MediDesk policies

Data Processing Agreement / Operator Agreement

The operator agreement that governs DeskLabs processing personal information on behalf of customer practices.

Operator: DeskLabsEffective date: 23 June 2026Version: 1.4

This Data Processing Agreement ("DPA") forms part of the MediDesk Terms of Service and governs DeskLabs' processing of personal information on behalf of customer practices. In the event of a conflict on a data processing matter, this DPA prevails.

1. Roles

For patient personal information entered and managed by a customer practice through MediDesk:

  • the customer practice is the responsible party as defined in POPIA — it decides why and how patient data is processed;
  • DeskLabs is the operator — it processes patient data only to provide the MediDesk service, on the practice's behalf.

DeskLabs is an independent responsible party for its own account administration, billing, security, support, and compliance activities.

2. Processing Instructions

DeskLabs processes Customer personal information only:

  • to provide, operate, maintain, support, and secure MediDesk;
  • as configured or instructed by the Customer through the platform;
  • as required by applicable South African law;
  • as necessary to investigate security incidents, support requests, or legal claims.

DeskLabs will not use patient personal information for its own commercial, marketing, or AI training purposes.

3. Processing Details

ItemDetail
Subject matterMediDesk practice management SaaS and related services (administrative use only — not a clinical system, medical device, or EHR in any capacity)
DurationSubscription term plus 30-day post-termination export window
NatureHosting, storage, retrieval, transmission, logging, deletion, AI-assisted call handling and transcription
PurposesPatient administration, scheduling, consent, billing, communications (including SMS message content and metadata), AI voice receptionist call handling and transcription, appointment notifications, queue management, SMS credit purchases, support, security, and audit
Data subjectsPatients, guardians, caregivers, practice users, referring doctors, callers to AI Voice Receptionist
Data categoriesIdentity, contact, health, clinical, billing, authorisation, communications (including message bodies and delivery metadata), voice call recordings and transcripts (where recording consent given), SMS credit purchase records, audit, and technical data
Special dataHealth information, identity numbers, minor patient data, financial information, voice recordings (with consent)

4. Customer Obligations

The Customer, as responsible party, is solely responsible for:

  • having a lawful POPIA condition for each category of patient data processed;
  • providing patients with required POPIA notices and obtaining required consents;
  • providing patients with the patient-facing privacy notice before they submit information through public consent forms or walk-in queue check-in;
  • the accuracy and lawfulness of data entered into MediDesk;
  • responding to patient data subject requests (access, correction, deletion, objection) as the responsible party;
  • complying with healthcare recordkeeping and professional obligations, including obligations that survive termination of the MediDesk subscription;
  • managing patient communication authority, recipient lists, and opt-out requests;
  • the content and lawfulness of all communications sent through MediDesk;
  • configuring and supervising the AI Voice Receptionist, including recording consent settings and informing patients that calls may be handled by an AI system.

DeskLabs is not responsible for the Customer's compliance as responsible party. DeskLabs' deletion of platform records does not fulfil the Customer's own legal or professional record retention obligations.

5. Confidentiality

DeskLabs limits access to Customer personal information to personnel who require it for support, security, billing, onboarding, incident response, or legal compliance. All such personnel are bound by confidentiality obligations. DeskLabs personnel must not access customer or patient data for any other purpose, must not copy or export patient data outside approved systems, and must log any access in the relevant support ticket or incident record.

6. Security

DeskLabs maintains reasonable technical and organisational security measures appropriate to the sensitivity of health information, including:

  • practice-scoped access controls and Row Level Security (RLS);
  • role-based permissions within each practice;
  • private document storage for patient files, consent PDFs, and clinical documents;
  • encryption in transit (HTTPS/TLS) and encryption at rest via hosting and database providers;
  • audit logging of sensitive actions;
  • incident response procedures as described in the Incident Response Policy.

DeskLabs does not warrant that these measures will prevent all incidents. Full details are in the Information Security Policy.

7. Subprocessors

DeskLabs uses the following subprocessors:

ProviderPurposeCountryData processed
SupabaseDatabase, authentication, file storageUS (AWS)All practice and patient data
VercelApplication hostingUS / Global EdgeApplication traffic, session tokens
WinSMSSMS messaging (primary)South AfricaSMS message content and delivery metadata
TwilioSMS messaging (fallback)USSMS message content and delivery metadata
Retell.aiAI Voice ReceptionistUSCall audio, transcripts, recordings (with consent), call metadata
OpenAIAudio transcriptionUSCall audio for transcription only; not used for model training
PayFastSubscription payments and SMS credit top-up purchasesSouth AfricaPayment tokens; no patient data
SentryError monitoringUSError logs; PII scrubbed before transmission
Make.comAutomation webhooksEUOperational workflow data
CloudflareWeb analytics and performanceUS / GlobalNo personally identifiable data
UpstashRate limitingUS / EURequest metadata only

These providers are bound by data protection obligations. DeskLabs will give the Customer reasonable advance notice of material subprocessor changes. The Customer may object within 14 days; if DeskLabs cannot accommodate the objection, the Customer may terminate on 30 days' notice without penalty.

8. Data Subject Rights

DeskLabs will provide reasonable technical assistance to help the Customer respond to patient data subject rights requests. Customers, as the responsible party, are responsible for all patient-facing responses. DeskLabs will direct any direct patient enquiries to the relevant practice.

9. Breach Notification

If DeskLabs becomes aware of a security compromise affecting Customer personal information, DeskLabs will notify the affected Customer without undue delay. Notification will include available facts about the nature, scope, and containment of the incident. The Customer, as responsible party, is responsible for determining its own notification obligations to the Information Regulator and affected patients under POPIA Section 22. DeskLabs will provide the information it has to support that assessment.

10. Retention and Deletion

During the subscription term, the Customer may export its data at any time using MediDesk's built-in export tools. After termination, Customer personal information in active production systems is retained for 30 days for export. After the export window, active data is deleted, subject to:

  • backup retention cycles (backup copies may persist for the duration of the backup schedule);
  • audit log retention requirements (3 years);
  • billing record retention requirements under South African tax law (5 years);
  • any legal hold imposed for ongoing disputes, regulatory investigations, or litigation.

Healthcare recordkeeping obligations apply to the Customer's practice and survive termination of the MediDesk subscription. DeskLabs' deletion of platform records does not fulfil the Customer's own legal retention obligations under the National Health Act, HPCSA rules, or other applicable law.

11. Governing Law and Liability

This DPA is governed by the laws of the Republic of South Africa. The parties submit to the non-exclusive jurisdiction of the Western Cape Division of the High Court, Cape Town. The liability limitations in the Terms of Service apply equally to this DPA.

Contact: legal@desklabs.co.za | desklabs.co.za