B2B Clinical Contracts

Data Processing Agreement (DPA)

Last Updated: May 29, 2026 | Standard Terms

This Data Processing Agreement (“DPA”) governs the processing of personal data and clinical health observations by Just Kinetics on behalf of the customer (“Clinician” or “Healthcare Organization”) in connection with the Nexus Platform. This DPA is incorporated into, and forms part of, our main Terms of Service.

1. Scope and Roles

The parties agree that:

  • Customer (The Healthcare Organization): Acts as the Data Controller under GDPR/POPIA and determines the purposes and clinical reasons for processing patient measurements.
  • Just Kinetics: Acts as the Data Processor under GDPR/POPIA, processing patient records and sensor logs solely on the instructions of the Customer and in accordance with this agreement.

2. Categories of Data & Special Health Caution

The processing operations concern the following categories of data subjects and data types:

Attention: Special Category / Health Data

Nexus processes physical measurements, strength deficits, knee translations, range of motion, and rehabilitation progress details. These are classified as Special Category Health Data under GDPR Article 9 and Special Personal Information under POPIA Section 26.

Customers are strictly instructed NOT to upload primary patient identification keys (like national identity card numbers or full residential addresses) unless explicitly pseudonymized or anonymized in accordance with local healthcare regulations.

3. Subprocessors

The Controller grants general authorization to the Processor to engage subprocessors. An active list of subprocessors is maintained in our Privacy Policy. The Processor guarantees that all subprocessors are bound by written data protection contracts that are at least as restrictive as those in this DPA.

4. Technical and Organizational Security

Just Kinetics implements industry-standard controls to prevent unauthorized access or processing, including:

  • End-to-end payload encryption using TLS 1.3 in transit and AES-256 at rest.
  • Role-based access permissions (RBAC) preventing developers from viewing raw health observations.
  • Comprehensive audit logging of all login events, record reads, updates, and exports.
  • Regular penetration testing and dependency vulnerability sweeps.

5. Breach Notification & Audit Support

  • Breach Notification: In the event of a confirmed security incident affecting the Customer's data, Just Kinetics will notify the Customer without undue delay, and in no event later than 72 hours after becoming aware of the incident.
  • Audit Support: Just Kinetics will make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

6. International Transfers & Deletion

  • International Transfers: Where transfers cross jurisdictions (e.g. EU to South Africa, or UK to US), the parties will utilize appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions.
  • Deletion or Return: Upon expiration or termination of the service agreement, Just Kinetics will, at the Customer's choice, delete or return all personal data processed under this agreement, unless local statutory laws require retention.