Your data. Our obligations.
This Data Processing Agreement ("DPA") is entered into between LabSync Solutions ("Processor", "we") and the laboratory that subscribes to the LabSync Service ("Controller", "you"). It becomes effective the moment you enter or upload personal data into your Tenant. It supplements the Terms of Service and is executed in furtherance of the Data Privacy Act of 2012 (Republic Act No. 10173, the "DPA Law") and NPC issuances.
1.Parties and purpose
This DPA governs our processing of Personal Data on your behalf in connection with the Service. It does not apply to data we collect from you directly as Controller (for example, your account email or billing data) — that is covered by the Privacy Policy.
2.Definitions
Capitalized terms not defined here have the meanings given in the DPA Law, NPC Circular 16-03 (Personal Data Breach Management), and our Terms of Service. In particular:
- Personal Data — any information relating to an identified or identifiable natural person, including Sensitive Personal Information under Sec. 3(l) of the DPA Law.
- Processing — any operation performed on Personal Data, automated or not.
- Sub-processor — a third party engaged by the Processor to process Personal Data on the Controller's behalf.
- Security Incident — an actual or suspected event that may compromise confidentiality, integrity, or availability of Personal Data.
- Personal Data Breach — a Security Incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
3.Scope of processing
A summary of the processing we perform on your behalf is set out in Annex A. In brief, we process Personal Data for the sole purpose of providing and supporting the Service as you direct. We do not use your Personal Data for product development, benchmarking, analytics that identify patients, advertising, or the training of artificial intelligence models.
4.Processor obligations
We will:
- Process Personal Data only on your documented instructions — which include your configured use of the Service and any separately agreed Order Form.
- Ensure personnel authorized to process Personal Data are subject to confidentiality obligations of no less stringency than those set out in this DPA and the Terms.
- Implement appropriate technical and organizational measures as set out in Annex B.
- Engage Sub-processors only under a written contract imposing obligations no less protective than this DPA and notify you before any change.
- Assist you in responding to Data Subject requests and in meeting your obligations for privacy impact assessments and prior consultations.
- Notify you of any Personal Data Breach within 72 hours of becoming aware.
- On termination, return or delete Personal Data in accordance with Section 11.
- Make available all information reasonably necessary to demonstrate our compliance.
We will inform you immediately if, in our opinion, an instruction you give infringes the DPA Law or other applicable law.
5.Technical and organizational measures
We implement and maintain the measures described in Annex B, which reflect the state of the art, the cost of implementation, the scope and context of processing, and the risks to the rights and freedoms of natural persons. We review these measures at least annually and after any material change to the Service.
6.Sub-processors
You provide a general written authorization for us to engage Sub-processors. Current Sub-processors are listed below. We will provide at least 30 days' written notice — via in-app banner and email to your admin — of any intended addition or replacement. If you reasonably object on data-protection grounds we will work in good faith to find an alternative; if none is available you may terminate the affected Service with a prorated refund.
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean (on-shore region) | Primary compute and storage | Singapore region with data-residency add-on |
| Backblaze B2 | Encrypted off-site backups | US West (encrypted at source) |
| Postmark | Transactional email (password resets, report notifications) | United States |
| Cloudflare | DDoS mitigation and TLS termination | Global edge; Philippine POP preferred |
| Sentry | Error tracking (scrubbed of Personal Data) | United States |
This list is also published at labsyncsolutions.com/subprocessors; subscribe to the feed to be notified of changes.
7.Data location and transfers
Production databases and primary object storage are located within Southeast Asia, with a preference for Philippine and Singapore regions. Encrypted backups may be replicated to a secondary region outside ASEAN solely for disaster recovery. Any cross-border transfer is performed under contractual clauses consistent with NPC Advisory 2017-01 and the principles of adequacy and accountability. On request we provide a current list of production and backup regions.
