Data Processing Agreement
Last updated: 18 May 2026
This Data Processing Agreement (“DPA”) supplements and forms part of the Terms of Service between CaladriusHealth.AI (joint venture between GPracta and Yajur Healthcare, incorporated in India) and the subscribing Customer. It governs the processing of personal data under the Digital Personal Data Protection Act, 2023 (“DPDPA”).
1. Definitions
ABDM Policy — The Ayushman Bharat Digital Mission Draft Health Data Management Policy, April 2022 (v2), as amended.
Customer Data — Any personal data submitted to the Service by or on behalf of the Customer.
Data Fiduciary — Any person who determines the purpose and means of processing personal data (DPDPA Section 2(i)).
Data Principal — The individual to whom personal data relates (DPDPA Section 2(j)).
Data Processor — Any person who processes personal data on behalf of a Data Fiduciary (DPDPA Section 2(k)).
Personal Data Breach — As defined in DPDPA Section 2(u): any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data.
Processing — As defined in DPDPA Section 2(x): any wholly or partly automated operation performed on digital personal data.
Sub-Processor — A third party engaged by CaladriusHealth to process Customer Data in connection with the Service.
2. Roles
- The Customer is the Data Fiduciary for personal data within Customer Data.
- CaladriusHealth is the Data Processor for Customer Data, processing it only on behalf of and on the documented instructions of the Customer.
- CaladriusHealth acts as an independent Data Fiduciary for its own account management data (contact names, billing contacts, account emails).
3. How We Process Customer Data
CaladriusHealth processes Customer Data only:
- As necessary to provide the Service
- As otherwise instructed in writing by the Customer
- As required by applicable Indian law — in which case we will notify the Customer before processing unless prohibited from doing so
We do not process Customer Data for advertising, our own commercial purposes, or AI model training without prior written consent.
4. Data Residency
All Customer Data is processed and stored on-premises within India. We do not transfer Customer Data outside India. No cross-border data transfer mechanisms apply.
5. Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| On-premises LLM | Primary AI inference | On-premises, India |
| Anthropic, PBC | Optional cloud AI inference | United States (inference only; no retention) |
| Google LLC (Gemini) | Optional cloud AI inference | United States (inference only; no retention) |
Cloud AI sub-processors are opt-in, configurable per organisation. They receive only the minimum data necessary for each inference task and are contractually prohibited from retaining Customer Data or using it for model training.
We will give Customers reasonable advance written notice before engaging any new Sub-Processor that will process Customer Data. Customers may object on data protection grounds within a reasonable period of receipt of such notice. Continued use of the Service after the objection period constitutes acceptance.
CaladriusHealth remains liable to Customers for Sub-Processor acts and omissions to the same extent as if we performed the processing directly.
6. Security
CaladriusHealth implements and maintains the technical and organisational security measures described in our Security Policy to protect Customer Data against Personal Data Breach, in accordance with DPDPA Section 8(5).
7. Data Principal Rights
CaladriusHealth will assist Customers in fulfilling Data Principal rights under DPDPA Chapter III, including:
- Right to access information about personal data being processed (Section 11)
- Right to correction and erasure of personal data (Section 12)
- Right to grievance redressal (Section 13)
- Right to nominate (Section 14)
Where we receive a request directly from a Data Principal relating to Customer Data, we will promptly forward it to the Customer.
8. Breach Notification
In the event of a Personal Data Breach affecting Customer Data, CaladriusHealth will:
- Notify the Customer without undue delay and within 72 hours of becoming aware
- Provide details of the breach’s nature, scope, affected Data Principals, likely consequences, and remediation measures taken
- Cooperate with the Customer in complying with its own notification obligations to the Data Protection Board of India and affected Data Principals under DPDPA Section 8(6)
9. Data Deletion
On termination of the Agreement, CaladriusHealth will delete or return all Customer Data within 30 days of a written request, unless retention is required by Indian law. We will confirm deletion in writing.
10. Audits
On written request with at least 15 days’ notice, CaladriusHealth will make records available to demonstrate compliance with this DPA. On-site audits are limited to once per calendar year, during business hours, at the Customer’s cost.
11. Processing Details
| Item | Detail |
|---|---|
| Nature | Storage, retrieval, AI-assisted inference, analysis, transmission |
| Purpose | Revenue cycle management and health claims processing |
| Duration | Duration of the Agreement plus any legally required retention period |
| Data subjects | Hospital staff, billing coders, and claims administrators employed by the Customer |
| Personal data categories | Name, employee ID, role, login credentials, activity logs, billing transaction metadata |
| Special categories | None — the Service processes billing and claims data only, not clinical health records |
12. Governing Law
This DPA is governed by the laws of India. The courts of Bengaluru have exclusive jurisdiction.