johan
/
inou
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
inou/portal/templates/dpa.tmpl

146 lines
5.7 KiB
Cheetah
Raw Blame History

{{define "dpa"}}
<div class="page-container">
<div class="page-card">
<h1>Data Processing Agreement</h1>
<p class="intro">This agreement describes how <span class="inou">inou</span> processes your health data. It applies to all users and any third-party services that access your data through our platform.</p>
</div>
<div class="page-card">
<h2>Definitions</h2>
<h3>Data Controller.</h3>
<p>You. You decide what data to upload, who can access it, and when to delete it.</p>
<h3>Data Processor.</h3>
<p><span class="inou">inou</span>. We store, encrypt, and transmit your data according to your instructions.</p>
<h3>Third-party services.</h3>
<p>You may connect external services to your account, such as AI assistants. These services operate as independent controllers or as processors engaged directly by you — not as our sub-processors. We do not engage sub-processors for storage or core functionality.</p>
</div>
<div class="page-card">
<h2>Data we process</h2>
<h3>Health data.</h3>
<p>Medical imaging (DICOM files including MRI, CT, X-ray), laboratory results, genetic/genomic data, and any other health information you upload. Genetic and genomic data constitutes special category data under GDPR Article 9 and is processed solely on the basis of your explicit consent.</p>
<h3>Account data.</h3>
<p>Name, email address, date of birth, and sex. Used for account management and medical context.</p>
<h3>Technical data.</h3>
<p>IP addresses and session identifiers. Used exclusively for security and access control.</p>
</div>
<div class="page-card">
<h2>How we process it</h2>
<h3>Storage.</h3>
<p>All health data is encrypted using FIPS 140-3 validated cryptography before storage. Data resides on dedicated infrastructure in the United States that we own and operate.</p>
<h3>Transmission.</h3>
<p>All data in transit is protected by TLS 1.3 encryption. When you connect third-party services, data travels through an encrypted bridge directly to your session.</p>
<h3>Access.</h3>
<p>Only you and accounts you explicitly authorize can access your data. Staff access requires your explicit request, is restricted to senior personnel, and is logged.</p>
</div>
<div class="page-card">
<h2>Processing restrictions</h2>
<p>We process your data solely to provide the service. Specifically, we do <strong>not</strong>:</p>
<ul>
<li>Use your data for AI model training</li>
<li>Sell, rent, or share your data with third parties</li>
<li>Analyze your data for advertising or profiling</li>
<li>Access your data without your explicit request</li>
<li>Retain your data after account deletion</li>
</ul>
</div>
<div class="page-card">
<h2>Third-party connections</h2>
<p>When you connect an AI assistant or other service to <span class="inou">inou</span>:</p>
<ul>
<li>You explicitly authorize each connection</li>
<li>Data is transmitted only for your active session</li>
<li>We do not store copies of transmitted data</li>
<li>You can revoke access at any time</li>
<li>Each third party operates under their own privacy policy</li>
</ul>
<p>We recommend reviewing the privacy policy of any service you connect.</p>
</div>
<div class="page-card">
<h2>Security measures</h2>
<h3>Encryption.</h3>
<p>FIPS 140-3 validated encryption at rest. TLS 1.3 encryption in transit. Application-layer encryption before database storage.</p>
<h3>Infrastructure.</h3>
<p>Dedicated hardware. No shared cloud environments. Redundant storage with RAID-Z2. Uninterruptible power with generator backup.</p>
<h3>Access control.</h3>
<p>Role-based access control. Mandatory authentication. All access logged and auditable.</p>
<h3>Monitoring.</h3>
<p>Continuous automated monitoring. Intrusion detection. Regular security assessments.</p>
</div>
<div class="page-card">
<h2>Data retention</h2>
<p>We retain your data for as long as your account is active. When you delete your account:</p>
<ul>
<li>All personal data is permanently destroyed</li>
<li>All health data is permanently destroyed</li>
<li>Deletion is immediate and irreversible</li>
<li>Backups are overwritten within 30 days</li>
</ul>
<p>We do not offer recovery of deleted data.</p>
</div>
<div class="page-card">
<h2>Your rights</h2>
<h3>Access.</h3>
<p>See and export everything we store — data you've entered, account details, access logs, and audit history.</p>
<h3>Rectification.</h3>
<p>Correct any inaccurate data directly or by request.</p>
<h3>Erasure.</h3>
<p>Delete your account and all associated data instantly.</p>
<h3>Portability.</h3>
<p>Download data you've entered in standard formats. Your uploaded files are already yours.</p>
<h3>Objection.</h3>
<p>Revoke any permission at any time. We comply immediately.</p>
</div>
<div class="page-card">
<h2>Compliance</h2>
<p>This agreement is designed to comply with:</p>
<ul>
<li><strong>GDPR</strong> (European Union General Data Protection Regulation)</li>
<li><strong>FADP</strong> (Swiss Federal Act on Data Protection)</li>
<li><strong>HIPAA</strong> (US Health Insurance Portability and Accountability Act)</li>
</ul>
<p>We apply the highest standard regardless of your jurisdiction.</p>
</div>
<div class="page-card">
<h2>Contact</h2>
<p>Data Protection Officer: <a href="mailto:privacy@inou.com">privacy@inou.com</a></p>
<p>Questions about data processing: <a href="mailto:privacy@inou.com">privacy@inou.com</a></p>
<p>This agreement was last updated on February 8, 2026.</p>
</div>
{{template "footer"}}
</div>
{{end}}
Reference in New Issue View Git Blame Copy Permalink