General Terms of Service
The main terms that apply to all Imani Health users, accounts, services and platform features.
Healthcare Organisation Terms
Terms for hospitals, clinics, pharmacies, laboratories and enterprise organisations using Imani Health.
Medical Practitioner Agreement
Terms for doctors, nurses, pharmacists, laboratory scientists and other healthcare professionals.
Data Processing Agreement (DPA)
1. Purpose
This Data Processing Agreement governs Imani's processing of personal data on behalf of a Healthcare Organisation, HMO, corporate employer, NGO, school, government agency or other enterprise customer in connection with the Platform.
This DPA supplements the General Terms of Service, Healthcare Organisation Terms and any applicable order form or enterprise agreement.
2. Definitions
Terms such as Data Controller, Data Processor, Personal Data, Sensitive Personal Data, Processing, Data Subject, Personal Data Breach and Data Protection Officer have the meanings given under applicable Data Protection Laws unless otherwise defined here.
Customer means the organisation that controls the relevant personal data and uses Imani's Platform.
Processor Data means personal data processed by Imani on behalf of the Customer under this DPA.
Subprocessor means a third party engaged by Imani to process Processor Data on behalf of the Customer.
3. Roles of the Parties
For Processor Data submitted to the Platform by or on behalf of the Customer, the Customer is the Data Controller and Imani is the Data Processor, unless a written agreement or applicable law provides otherwise.
For data that Imani processes for its own account administration, security, billing, fraud prevention, support, analytics, legal compliance, product improvement, direct patient services or other independently determined purposes, Imani may act as an independent Data Controller.
4. Customer Instructions
Imani will process Processor Data only on documented instructions from the Customer, including instructions contained in this DPA, the Healthcare Organisation Terms, the General Terms, the order form, Platform configuration and lawful user actions.
Imani may refuse an instruction where it reasonably believes the instruction violates Data Protection Laws, healthcare law, patient safety obligations, professional obligations or another legal requirement.
5. Subject Matter and Duration
The subject matter of processing is the provision, support, security, maintenance and improvement of the Platform for the Customer.
Processing continues for the duration of the Customer's use of the Platform and any post-termination retention, export, backup, legal, audit or deletion period described in this DPA, the Privacy Policy, the Healthcare Organisation Terms or an order form.
6. Nature and Purpose of Processing
Imani may process Processor Data to:
- host, store, retrieve and transmit patient and organisation data;
- support EMR, HMS, telehealth, appointment, pharmacy, laboratory, billing, claims and analytics workflows;
- manage staff accounts, permissions and audit logs;
- provide implementation, migration, training and support;
- process payments, invoices and wallet-related records where applicable;
- enable AI Scribe, transcription, translation, summarisation and documentation support where enabled;
- maintain security, backups, disaster recovery and business continuity;
- investigate incidents, misuse, complaints and support requests;
- comply with lawful requests and legal obligations.
Facility Offline Mode Processing
Where facility offline mode is enabled, Imani may process Processor Data to operate local storage, local access, local audit trails, synchronisation, retry handling, conflict review, record mapping and reconciliation between a Healthcare Organisation's local facility server and Imani's cloud services.
7. Categories of Data Subjects
Processor Data may relate to:
- patients;
- dependants and family members;
- healthcare professionals;
- organisation staff, contractors and administrators;
- corporate plan members, employees, students, beneficiaries or community participants;
- pharmacy, laboratory, HMO, insurer or partner users;
- visitors, support contacts and complainants.
8. Types of Personal Data
Processor Data may include:
- names, contact details, gender, date of birth, identifiers and demographic data;
- account credentials and authentication data;
- health information, symptoms, diagnoses, allergies, vitals, consultation notes, prescriptions, lab results, medical documents and admission records;
- dependant information;
- appointment, telehealth and communication records;
- payment, billing, invoice, subscription and transaction records;
- professional licences, credentials and verification documents;
- staff roles, departments, permissions and audit logs;
- technical data, IP address, device data, usage data and security logs;
- images, audio, video, transcription and AI-generated documentation where enabled.
9. Customer Obligations
The Customer must:
- ensure it has a lawful basis for processing and instructing Imani to process Processor Data;
- provide required privacy notices and obtain required consents;
- ensure data submitted to the Platform is accurate, relevant and lawful;
- configure access controls appropriately;
- ensure staff and authorised users comply with confidentiality and Data Protection Laws;
- respond to Data Subject requests where it is responsible for doing so;
- notify Imani promptly of unlawful instructions, security incidents or data issues;
- comply with registration, DPO, audit and reporting obligations where applicable under NDPA and NDPC guidance.
