summaries, suggestions, clinical notes) are indicative in nature and do not constitute medical advice, clinical diagnosis, or a substitute for professional medical judgment.
• (c) The Doctor assumes full professional responsibility for any clinical decision made in reliance on AI-generated outputs.
• (d) CypherMD disclaims all liability arising from the use of, reliance on, or errors in AI-generated outputs.
• (e) Voice & Audio Transcription: Certain voice-based features within Doctat, including pre-consultation history extraction, involve transmission of audio data to third-party transcription services (including but not limited to Google Gemini or equivalent providers). CypherMD ensures that no patient name, contact detail, medical record number, or any other identifying information is transmitted alongside such audio. These features are activated only upon the Doctor's direct use, consistent with Clause 4.5.

4.3 Third-party AI providers engaged by CypherMD are governed by their own terms of service and data processing agreements. CypherMD shall take reasonable efforts to engage only providers who maintain commercially acceptable data privacy standards.

4.4 No AI Training on Doctor's Data: CypherMD shall not use the Doctor's data — including patient records, prescription data, or any clinic-level information — for training, fine-tuning, or improving any AI or machine learning model, whether proprietary or third-party, without the Doctor's explicit prior written consent.

4.5 AI Features — Opt-In by Usage: AI-powered features within the Doctat platform are activated only when the Doctor actively uses them. No patient data is processed through AI systems passively or without the Doctor's direct action. The Doctor may choose not to use any AI feature at any time without affecting other platform functionality. CypherMD does not use patient personal data to train, fine-tune, or improve its own or any third-party AI systems.

CLAUSE 5 — LIMITED LIABILITY

5.1 "AS IS" BASIS: The Doctat platform is provided on an "as is" and "as available" basis. CypherMD makes no representations or warranties — express, implied, statutory, or otherwise — including but not limited to warranties of merchantability, fitness for a particular purpose, uninterrupted availability, or error-free operation.

5.2 No Liability for Indirect Losses: To the maximum extent permitted under applicable Indian law, CypherMD shall not be liable for any indirect, incidental, consequential, special, or punitive damages — including loss of revenue, loss of patients, data loss, or reputational harm — arising from the use of or inability to use the platform.

5.3 Cap on Liability: CypherMD's total aggregate liability to the Doctor for any claim under this Agreement shall not exceed the total fees paid by the Doctor to CypherMD in the three (3) calendar months immediately preceding the event giving rise to the claim.

5.4 No Medical Liability: CypherMD is a technology platform and does not practice medicine. CypherMD shall have no liability for clinical outcomes, medical errors, missed diagnoses, or treatment decisions made by the Doctor through or with the assistance of the platform.

5.5 Data Loss: The Doctor is solely responsible for maintaining independent backups of critical records. CypherMD shall not be liable for data loss resulting from factors outside its reasonable control including hardware failure, cyberattacks, force majeure events, or user error.

5.6 Downtime & Interruptions: CypherMD does not guarantee uninterrupted platform access. Scheduled maintenance or third-party infrastructure failures may cause temporary unavailability. CypherMD shall not be liable for losses arising from such interruptions.

CLAUSE 6 — CONFIDENTIALITY

6.1 Both parties agree to maintain strict confidentiality of any proprietary or sensitive information exchanged under this Agreement.

6.2 The Doctor agrees not to reverse-engineer, copy, sublicense, or redistribute any component of the Doctat platform.

6.3 CypherMD agrees not to disclose the Doctor's operational data, patient statistics, or any business-sensitive information to any third party without the Doctor's prior written consent, except as required by law or court order.

CLAUSE 7 — DATA SECURITY

7.1 CypherMD shall implement and maintain industry-standard security measures to protect data on its platform, including: Encryption of data in transit (TLS/HTTPS) and at rest; Role-based access controls; Periodic internal security audits.

7.2 Security Standards: CypherMD follows security practices aligned with industry benchmarks. Upon written request by the Doctor, CypherMD shall provide a summary of its current security practices and audit findings. CypherMD is not ISO 27001 certified at the time of this Agreement but shall work towards obtaining such certification or equivalent in due course.

7.3 Data Location: All patient and clinic data processed and stored under this Agreement shall reside on servers located within the territory of India. CypherMD shall not transfer, replicate, or allow access to such data from servers located outside India without the Doctor's prior written consent, except where required by applicable law.

