Data Processing Agreement
Last updated: March 2026
What this means in plain language: This agreement is for diagnostic centers who upload patient imaging to the Raydiac marketplace. It sets out how Raydiac handles the DICOM data you upload on behalf of your patients. It is required under Indian data protection law.
Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: The diagnostic center or hospital registered on the Raydiac Platform (“Center”)
- Data Processor: [Company Legal Name], operating the Raydiac Platform (“Raydiac”)
This DPA forms part of the Raydiac Terms of Service and is effective from the date you accept the Terms of Service.
1. Background
The Center uploads patient DICOM imaging studies to the Raydiac Platform for the purpose of obtaining outsourced radiology reports. In doing so, the Center acts as a data controller in respect of patient data. Raydiac acts as a data processor, processing that data on the Center's behalf in accordance with this DPA.
2. Nature and Purpose of Processing
Nature: Storage, anonymisation, transmission to reporting radiologists, and deletion of patient DICOM imaging data.
Purpose: To facilitate outsourced radiology reporting through the Raydiac marketplace.
Type of personal data: Patient imaging data (DICOM files) containing patient identifiers prior to anonymisation.
Duration: DICOM data is processed for the period necessary to complete the reporting case, plus 90 days post-completion for report access. Data is then permanently deleted.
3. Raydiac's Obligations as Data Processor
Raydiac agrees to:
3.1 Process only on instruction: Process patient data only in accordance with the Center's documented instructions (as set out in these Terms and this DPA) and for no other purpose.
3.2 Confidentiality: Ensure that all personnel with access to patient data are bound by appropriate confidentiality obligations.
3.3 Security: Implement appropriate technical and organisational measures to protect patient data against unauthorised access, accidental loss, or destruction. These include:
- Automatic DICOM anonymisation at upload (patient identifiers stripped before data is viewable by any user)
- Encrypted transmission (TLS 1.2+) between all platform components
- Access controls restricting DICOM data access to the assigned reporting radiologist and authorised Raydiac technical personnel only
- Temporary staging files deleted immediately after DICOM processing is complete
3.4 Sub-processors: Raydiac may engage sub-processors (such as cloud infrastructure providers) to assist in providing the service. Raydiac will ensure all sub-processors are bound by equivalent data protection obligations. Current sub-processors are listed at raydiac.in/sub-processors.
3.5 Assistance with data subject rights: Assist the Center in responding to patient requests to access, correct, or delete their data, to the extent technically feasible given the anonymisation architecture.
3.6 Deletion: Delete all patient DICOM data within 90 days of case completion, unless required to retain it longer by law. Notify the Center 7 days before deletion.
3.7 Audit: Provide the Center with information necessary to demonstrate compliance with this DPA, upon reasonable written request.
4. Center's Obligations as Data Controller
The Center confirms that:
- It has a lawful basis for sharing patient imaging data with Raydiac for the purpose of obtaining a radiology report
- It has complied with all applicable notice requirements to patients regarding the use of third-party radiology services
- It has appropriate policies and safeguards in place to protect patient data in accordance with applicable Indian law
- It will not upload any patient data that is not strictly necessary for the radiology consultation being requested
5. Data Breach Notification
Raydiac will notify the Center without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting patient data uploaded by the Center. The notification will include a description of the nature of the breach, the approximate number of data subjects affected, and the measures taken or proposed to address it.
6. Anonymisation
The Center acknowledges that Raydiac's automatic anonymisation process removes patient identifiers from DICOM files at the point of upload. After anonymisation, Raydiac treats the imaging data as anonymised data outside the scope of personal data protection obligations. The Center is responsible for ensuring that the clinical history and case details it enters when posting a case do not include patient-identifying information.
7. Governing Law
This DPA is governed by Indian law. Any disputes shall be resolved in accordance with the dispute resolution clause in the Terms of Service.
8. Contact
For data processing queries: [email protected]