B2B ENTERPRISE POLICY SUITE

DATA PROCESSING AGREEMENT (DPA)

This DPA forms an integral part of the commercial agreement between:
SAHCHI HEARING AND SPEECH SOLUTIONS PRIVATE LIMITED (“Gabify”)
and
The Institution (“Data Fiduciary” / “Client”)

Applies to: all usage of Neurolens, and any services where Gabify processes personal/sensitive personal data on behalf of an institution.

1. DEFINITIONS

“Data Fiduciary / Client / Institution”

The entity (hospital, clinic, school, NGO, therapist practice) responsible for determining the purpose and means of processing client/child data.

“Data Processor / Gabify”

Gabify processes data strictly on instructions of the Institution.

“Personal Data”

Any information identifying an individual.

“Sensitive Personal Data”

Includes:

• Child information
  
• Disability, diagnosis, developmental data
  
• Audio/video recordings
  
• Therapy and assessment information
  
• Behavioral and psychological attributes
  

“Processing”

Includes: collection, storage, transmission, analysis, retrieval, deletion, and AI model inference.

“AI Training Data”

De-identified data used for internal AI model improvement, only with explicit consent.

2. PURPOSE OF DATA PROCESSING

Gabify processes data solely for:

• Delivering Neurolens functionality
  
• Generating assessments and digital reports
  
• Providing analytics and dashboards
  
• Supporting clinical workflows
  
• Improving service quality
  
• AI model inference
  

AI training is only done with explicit consent.

Gabify does not use, share, or process data for:

• Advertising
  
• Marketing
  
• Commercial resale
  
• Training third-party AI systems
  

3. OBLIGATIONS OF THE INSTITUTION (DATA FIDUCIARY)

The Institution agrees to:

3.1 Collect Lawful Consent

• Parent/guardian consent for child data
  
• Consent for audio/video recording
  
• Separate optional consent for AI training data
  

3.2 Ensure Data Accuracy

Gabify is not responsible for inaccurate or incomplete data uploaded by users.

3.3 Restrict Access

Only verified clinicians/employees may access Neurolens.

3.4 Compliance With Law

Institution is the primary fiduciary under the DPDP Act.

3.5 Provide Deletion Requests

Deletion rights must be channeled through the institution.

4. OBLIGATIONS OF GABIFY (DATA PROCESSOR)

Gabify shall:

4.1 Process Data Only on Client Instructions

No independent use of data.

4.2 Maintain Strict Confidentiality

Employees and contractors are bound by confidentiality agreements.

4.3 Implement Security Measures

Gabify uses:

• Encryption at rest (AES-256)
  
• Encryption in transit (TLS 1.2+)
  
• Role-based access control
  
• Audit trails
  
• Secure cloud infrastructure
  

4.4 Assist with Data Access Requests

Gabify will assist the Institution in fulfilling individual rights (access, correction, deletion).

4.5 Report Incidents

Any security breach affecting client data will be reported promptly.

5. CROSS-BORDER DATA HANDLING

Gabify may store/process certain operational data in secure regions such as India, Singapore, or Europe.

Sensitive child/patient data is not exported outside India unless:

• Institution authorizes
  
• Equivalent legal safeguards apply
  
• Data is encrypted
  

6. SUB-PROCESSORS

Gabify uses vetted sub-processors for:

• Cloud hosting
  
• Analytics
  
• Email delivery
  
• Customer support
  

Gabify ensures all sub-processors:

• Sign binding data protection agreements
  
• Meet security and compliance standards
  

7. TERM & TERMINATION

This DPA remains active:

• Throughout the duration of the commercial agreement
  
• Until data deletion obligations are fulfilled
  

Upon termination:

• Gabify will delete or return all identifiable data
  
• De-identified AI training data may be retained (non-reversible)
  

8. LIABILITY

Institution retains responsibility for:

• Data accuracy
  
• Consent failures
  
• Unauthorized user activity
  

Gabify’s total liability is limited to fees paid in the preceding 6 months (unless otherwise stated in commercial contract).

9. AUDIT RIGHTS

Institutions may request:

• Security documentation
  
• Infrastructure certifications
  
• Processing logs
  

Gabify may refuse audits that compromise platform security or other customer confidentiality.

