Legal
Data Processing Agreement
Last updated: June 2026
1. Parties and Purpose
This Data Processing Agreement ("DPA") is between Simplx (operator of Sahelli, "Processor") and the clinic or healthcare provider subscribing to the Sahelli platform ("Controller"). It governs how Sahelli processes personal data — including patient data — on behalf of the clinic in the course of providing the platform services.
This DPA forms part of the overall agreement between the Controller and Processor as established by the Sahelli Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data processing matters.
2. Roles and Responsibilities
Controller (Clinic): The clinic is the data controller. It determines the purposes and means of processing patient personal data, and is responsible for ensuring that it has a lawful basis to collect and process patient data, and that it complies with all applicable data protection laws in its jurisdiction.
Processor (Simplx / Sahelli): Simplx processes personal data only on documented instructions from the Controller, solely for the purpose of providing the platform services described in the Terms of Service. Simplx will not process personal data for any other purpose, and will not sell or share it with third parties except as required to provide the service (see Sub-processors, Section 5).
3. Categories of Personal Data Processed
In the course of providing the Sahelli platform, Simplx processes the following categories of personal data on behalf of the Controller:
- Patient identifiers — name, phone number, email address.
- Medical and clinical data — SOAP notes, prescriptions, vital signs, diagnoses, treatment plans, dental/physiotherapy records, medical history, allergies.
- Financial data — invoice amounts, payment status, applied discounts.
- Appointment data — booking dates, times, types, status, rooms.
- Communication data — WhatsApp messages between patients and the clinic.
- File attachments — uploaded patient documents such as X-rays, lab results, and consent forms.
- Staff account data — names, email addresses, roles, and access logs.
4. Processing Instructions and Lawful Basis
Simplx processes personal data only on the instructions of the Controller (as defined by the features and configuration the clinic has set up). The Controller is responsible for ensuring it has a valid lawful basis under applicable law for each category of data it stores in Sahelli — such as the patient's consent, a contractual obligation (e.g., the treatment relationship), or another recognized basis.
If Simplx is required by law to process data in a manner not covered by the Controller's instructions, Simplx will inform the Controller before doing so unless prohibited by law.
5. Sub-processors
Simplx uses the following sub-processors to provide the Sahelli platform. By agreeing to this DPA, the Controller authorizes the use of these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| MongoDB Atlas (MongoDB, Inc.) | Primary clinic database storage | Global (US / EU) |
| Amazon Web Services (AWS) | Cloud infrastructure, patient file storage (S3), scheduled events | Global (US / EU) |
| Meta (WhatsApp Business API) | Patient and AI agent messaging | Global |
| OpenAI | AI receptionist — conversation processing | United States |
| Google Firebase | Real-time chat delivery in the clinic dashboard | Global |
| Kashier | Payment processing (subscription and patient invoices) | Egypt |
Simplx will notify the Controller of any intended changes to this sub-processor list that may materially affect the processing of patient data, giving reasonable advance notice where possible.
6. International Data Transfers
Some sub-processors operate servers outside the Arab Republic of Egypt, including in the United States and Europe. By subscribing to Sahelli, the Controller acknowledges and authorizes that patient personal data may be transferred to and processed in these countries as necessary to provide the platform services.
Simplx ensures that all international transfers are made only to sub-processors who maintain appropriate security standards and, where applicable, provide contractual protections for personal data.
7. Data Security
Simplx implements and maintains appropriate technical and organizational measures to protect personal data against accidental loss, destruction, alteration, unauthorized disclosure, or access, including:
- Complete data isolation — each clinic has its own dedicated database with no cross-clinic data access.
- Encryption in transit (TLS/HTTPS) and encryption at rest for all stored data.
- Role-based access control limiting staff access to only the data their role requires.
- Secure credential storage — API keys and access tokens stored in AWS Secrets Manager, never in the application database.
- Patient file access controlled via time-limited signed URLs — no public file exposure.
- HMAC-SHA256 signature validation on all inbound webhooks.
- Password hashing using bcrypt.
- Session management via httpOnly secure cookies with expiry.
8. Data Subject Rights
The Controller (clinic) is responsible for handling data subject rights requests from patients (such as access, correction, deletion, or portability requests). Simplx will assist the Controller in responding to such requests by providing the following:
- Data export — clinics can export their full clinic data at any time during an active subscription.
- Data deletion — upon request, Simplx will delete a clinic's data following the process described in Section 9.
- Access to records — clinic staff can access, correct, and manage all patient data directly through the platform dashboard.
For requests that cannot be fulfilled through the platform, the Controller may contact Simplx directly and we will provide reasonable assistance within 30 days.
9. Data Retention and Deletion
Simplx retains clinic and patient data for as long as the clinic has an active subscription. Upon cancellation, data is retained for a grace period of 30 days, during which the clinic may request a full data export. After the grace period, data may be permanently deleted.
The Controller may request deletion of all their clinic's data at any time by contacting Simplx. Permanent deletion is irreversible and includes the clinic's dedicated database, uploaded files, and all associated records. Billing records may be retained for a longer period as required by applicable Egyptian law.
10. Confidentiality
Simplx ensures that all personnel who process personal data under this DPA are subject to appropriate confidentiality obligations. Access to clinic data is restricted to personnel who need it to provide or support the platform services.
11. Data Breach Notification
In the event of a personal data breach affecting clinic or patient data, Simplx will notify the affected Controller without undue delay after becoming aware of the breach. Notification will include:
- A description of the nature of the breach and the categories of data affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
The Controller remains responsible for any notifications to patients or regulatory authorities required by applicable law.
12. Audits and Compliance
Simplx will make available to the Controller, upon written request, information reasonably necessary to demonstrate compliance with this DPA. Simplx may fulfill audit requests by providing documentation, security certifications, or written answers to security questionnaires rather than on-site audits, at Simplx's reasonable discretion.
13. Term and Termination
This DPA is effective for the duration of the clinic's subscription to Sahelli and terminates automatically when the subscription ends. Upon termination, Simplx will delete or return all personal data in accordance with Section 9.
14. Governing Law
This DPA is governed by the laws of the Arab Republic of Egypt. Any disputes arising from this DPA shall be subject to the jurisdiction of the competent courts in Egypt.
15. Contact
For data processing inquiries, DPA-related questions, or to request a signed copy of this agreement:
- WhatsApp / Phone: +20 113 070 7982
- Email: simplx.business.main@gmail.com