GDPR Compliance
How NexusHealth complies with GDPR.
NexusHealth complies with the General Data Protection Regulation (GDPR) for EU/EEA customers.
Data Processing
Legal Basis
We process health data based on:
- Medical treatment necessity (Article 9(2)(h))
- Data Processing Agreements with customers
Data Processing Agreement
We provide DPAs that include:
- Processing purposes and scope
- Security measures
- Sub-processor list
- Data subject rights support
Data Subject Rights
NexusHealth supports your obligations to fulfill data subject rights:
Right to Access
- Export patient data
- View processing history
- Generate access reports
Right to Rectification
- Update patient records
- Maintain accuracy
- Document corrections
Right to Erasure
- Delete patient records
- Cascade to related data
- Maintain audit trail
Right to Portability
- Export in standard formats
- Machine-readable data
- Transfer support
International Transfers
EU Data Residency
- EU-based data centers available
- Data stays within EU/EEA
- Contact us to configure
Transfer Mechanisms
For transfers outside the EU/EEA:
- Standard Contractual Clauses
- Supplementary measures
- Transfer impact assessments
Sub-Processors
We use carefully selected sub-processors:
- Hetzner (EU hosting)
- SendGrid (email)
- Monitoring services
Full list available in our DPA.
Security Measures
Technical and organizational measures include:
- Encryption at rest and in transit
- Role-based access controls
- Comprehensive audit logging
- Regular security testing
- Staff training
- Incident response procedures
Your Obligations
As a data controller, you must:
- Maintain lawful basis for processing
- Fulfill data subject requests
- Report breaches in a timely manner
- Maintain documentation
Data Retention
- Patient data retained per your instructions
- Audit logs retained for compliance periods
- Deletion upon request or contract termination
Breach Notification
In the event of a data breach:
- We notify you within 72 hours
- Provide details of the incident
- Assist with regulatory notifications
- Implement remediation measures
Documentation
We provide:
- Data Processing Agreement (DPA)
- Sub-processor list
- Technical and organizational measures document
- Data flow documentation
Contact
Data Protection Officer: dpo@kcraft.io
For GDPR inquiries, data subject requests, or to request our DPA, please contact us.