Data Processing Agreement (DPA)

Version: V1.0 · Effective date: 4th November, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions between Fastest Healthtech Pvt Ltd (“Processor“) and the customer (“Controller“) using Processor services. This DPA describes the processing of personal data carried out by Processor on behalf of Controller and sets out the parties’ respective responsibilities.

1. Parties

Processor: Fastest Healthtech Pvt Ltd, 405 Bhoomi Landmark, sector 17, Panvel, Raigad – 410206. Contact: info@fastest.health.

Controller: As defined in the main services agreement or by the customer using the services.

2. Definitions

Personal Data — any information relating to an identified or identifiable natural person processed under the Agreement.

Processing — any operation performed on Personal Data as defined by applicable law.

Other capitalized terms have the meaning set out in applicable data protection laws and the main Agreement.

3. Subject matter & purpose of processing

Subject matter: Processing of Personal Data to provide, maintain and improve the Processor’s services and perform obligations under the main Agreement.

Purpose: Delivery of services (including hosting, account management, billing, support and analytics) as detailed in the main Agreement.

4. Categories of personal data & data subjects

Categories of Personal Data	Examples
Identifying data	name, email, phone, job title
Account & billing data	billing address, invoice history, payment records
Technical & usage data	IP address, device identifiers, logs, usage metrics
Other data	any additional data Controller uploads to the services

Data Subjects: customers, end users, employees, contractors and other individuals whose Personal Data is provided to Processor by Controller.

5. Duration & deletion

The Processor will process Personal Data for the duration necessary to provide the services under the Agreement. Upon termination or expiry, and subject to legal retention obligations, Processor will at Controller’s choice delete or return all Personal Data within 5 years days.

6. Processor obligations

Process Personal Data only on Controller’s documented instructions.
Implement appropriate technical and organizational measures to protect Personal Data (see Section 8).
Assist Controller with responding to data subject requests, data breaches and DPIAs as required by applicable law.
Not engage other processors except as set out in Section 7.

7. Sub-processors

Controller authorizes Processor to engage sub-processors for carrying out specific processing activities. Current subprocessors include:

Sub-processor	Service provided	Location / Notes
Subprocessor	Purpose of Processing	Location	Data Categories
Amazon Web Services, Inc.	Cloud hosting and data storage	India	All categories of personal data stored within application servers
Google LLC	Email and internal productivity tools (Gmail, Drive)	USA	Business contact and communication data
Walkover Web Solutions Pvt Ltd.	SMS and WhatsApp notifications	India	Customer contact numbers, message metadata
Razorpay Software Pvt. Ltd.	Payment gateway processing	India	Customer payment data
Aspira Pathlab & Diagnostics Limited	LIMS	India	Lab
Sufalam Solutions Pvt Ltd.	LIMS	India	Lab
Razorpay Software Pvt. Ltd.	Payment gateway processing	India	Customer payment data

Processor will maintain a current list of subprocessors. Contact info@fastest.health for the latest list.

8. Security measures

Processor implements measures appropriate to the risk, including (as applicable):

Access controls and role-based permissions
Encryption at rest and in transit (TLS 1.2+)
Periodic vulnerability scanning and patching
Logging, monitoring and incident response procedures
Backups and secure deletion procedures

For details, see Processor’s Security Policy available upon request.

9. International transfers

If Personal Data is transferred outside the EEA/UK, Processor ensures appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions) are in place. For specific transfer mechanisms contact info@fastest.health.

10. Data subject rights & assistance

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller’s obligation to respond to requests to exercise data subject rights.

11. Audit & inspection

Processor will make available to Controller all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, subject to reasonable notice and confidentiality protections. Where an on-site audit is requested, parties will agree scope, timing and cost allocation in advance.

12. Breach notification

Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller’s Personal Data and will provide reasonable information to enable Controller to meet any obligations to report or inform data subjects and regulators.

13. Liability

Liability for breaches of this DPA will be governed by the limitation of liability and indemnity provisions set out in the main Agreement, except where applicable law requires otherwise.

14. Changes to this DPA

Processor may update this DPA from time to time to reflect changes in law or services. Material changes will be communicated to Controller at least 30 days before they take effect. The current DPA effective date is shown at the top of this page.

15. Governing law

This DPA is governed by the law specified in the main Agreement between Controller and Processor.

16. Signatures

By executing the main Agreement or by continued use of the Services, Controller and Processor accept the terms of this DPA.

For Controller

Name: _________________________

Title: _________________________

Date: _________________________

For Processor (Fastest Healthtech Pvt Ltd)