7.4 Incident Response: In the event of a data breach or security incident materially affecting the Doctor's patient records, CypherMD shall notify the Doctor as soon as reasonably possible, and in no case later than 72 hours of becoming aware of such breach. CypherMD shall also provide reasonable assistance to the Doctor in informing affected patients and relevant regulatory authorities as required under applicable Indian law.

7.5 Sub-Vendor Notification: CypherMD shall notify the Doctor at least 15 days in advance before onboarding any new sub-vendor that will have access to the Doctor's data. The Doctor shall have a 10-day window to raise objections in writing. CypherMD shall take such objections into reasonable consideration before proceeding.

CLAUSE 8 — FREE TRIAL PERIOD

8.1 CypherMD hereby grants the Doctor a complimentary usage period of three (3) calendar months, commencing from the date of acceptance of these terms, regardless of when the Doctor's data migration is initiated or completed.

8.2 The free trial period shall not be extended under any circumstances, including delays in data migration caused by the Doctor's failure to provide data in a timely manner. The Doctor acknowledges that the three-month period runs from the date of acceptance and is a fixed window.

8.3 Doctor's Obligation for Timely Data Submission: The Doctor agrees to provide all data required for migration within 15 days of accepting these terms. Failure to do so shall not entitle the Doctor to any extension of the free trial. Any loss of trial period resulting from the Doctor's delay in submitting migration data shall be solely the Doctor's responsibility.

8.4 During the free trial period, the Doctor shall have access to all standard features of the Doctat platform at no charge. CypherMD reserves the right to define the scope of features available under the free tier.

8.5 Early Termination by CypherMD: CypherMD reserves the right to terminate the free trial at any time before the three-month period expires, for any reason including but not limited to: misuse of the platform, breach of any clause of this Agreement, or at CypherMD's sole discretion. In such an event, CypherMD shall provide the Doctor with 7 days' written notice prior to termination, except in cases of material breach where immediate termination shall apply.

8.6 CypherMD shall notify the Doctor at least 15 days prior to expiry of the free trial regarding applicable subscription plans for continued access.

8.7 If the Doctor chooses not to continue after the free trial, they may request a full data export and the account will be closed with no financial liability on either party.

8.8 Upon expiry of the free trial period, and should the Doctor elect to continue using the Doctat platform, the mutually agreed subscription price shall be applicable from the first day immediately following the conclusion of the three-month trial period. No charges shall be levied for or during the free trial period under any circumstances.

CLAUSE 9 — TERM & TERMINATION

9.1 This Agreement is effective from the date of acceptance and remains in force for the duration of the Doctor's active subscription with Doctat.

9.2 Either party may terminate this Agreement by providing 30 days' written notice.

9.3 Upon termination, the Doctor may request a full export of their data within 15 working days. CypherMD reserves the right to delete the Doctor's data from its primary servers after 60 days of account closure. All copies shall be purged from backup systems within 90 days. CypherMD shall provide written confirmation upon completion of such deletion, unless legally required to retain it.

9.4 Clauses 3, 4, 5, and 6 shall survive termination of this Agreement.

CLAUSE 10 — GOVERNING LAW & DISPUTE RESOLUTION

10.1 This Agreement shall be governed by and construed in accordance with the laws of the Republic of India.

10.2 Any dispute shall first be attempted to be resolved through good-faith negotiation within 30 days.

10.3 If unresolved, disputes shall be referred to arbitration under the Arbitration and Conciliation Act, 1996, with a sole arbitrator mutually appointed by both parties. The seat of arbitration shall be Punjab, India.

10.4 Subject to the arbitration clause above, the courts of Ludhiana shall have exclusive jurisdiction over any matters not subject to arbitration.

CLAUSE 11 — MISCELLANEOUS

11.1 Entire Agreement: This document constitutes the entire agreement between the parties and supersedes all prior discussions.

11.2 Amendments: Any modification must be in writing and signed by authorised representatives of both parties.

11.3 Severability: If any provision is found unenforceable, the remaining provisions continue in full force.

11.4 No Waiver: Failure to enforce any right shall not constitute a waiver of that right.

11.5 Force Majeure: Neither party shall be liable for failure to perform due to circumstances beyond reasonable control.

Jurisdiction: Punjab, India | Governing Law: Information Technology Act, 2000; Indian Contract Act, 1872; Digital Personal Data Protection Act, 2023 (DPDPA)