10. Imani Obligations
Imani will:
- process Processor Data in accordance with documented Customer instructions;
- maintain appropriate technical and organisational measures;
- restrict access to personnel and subprocessors with a need to know;
- require confidentiality obligations from authorised personnel;
- provide reasonable assistance for Data Subject requests, security obligations, breach response and compliance enquiries;
- maintain records and logs appropriate to the service;
- notify the Customer of confirmed Personal Data Breaches as described below;
- delete, return or anonymise Processor Data as described in this DPA, subject to legal retention and backup limitations.
11. Security Measures
Imani will maintain reasonable security measures designed to protect Processor Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures may include:
- encryption in transit and at rest where technically appropriate;
- access controls and role-based permissions;
- authentication controls;
- audit logging and monitoring;
- backup and recovery procedures;
- secure cloud hosting;
- vulnerability management;
- incident response procedures;
- least-privilege internal access;
- support access controls;
- confidentiality training or obligations for relevant personnel;
- segregation or logical separation of customer workspaces where applicable.
Specific security commitments may be expanded in an enterprise security schedule or order form.
Facility Offline Mode Security
Where facility offline mode is enabled, Personal Data may be temporarily stored and processed on a local facility server controlled or operated for the Healthcare Organisation. Imani will provide reasonable technical controls for facility registration, authentication, synchronisation, event logging, conflict reporting and service-to-service validation.
The Organisation remains responsible for the security of the local environment, including physical access, device access, local network controls, operating system maintenance, endpoint protection, power continuity, backup handling, and timely removal of staff access.
Both parties must cooperate to investigate suspected compromise, unauthorised access, sync tampering, data corruption, device theft, local server loss or failed synchronisation affecting Personal Data processed in facility offline mode.
12. Confidentiality
Imani will ensure that personnel authorised to process Processor Data are subject to appropriate confidentiality obligations. The Customer must impose equivalent confidentiality obligations on its users and staff.
13. Subprocessors
The Customer authorises Imani to engage subprocessors to provide, secure, support and improve the Platform. Subprocessors may include cloud hosting providers, database providers, SMS providers, email providers, push notification providers, payment processors, video providers, identity verification providers, customer support tools, analytics providers, AI service providers, security tools and infrastructure providers.
Imani will require subprocessors to protect Processor Data under obligations that are materially no less protective than those in this DPA, taking account of the service provided.
Where required by law or an enterprise agreement, Imani will provide a list of material subprocessors and a process for reasonable objections.
14. Cross-Border Transfers
Processor Data may be stored, accessed or processed outside Nigeria where necessary to provide cloud hosting, support, AI, communication, payment, security or other Platform services.
Imani will use lawful transfer mechanisms, safeguards, contractual protections, security measures or other conditions permitted by Data Protection Laws where cross-border transfers occur.
The Customer is responsible for informing Data Subjects and obtaining required consents or establishing another lawful basis where the Customer controls the transfer decision.
15. Data Subject Rights
Taking into account the nature of processing and Platform functionality, Imani will provide reasonable assistance to the Customer for Data Subject requests, including access, correction, deletion, restriction, objection, portability and consent withdrawal requests.
If Imani receives a request directly relating to Processor Data controlled by the Customer, Imani may redirect the request to the Customer unless required by law to respond directly.
16. Personal Data Breach Notification
Imani will notify the Customer without undue delay after confirming a Personal Data Breach affecting Processor Data. The notice may include available information about the nature of the incident, affected data, likely consequences, mitigation steps and recommended actions.
The Customer is responsible for notifying Data Subjects, regulators, professional bodies, insurers or other authorities where the Customer is legally required to do so, unless a written agreement assigns that responsibility to Imani.
The parties will cooperate in good faith to investigate, contain and remediate confirmed breaches.
17. Data Protection Impact Assessments and Regulatory Assistance
Where required and reasonably requested, Imani will assist the Customer with information necessary for data protection impact assessments, regulator enquiries, audit returns, compliance reviews and consultations relating to the Platform, subject to confidentiality, security and reasonable scope limitations.
18. Audits
The Customer may request reasonable information to verify Imani's compliance with this DPA. Imani may satisfy audit obligations by providing security summaries, certifications, questionnaires, policies, reports, attestations or written responses.
