Legal
Data Processing Agreement
1. Roles and subject-matter
Under the DPA, the Customer (the health facility, organisation or programme) is the data controller and ChartChronicle Health Technologies Limited is the data processor. We process personal data - including patient and clinical data and special categories of health data - only to provide the ChartChronicle Health service. The nature and purpose of processing is the operation of an EMR/HMIS; the duration is the term of the subscription; the categories of data subject include patients, staff and contacts; the categories of data include demographics, identifiers and clinical records.
2. Processing on documented instructions
We process personal data only on the controller's documented instructions, including as configured by the controller in the platform, unless required to do otherwise by law (in which case we inform the controller where permitted). We will tell the controller if, in our opinion, an instruction infringes applicable data-protection law.
3. Confidentiality
Our personnel authorised to process personal data are bound by confidentiality obligations and are granted access on a least-privilege, need-to-know basis.
4. Security of processing
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, role-based access control with facility/organisation scoping and database-level tenant isolation, multi-factor authentication for elevated roles, and a tamper-evident audit trail. See our Security page.
5. Sub-processors
The controller authorises us to engage the sub-processors listed on our Sub-processors page to help deliver the service. We impose data-protection obligations on each sub-processor no less protective than those in the DPA, remain responsible for their performance, and will give notice of intended changes so the controller may object on reasonable data-protection grounds.
6. Assistance to the controller
Taking into account the nature of the processing, we assist the controller with: responding to data-subject requests (the platform provides patient access, audit-of-access, correction and consent tools); security of processing; personal-data breach notification; and data-protection impact assessments and prior consultation, where applicable.
7. Breach notification
We will notify the controller without undue delay after becoming aware of a personal-data breach affecting the controller's data, with the information the controller needs to meet its own notification obligations to the Nigeria Data Protection Commission (NDPC) and to data subjects.
8. Return and deletion
On termination, the controller may export its data during the agreed retention window; thereafter we delete or anonymise the personal data, save where storage is required by law.
9. Audits and records
We make available the information necessary to demonstrate compliance with the DPA and allow for and contribute to audits, including inspections, conducted by the controller or an auditor it mandates, subject to reasonable confidentiality and security conditions.
10. International transfers
We do not transfer personal data outside its country of origin except as necessary to provide the service and with an appropriate safeguard and legal basis in place, as required by Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR) and the controller's instructions.
11. Processor identity and contact
ChartChronicle Health Technologies Limited (“ChartChronicle Health”, “we”, “us”, “our”) is a private company limited by shares incorporated in Nigeria and registered with the Corporate Affairs Commission (CAC), Nigeria under registration number RC 9585931 on 2 June 2026. Our registered office is Kilometer 10, Plot 6, Amugbekun Street, Apata, Ibadan, Oyo State, Nigeria. These terms are governed by the laws of the Federal Republic of Nigeria, and the parties submit to the exclusive jurisdiction of the courts of the Federal Republic of Nigeria.
12. Contact
For the executable DPA or any processing question, contact our Data Protection Officer at hello@chartchronicle.com.