10. GOVERNING LAW

This DPA is governed by Indian law, with exclusive jurisdiction in New Delhi, unless specified otherwise in the commercial contract.

B2B USER ELIGIBILITY & VERIFICATION POLICY

 Applies To: Neurolens users accessing clinical AI workflows.

1. PURPOSE

This policy ensures that only qualified professionals and authorized institutions use Neurolens.

2. ELIGIBLE INSTITUTIONS

Neurolens is restricted to:

• Hospitals
  
• Clinics
  
• Rehabilitation centers
  
• Schools & preschools
  
• NGOs
  
• Special needs centers
  
• Government health/education agencies
  
• Registered therapy practices
  

Gabify may request:

• Registration certificates
  
• Medical/clinical licenses
  
• GST details
  
• Organizational identity verification
  

3. ELIGIBLE USERS (INDIVIDUAL)

Users must be:

• Speech-language pathologists
  
• Clinical psychologists
  
• Pediatricians
  
• Occupational therapists
  
• Special educators
  
• Behavioral therapists
  
• School counsellors
  
• Neurologists or developmental experts
  

All users must:

• Be affiliated with a verified institution
  
• Have proper credentials
  
• Follow ethical clinical practices
  
• Use Neurolens strictly for authorized purposes
  

4. VERIFICATION PROCEDURES

Gabify may perform:

• KYC/KYB for institutions
  
• License verification
  
• Certificate checks
  
• Staff employment verification
  
• OTP/email verification
  
• Role-based permission approval
  

5. PROHIBITED USERS

Neurolens cannot be used by:

• Unverified individuals
  
• Parents or general consumers
  
• Commercial entities not engaged in clinical work
  
• Entities intending to resell or redistribute the platform
  

Gabify reserves the right to suspend accounts immediately if in violation.

6. USER ACCESS MANAGEMENT

Institutions must:

• Maintain updated user lists
  
• Revoke access of former employees
  
• Assign roles responsibly
  

Gabify supports:

• Admin dashboards
  
• Permission controls
  
• Access logs
  

7. ACCOUNTABILITY

Institutions assume legal responsibility for:

• Misuse of accounts
  
• Unauthorized uploads
  
• Breach of consent obligations
  
• Inaccurate assessments
  

ACCEPTABLE USE & ANTI-ABUSE POLICY

 Applies to: Gabify website & Neurolens application

1. PURPOSE

To prevent:

• Misuse of clinical AI
  
• Unauthorized access
  
• Data abuse
  
• Harmful assessments
  
• Misrepresentation of AI accuracy
  

2. ACCEPTABLE USE

Users may:

• Conduct screenings
  
• Generate reports
  
• Use Neurolens under supervision of certified professionals
  
• Train staff internally
  
• Use results for clinical documentation
  

3. PROHIBITED ACTIONS

Users shall NOT:

3.1 Upload Data Without Consent

• No child data without parent/guardian permission
  
• No unauthorized recordings
  

3.2 Misuse AI Tools

• Use AI outputs as sole basis for diagnosis
  
• Present Neurolens as a certified diagnostic tool
  
• Input fabricated or misleading data
  

3.3 Abuse System Infrastructure

• Attempt reverse engineering
  
• Breach security controls
  
• Launch DDoS, scraping, or penetration attacks
  
• Use bots to automate assessments
  

3.4 Unauthorized Commercial Use

• Resell Neurolens
  
• Offer Neurolens as a service without agreement
  
• Train third-party machine learning models
  

3.5 Inappropriate Use of Reports

• Using reports in legal disputes as “proof”
  
• Sharing reports outside the clinical context
  
• Posting outputs on public platforms
  

4. DISRUPTIVE OR UNETHICAL BEHAVIOR

Users may not:

• Harass platform staff
  
• Attempt fraud
  
• Upload illegal or harmful content
  
• Use Neurolens to make discriminatory decisions
  

5. ENFORCEMENT ACTIONS

Gabify may:

• Suspend accounts
  
• Disable access
  
• Terminate institutional licenses
  
• Report violations to authorities
  
• Pursue legal remedies
  

6. REPORTING ABUSE

Email: info@gabify.life