Data Processing Agreement
DPA / Auftragsverarbeitungsvertrag (AVV)
Last updated: June 2025 · Pursuant to Art. 28 GDPR and Swiss FADP/DSG
1. Subject Matter and Purpose
This Data Processing Agreement (DPA) governs the processing of personal data and special categories of data (in particular health data) by Viali as data processor on behalf of the Customer (controller). Processing is carried out solely for the purpose of providing the contractually agreed services of the Viali platform.
2. Nature, Scope, and Purpose of Processing
Viali processes the following categories of data in the course of providing its services:
- Patient master data (name, date of birth, contact details)
- Medical documentation data (diagnoses, anaesthesia records, surgical reports)
- Staff data for clinical personnel
- Scheduling and planning data
- Billing and performance data
The purpose of processing is the provision and operation of the Viali platform for clinic management.
3. Obligations of the Processor
Viali undertakes to:
- Process data only on documented instructions from the controller
- Ensure the confidentiality of processed data
- Implement all required technical and organisational measures pursuant to Art. 32 GDPR
- Engage no sub-processors without prior written consent from the controller
- Assist the controller in fulfilling its obligations towards data subjects
- Return or delete all data after completion of services
4. Technical and Organisational Measures (TOMs)
Viali implements and maintains the following security measures:
- Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access management (RBAC) with multi-factor authentication
- Continuous security monitoring and anomaly detection
- Regular security audits and penetration tests
- Data storage exclusively in Switzerland or the EU
- Complete audit trails for all data access
- Disaster recovery with RPO < 1 hour and RTO < 4 hours
5. Sub-processors
Viali uses selected sub-processors to operate the platform (e.g. for hosting and email delivery). These are contractually bound to comply with GDPR requirements. An up-to-date list of sub-processors is available upon request.
6. Data Breach Notification
Viali will notify the controller of any personal data breach without undue delay, and no later than 24 hours after becoming aware of it. The notification will contain all information required under Art. 33(3) GDPR.
7. Contact and Individual DPA
Customers who require an individual Data Processing Agreement are welcome to contact us at:
hello@viali.app
We are happy to provide a complete DPA tailored to your facility.