Doctor Data Processing Agreement (DPA)

Version 1.0 — Effective 19 May 2026

Made under the Nigeria Data Protection Act 2023 (NDPA) and the Medical and Dental Council of Nigeria (MDCN) Code of Medical Ethics. You must accept this DPA at registration. Acceptance is recorded electronically with your IP address, user-agent and timestamp, and is legally equivalent to a signed paper agreement (Evidence Act 2011, s.84).

1. Parties

1.1 TheHyWing — operator of the climate-health platform at thehywing.com.
1.2 Independent Medical Practitioner (the Doctor) — the person creating an account on TheHyWing.

2. Background

TheHyWing connects patients in Nigeria with licensed medical practitioners for 15-minute teleconsultations and related services. The Doctor is engaged on a non-exclusive basis. This DPA records the Parties' roles and obligations for personal data processed via the platform.

3. Roles (NDPA s.24, s.27)

Operations data (account, booking, billing, audit logs):

• TheHyWing is the Data Controller.
• The Doctor is a Data Processor acting on TheHyWing's instructions.

Clinical record (consultation notes, diagnosis, prescription, follow-up plan):

• Both Parties are Joint Controllers. The Doctor remains the author and clinical custodian of the record; TheHyWing provides secure storage, access controls, and lawful sharing with the patient.

4. Scope of processing

• Subject matter: teleconsultations and continuity of care.
• Nature: bookings, secure video consultations, clinical notes, secure messaging, alerts.
• Categories of personal data: identification, contact, location, vital signs, symptom narratives, medical history, diagnoses, prescriptions.
• Data subjects: patients of TheHyWing booking with the Doctor.
• Duration: for the Doctor's engagement on the platform, plus the retention period in clause 9.

5. The Doctor's obligations

• Process personal data only for the purpose of providing clinical services through the platform.
• Comply with NDPA 2023, the MDCN Code of Medical Ethics, and all applicable laws.
• Maintain medical confidentiality (NDPA s.36) including after termination.
• Use only TheHyWing's authorised channels — do not transfer patient data to personal devices, personal email, social-messaging apps, or external storage without TheHyWing's prior written authorisation.
• Complete clinical notes (diagnosis, treatment plan, prescription, follow-up) before locking each consultation.
• Notify TheHyWing within 24 hours of any actual or suspected personal-data breach involving platform data.
• Assist TheHyWing to fulfil data-subject requests within 14 days of being asked.
• Maintain a current MDCN annual practising licence and provide evidence on request.
• Permit reasonable audits (no more than once per calendar year unless triggered by an incident).
• Maintain professional indemnity insurance appropriate to the volume of consultations.

6. TheHyWing's obligations

• Provide a secure platform with TLS 1.2+ in transit and AES-256-GCM for sensitive fields at rest.
• Restrict access to patient data on a need-to-know basis (RBAC + audit logs).
• Verify each Doctor's MDCN credentials before activating their account.
• Provide the Doctor with secure access to the clinical records of patients they treat.
• Inform the Doctor of any data-subject request that relates to a clinical record they authored.
• Notify the NDPC within 72 hours of a notifiable breach (NDPA s.40) and inform the Doctor where they are affected.
• Process payments due to the Doctor in accordance with the separate Service Agreement.

7. Sub-processors

As at the effective date: Render Inc. (hosting), OpenAI L.L.C. (AI symptom assessment, only with patient consent), Meta Platforms Inc. (WhatsApp Business Cloud API, only with patient consent), Paystack / Flutterwave (payments), WeatherAPI / OpenWeather (weather data). TheHyWing will give at least 14 days' notice of any change that materially affects clinical records.

8. International transfers

Some sub-processors are based outside Nigeria. TheHyWing has executed Standard Contractual Clauses or equivalent safeguards in line with NDPA s.41 and informs data subjects accordingly.

9. Retention

• Clinical records: at least 7 years after the last patient contact (MDCN), or longer where required by law.
• Operations data: as set out in TheHyWing's Records of Processing Activities (RoPA).
• On termination, the Doctor must not retain copies of patient data outside the platform.

10. Security incidents

Each Party will (a) take immediate containment steps, (b) cooperate in good faith to investigate, (c) document the incident, (d) notify NDPC and affected data subjects where required, and (e) carry out a root-cause review.

11. Term & termination

This DPA runs concurrently with the Service Agreement. Material breach not remedied within 14 days of written notice entitles the other Party to suspend or terminate the engagement. Clauses 5, 9, 10, 12 and 14 survive termination.

12. Liability

Each Party is liable for its own non-compliance with this DPA and applicable law. Nothing in this DPA limits liability for fraud, gross negligence, or wilful misconduct.

13. Governing law and jurisdiction

This DPA is governed by the laws of the Federal Republic of Nigeria. Disputes are subject to the exclusive jurisdiction of the courts of Lagos.

14. Notices

Notices to TheHyWing must be sent to privacy@thehywing.com. Notices to the Doctor must be sent to the email and phone number on file in the platform.

15. Electronic acceptance

By ticking "I accept the Doctor Data Processing Agreement" during registration, the Doctor confirms they have read, understood and agree to this DPA. Acceptance is recorded with the Doctor's IP address, user-agent, timestamp and DPA version. The Doctor may request a counter-signed copy by emailing privacy@thehywing.com.