Terms of Service

Last updated June 2026. These Terms of Service govern access to and use of MedFlow's clinical data structuring, registry, and compliance products. They are governed by the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (Royal Decree No. M/19). By using the service you agree to these terms on behalf of your institution.

1. Acceptance and parties

By accessing or using MedFlow, you accept these terms on behalf of yourself and the institution you represent. If you do not agree, do not use the service.

2. The service

MedFlow provides software for extracting, structuring, de-identifying, querying, and reporting on clinical data within a customer's environment. The specific products, scope, and deployment are defined in your order or agreement with us.

3. Roles under the PDPL

For clinical data, the customer is the data controller and MedFlow acts as a processor, handling personal data only on the customer's documented instructions and in accordance with the PDPL and its Implementing Regulations.

4. Compliance with Saudi law

The customer is responsible for the lawfulness of the data it processes and for its obligations under the PDPL, Ministry of Health requirements, CBAHI accreditation standards, and NPHIES participation. MedFlow provides the software and supports the customer's compliance but does not assume the customer's regulatory obligations.

5. Data residency and security

Where agreed, MedFlow is deployed to keep personal data within the Kingdom on compliant infrastructure, and applies technical and organizational safeguards including encryption, access control, and audit logging consistent with the PDPL.

6. Accounts and access

You are responsible for safeguarding credentials and for activity under your accounts, and must notify us promptly of any unauthorized use.

7. Customer data and confidentiality

You retain all rights to your clinical and institutional data. MedFlow accesses it only as needed to provide and support the service and treats it as confidential.

8. Acceptable use

You may not misuse the service, attempt unauthorized access, re-identify de-identified data without authority, or use the service in violation of applicable law or the rights of patients or third parties.

9. Intellectual property

MedFlow and its software, models, and documentation are owned by MedFlow and its licensors. You receive a limited, non-exclusive right to use the service; no ownership is transferred.

10. Fees

Fees, payment terms, and deployment scope are set out in your order or agreement with MedFlow.

11. Warranties and disclaimers

The service is provided on an “as is” basis to the extent permitted by law. MedFlow is data infrastructure and does not provide medical advice or make clinical or regulatory decisions; the customer remains responsible for those judgments.

12. Limitation of liability

To the maximum extent permitted by Saudi law, MedFlow is not liable for indirect, incidental, or consequential damages arising from use of the service. Nothing limits liability that cannot be limited under applicable law.

13. Term and termination

These terms apply while you use the service. On termination, your right to use the service ends and personal data is returned or destroyed as set out in your agreement and as required by the PDPL.

14. Governing law and disputes

These terms are governed by the laws of the Kingdom of Saudi Arabia. Disputes are subject to the competent Saudi courts, or to arbitration where the parties have agreed to it in writing.

15. Changes and contact

We may update these terms and will communicate material changes. Questions can be sent to support@medflow.sa.