Last Updated: Jul 1, 2026

Data Processing Agreement

This DPA outlines how PIMSPlus processes personal data on behalf of our customers in connection with the services we provide.

This Data Processing Agreement ("DPA") forms part of the agreement between PIMSPlus ("Processor," "we," "our," or "us") and the subscribing clinic or healthcare organization ("Controller," "you," or "your") that uses the PIMSPlus platform.

1. Definitions

For the purposes of this Agreement:

  • Personal Data refers to any information relating to an identified or identifiable individual, including patient, employee, and user information processed through PIMSPlus.
  • Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, transmission, or deletion.
  • Controller (or Personal Information Controller) refers to the clinic or healthcare organization that determines the purposes and means of processing Personal Data.
  • Processor (or Personal Information Processor) refers to PIMSPlus, which processes Personal Data solely on behalf of the Controller.

2. Controller and Processor Roles

The subscribing clinic acts as the Data Controller and retains ownership of all Personal Data entered into PIMSPlus.

PIMSPlus acts solely as the Data Processor on behalf of the Controller and processes Personal Data only to provide, maintain, secure, support, and improve the PIMSPlus platform in accordance with the Controller's documented instructions and applicable law.

PIMSPlus does not use customer data for advertising, marketing, or any purpose unrelated to providing the agreed services unless required by law or authorized by the Controller.

3. Processing Instructions

PIMSPlus processes Personal Data only in accordance with:

  • The Controller's documented instructions;
  • The applicable Terms of Service;
  • This Data Processing Agreement; and
  • Applicable laws and regulations.

Where PIMSPlus is required by law to process Personal Data in a manner inconsistent with the Controller's instructions, PIMSPlus will notify the Controller unless prohibited from doing so by law.

The Controller is responsible for ensuring that all Personal Data collected and uploaded into PIMSPlus has been obtained and processed lawfully, including obtaining any required patient consents.

4. Security Measures

PIMSPlus maintains reasonable administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized access, loss, misuse, alteration, or disclosure.

These safeguards may include, as appropriate:

  • User authentication and password protection
  • Role-based access controls
  • Secure cloud infrastructure
  • Encrypted data transmission using industry-standard protocols
  • System monitoring and logging
  • Regular software updates and security maintenance
  • Limited access to production systems by authorized personnel only

While we employ commercially reasonable security measures, no system can guarantee absolute security.

5. Subprocessors

PIMSPlus may engage carefully selected third-party service providers ("Subprocessors") to support the delivery of our services, such as cloud hosting, email delivery, backup services, and infrastructure management.

Where Subprocessors are used, PIMSPlus ensures that they are contractually obligated to maintain appropriate confidentiality and security standards consistent with this Agreement.

PIMSPlus remains responsible for the performance of its authorized Subprocessors.

A current list of material Subprocessors will be made available to Controllers upon reasonable request.

6. Data Breach Notification

If PIMSPlus becomes aware of a confirmed Personal Data breach affecting customer data, we will notify the affected Controller without undue delay after becoming aware of the incident.

  • A description of the nature of the incident;
  • The categories of data affected;
  • The measures taken or proposed to address the incident; and
  • Recommendations, where appropriate, to help mitigate potential risks.

7. Cross-Border Transfers

PIMSPlus may store or process Personal Data using secure cloud infrastructure that may involve data processing in jurisdictions outside the Philippines.

Where cross-border processing occurs, PIMSPlus will take reasonable steps to ensure that Personal Data continues to receive an appropriate level of protection consistent with applicable data protection laws.

8. Data Retention and Deletion

Personal Data is retained only for as long as necessary to provide the subscribed services, comply with legal obligations, resolve disputes, and enforce contractual agreements.

Upon termination of the subscription, the Controller may request an export of its data.

Following the applicable retention period or expiration of any legally required retention obligations, PIMSPlus may securely delete customer data unless retention is required by law.

9. Audit Rights

Upon reasonable written request, and subject to appropriate confidentiality obligations, the Controller may request information regarding PIMSPlus' security practices relevant to the processing of Personal Data.

To protect the confidentiality and security of all customers, audit requests must be reasonable in scope, frequency, and duration and must not interfere with normal business operations.

PIMSPlus may satisfy reasonable audit requests by providing relevant security documentation, certifications, policies, or summaries in lieu of permitting on-site inspections where appropriate.

10. Contact Us

For questions regarding this Data Processing Agreement or the processing of Personal Data, please contact us:

Email: hello@pimsplus.com

We are committed to supporting our customers in meeting their data protection responsibilities and maintaining the confidentiality, integrity, and security of the information entrusted to us.