Data Processing Agreement
1. Roles
You (the practitioner) are the Covered Entity. Tipulim US acts as your Business Associate and processes Protected Health Information (PHI) only to provide the service and on your documented instructions.
2. Safeguards
We maintain administrative, physical, and technical safeguards: AES-256 encryption at rest, TLS in transit, append-only audit logging of PHI access, and least-privilege access controls. Infrastructure runs on AWS under a signed BAA.
3. Subprocessors
We use AWS (Amplify, Aurora, Cognito, S3) as our infrastructure subprocessor under a Business Associate Addendum. Additional subprocessors (e.g. email, SMS) are engaged only under appropriate agreements.
4. Breach notification
We will notify you without undue delay upon discovery of a breach of unsecured PHI, with the information needed for you to meet your §164.400 obligations.
5. Patient rights
We support your obligations to provide access, amendment, and an accounting of disclosures. Patients can request an accounting of who accessed their records.
6. Return / deletion
On termination, PHI is retained for the legally required period and then securely deleted, or returned to you on request where feasible.
Last updated 2026. A countersigned BAA is available on request.