Legal Template
Data Processing Agreement
Standard DPA template for hospitals deploying M4NG0 OS. Covers data processing obligations under the NDPA, GDPR, and equivalent frameworks.
This template is provided for reference. Contact legal@m4ng0.com for a countersigned copy.
1. Parties & Scope
This Data Processing Agreement ("DPA") forms part of the service agreement between:
- Data Controller: The hospital or healthcare facility ("Customer") deploying M4NG0 OS
- Software Vendor: M4NG0 Inc. ("M4NG0")
This DPA applies to all personal data and Protected Health Information (PHI) that may be processed through M4NG0 OS software. It supplements the Terms of Service and any additional service agreements between the parties.
Architecture Classification
M4NG0 OS operates as locally-installed software on the Customer's own hardware. Under standard deployment (Tier 1), M4NG0 acts as a software vendor — not a Data Processor — because M4NG0 does not access, transmit, receive, or store any patient data. All processing occurs on the Customer's premises under the Customer's sole control.
If the Customer opts into cloud-backed services (Tier 2), M4NG0 may act as a Data Processor for encrypted backup storage only. In this case, the additional terms in Section 6 apply.
2. Categories of Data
The following categories of data may be processed within M4NG0 OS:
| Category | Examples | Protection |
|---|---|---|
| Patient Identity | Name, phone, address, next of kin | AES-256 field-level encryption |
| Clinical Records | Diagnoses, prescriptions, vitals, lab results | Encrypted + RBAC + audit logging |
| Staff Data | Usernames, roles, authentication credentials | Hashed passwords, MFA, session management |
| Audit Records | Access logs, modification history | Hash-chained, immutable, separate database |
| Financial Records | Payment amounts, methods, revenue logs | Access restricted to authorized roles |
3. Customer Obligations (Data Controller)
As the Data Controller, the Customer is responsible for:
- Obtaining appropriate patient consent for data collection and processing
- Ensuring staff are trained on data protection and system usage
- Maintaining physical security of hardware running M4NG0 OS
- Managing encryption key security and backup procedures
- Responding to data subject access requests from patients
- Reporting data breaches to the relevant supervisory authority (e.g., NITDA within 72 hours under NDPA)
- Conducting Data Protection Impact Assessments as required
4. M4NG0 Obligations (Software Vendor)
M4NG0 commits to:
- Providing software that enables technical compliance with applicable data protection regulations
- Maintaining AES-256 encryption for PHI at rest
- Implementing and maintaining role-based access controls
- Providing immutable, hash-chained audit logging
- Delivering security patches and updates in a timely manner
- Not accessing, collecting, or transmitting any Customer data to M4NG0's systems
- Providing data export tools (FHIR R4 JSON, CSV) to support data portability
- Cooperating with reasonable security audits upon Customer request
5. Data Subject Rights
M4NG0 OS provides built-in tools to assist the Customer in fulfilling data subject rights:
- Right of access: Patient data export in structured formats
- Right to rectification: Record amendment capabilities with audit trail
- Right to erasure: Secure deletion tools with cryptographic verification
- Right to data portability: FHIR R4 JSON export for interoperability
- Consent management: Per-patient, per-type consent tracking with revocation support
The Customer remains responsible for receiving and responding to data subject requests. M4NG0 provides the technical tools; the Customer executes the operational process.
6. Cloud-Backed Services (Tier 2, If Applicable)
If the Customer opts into M4NG0's cloud-backed services (encrypted backup, multi-facility sync, or license management), the following additional terms apply:
- M4NG0 acts as a Data Processor for encrypted backup data only
- All data transmitted to cloud services is encrypted with Customer-held keys before transmission
- M4NG0 cannot decrypt Customer data under any circumstances
- Cloud storage providers (AWS, Azure) maintain their own compliance certifications and will sign separate BAAs
- M4NG0 will notify the Customer of any sub-processor changes at least 30 days in advance
- Customer may object to sub-processor changes and terminate affected services without penalty
7. Cross-Border Data Transfers
Under standard on-premise deployment, no cross-border data transfer occurs — all data resides on the Customer's local hardware within their country of operation.
If cloud-backed services involve data storage in a different jurisdiction, M4NG0 ensures that adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) for GDPR transfers
- NDPA adequacy assessments for transfers from Nigeria
- End-to-end encryption ensuring data remains inaccessible to the storage provider
8. Breach Notification
In the event of a confirmed data breach affecting cloud-backed services, M4NG0 will:
- Notify the Customer within 24 hours of confirmed breach discovery
- Provide a detailed incident report including scope, affected data categories, and remediation steps
- Cooperate with the Customer's breach response and regulatory notification obligations
- Implement corrective measures to prevent recurrence
For on-premise deployments, breach detection and response is the Customer's responsibility. M4NG0 OS provides audit logs and integrity verification tools to support breach investigation. See the Breach Response Plan for detailed procedures.
9. Term & Termination
This DPA remains in effect for the duration of the service agreement. Upon termination:
- All Customer data remains on the Customer's local hardware (on-premise deployments)
- Cloud-backed data is deleted within 30 days of termination, with written confirmation
- M4NG0 provides reasonable assistance for data export and migration
- Audit logs are retained per applicable retention policies before secure deletion
Template version 1.0 — March 30, 2026