8.Data subject requests
If a Data Subject contacts us directly with a request relating to their Personal Data processed on your behalf, we will forward the request to you within 5 Business Days and will not respond substantively except to acknowledge receipt, unless required by law. We provide tools within the Service — search, export, delete — that allow you to respond to access, correction, and erasure requests without our further involvement. For complex requests, we assist on a reasonable-cost basis.
9.Security incidents and breach notification
On becoming aware of a Personal Data Breach involving your Tenant we will:
- Notify your admin and DPO without undue delay and in any event within 72 hours.
- Provide a description of the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
- Cooperate with you in notifying the NPC and affected data subjects as required by NPC Circular 16-03, although the primary reporting obligation rests with you as Controller.
- Preserve evidence and conduct a root-cause analysis, sharing the results with you on request.
10.Audit rights
You may audit our compliance no more than once every 12 months, subject to reasonable notice, confidentiality obligations, and coordination with our team. To minimize business disruption we typically satisfy audits by providing:
- Our most recent third-party penetration test summary report.
- Our ISO 27001-aligned controls self-assessment.
- A DPO-level walkthrough over video conference.
On-site audits are permitted for Enterprise customers under written agreement and are billed at cost if they exceed one day per year.
11.Return and deletion
On termination or expiration of the Service, you choose whether we (a) return your Personal Data in a machine-readable format or (b) delete it. Either way we provide a 90-day export window. Once you confirm deletion (or after 90 days if you do not respond), we irreversibly delete your Personal Data from primary systems immediately and from backups within the next quarterly backup rotation, unless a legal hold requires continued retention.
12.Term and termination
This DPA remains in effect for as long as we process Personal Data on your behalf. Obligations that by their nature should survive — confidentiality, deletion, audit, breach notification in respect of historical incidents — survive termination.
13.Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service, save that neither party may exclude liability it cannot lawfully exclude under the DPA Law or other applicable mandatory law.
14.Governing law
This DPA is governed by the laws of the Republic of the Philippines. Disputes are resolved as set out in the Terms of Service.
A.Annex A — Processing details
Subject matter
Provision of the LabSync Laboratory Information System to the Controller.
Duration
For the term of the Service subscription and the retention windows described in the Privacy Policy.
Nature and purpose
Registration of patients, collection and tracking of samples, ordering of tests, entry and approval of results, issuance of reports, and invoicing.
Categories of Data Subjects
- Patients of the Controller.
- Employees and contractors of the Controller who hold Tenant accounts.
- Referring physicians.
Categories of Personal Data
- Identifiers: name, date of birth, patient number, sex.
- Contact data: phone, email, address, emergency contact.
- Sensitive Personal Information: blood group, test orders, numeric and qualitative test results, abnormal and critical flags, physician clinical notes, OSCA and PWD IDs where applicable.
- Financial data: invoices, discounts, payments recorded for patient visits.
- Professional data: user roles, license numbers for medical technologists and pathologists.
B.Annex B — Technical and organizational measures
For the full narrative, see our Security Overview. Summary measures:
- Access control: tenant isolation at every query, role-based permissions, least privilege, MFA for administrative consoles, session timeout, credential rotation.
- Encryption: TLS 1.2+ with modern cipher suites in transit; AES-256 at rest for databases and object storage; password hashing with Argon2id.
- Audit trail: append-only, ISO 15189-aligned event log with actor, entity, timestamp, and diff — tamper-evident and exportable.
- Backups: daily encrypted snapshots; 30-day retention; quarterly restore drills; geographic redundancy for disaster recovery.
- Network security: firewall, rate limiting, reverse-proxy WAF, DDoS mitigation, intrusion detection.
- Change management: version-controlled source; peer code review; CI security scanning (dependency and static analysis); staged releases.
- Personnel: confidentiality agreements; annual security training; background checks for staff with production access.
- Incident response: documented runbook; 24-hour triage; 72-hour breach notification; post-mortem within 14 days.
- Continuity: documented DR plan; RTO ≤ 8 hours, RPO ≤ 24 hours for Pro; stricter targets available for Enterprise.