On-site audits or intrusive technical testing require prior written agreement, reasonable notice, confidentiality protections, security restrictions, limited scope and may be subject to reasonable fees.
The Customer must not conduct tests that disrupt, degrade, compromise or risk the Platform or other customers.
19. Retention, Return and Deletion
During the term, Processor Data will be retained as needed to provide the Platform and comply with applicable obligations.
Upon termination or written request, Imani will return, export, delete or anonymise Processor Data in accordance with the Healthcare Organisation Terms, order form, Platform functionality and applicable law.
Imani may retain Processor Data where necessary for legal obligations, medical record retention, audit, security, fraud prevention, dispute resolution, payment, tax, backup, regulatory or professional recordkeeping reasons.
Deleted data may remain in encrypted backups for a limited period before overwrite or secure deletion, during which backup data will be isolated from ordinary use except for disaster recovery, security or legal compliance.
Local Offline Copies
Personal Data stored in facility offline mode should be synchronised, retained, exported, deleted or otherwise handled according to the Organisation's lawful instructions, applicable retention obligations, Imani's technical capabilities, and any separate support or offboarding process agreed by the parties.
Where local copies remain on a facility server after termination, suspension or migration, the Organisation is responsible for preventing unauthorised use and following Imani's instructions for secure deletion, transfer, final sync or lawful retention.
20. AI Processing
Where AI Features are enabled, Processor Data may be processed to provide transcription, translation, summarisation, documentation, analytics or workflow assistance.
Imani will configure AI processing in accordance with applicable Platform settings, the order form, the Privacy Policy and this DPA. The Customer must ensure that AI use is lawful, disclosed where required and subject to human review for clinical or high-impact decisions.
Unless otherwise stated in a signed agreement, Imani will not permit identifiable Processor Data submitted by the Customer to be used to train third-party foundation models in a way that allows the third party to use that data for unrelated customers.
21. Anonymised and Aggregated Data
Imani may create and use aggregated, de-identified or irreversibly anonymised information for analytics, product improvement, benchmarking, security, research, public health insights, operational planning and reporting, provided the information can no longer reasonably identify a person or Customer-sensitive dataset.
22. Records of Processing and DPO Support
Where applicable, each party is responsible for maintaining its own records of processing activities, DPO appointment, compliance audit returns, registration as a data controller or processor of major importance and other obligations under Data Protection Laws.
Imani will provide reasonable information about its Platform processing to assist the Customer's records, subject to confidentiality and security limitations.
23. Liability
Liability for data protection matters is subject to the limitations in the applicable agreement, except where prohibited by law. Nothing in this DPA limits liability for obligations that cannot lawfully be limited.
24. Precedence
If there is a conflict between this DPA and other terms regarding processing of Processor Data, this DPA controls to the extent of the conflict. Commercial, billing, clinical and service scope matters remain governed by the applicable order form, Healthcare Organisation Terms and General Terms.
Schedule 1: Processing Details
Subject matter: Provision of Imani Health Platform services to the Customer.
Duration: Term of the Customer's subscription and any post-termination retention, export, backup or legal period.
Nature and purpose: Hosting, storage, access, transmission, support, analytics, security, telehealth, EMR, HMS, pharmacy, laboratory, billing, claims, AI documentation and administrative workflow support.
Data subjects: Patients, dependants, staff, practitioners, administrators, corporate plan members, beneficiaries, support contacts and related persons.
Data categories: Identity, contact, demographic, health, medical, appointment, payment, billing, professional, technical, usage, audit and communication data.
Sensitive data: Health information, medical records, biometric or identity verification information where collected, children's information where dependants are added, financial data and professional credentials.
Schedule 2: Minimum Security Measures
Imani's baseline safeguards may include:
- encryption for data in transit;
- encryption for stored data where technically appropriate;
- logical separation of customer workspaces;
- role-based access controls;
- administrative access restrictions;
- audit logs;
- backup and recovery procedures;
- secure software development practices;
- vulnerability management;
- incident response procedures;
- confidentiality obligations for personnel;
- subprocessors subject to contractual safeguards;
- disaster recovery and business continuity planning appropriate to the service level.
The Customer's baseline safeguards should include:
- unique user accounts;
- MFA where available;
- prompt user deactivation;
- staff confidentiality training;
- secure devices and networks;
- least-privilege access;
- secure handling of exports and printed records;
- internal breach escalation procedures;
- lawful patient notices and consents;
- periodic review of roles, staff and permissions.
---