Last updated: January 2026
This Data Processing Agreement (“DPA”) forms part of the Enterprise Terms of Service (“Terms”) between:
This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Service.
Capitalised terms not defined in this DPA have the meanings given in the Terms or in UK GDPR.
This DPA supplements the Terms. In the event of conflict, this DPA prevails in relation to data protection matters.
The Controller determines the purposes and means of Processing. The Processor Processes Personal Data solely on behalf of the Controller.
The Processor shall Process Personal Data only on documented instructions from the Controller, including those set out in the Terms, this DPA, any Order Form, and any other written instructions agreed between the parties. Instructions may be given in writing, including by email or via the Service.
Where required by law to Process otherwise, the Processor shall inform the Controller unless prohibited.
The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex 1.
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Measures are described in Annex 2 and may evolve with risk.
Processor ensures all authorised persons are bound by confidentiality and process only on instructions.
Controller grants general authorisation for Sub-processors. Processor shall maintain a list and give prior notice of changes, allowing reasonable objection.
Processor remains fully liable for Sub-processors and shall be responsible for their acts and omissions as if they were its own. All Sub-processors must be bound by equivalent obligations.
Processor shall assist the Controller in responding to rights requests. Direct requests shall be forwarded without response.
Processor shall assist with Articles 32–36 UK GDPR, including DPIAs and ICO consultation.
Processor shall make available all information necessary to demonstrate compliance to the Controller and, where required, to the ICO.
Processor shall notify Controller without undue delay and provide required details and cooperation.
Controller may audit annually on 30 days' notice during business hours. Processor may provide certifications where appropriate.
Upon termination, Personal Data shall be returned or deleted at Controller's choice. Data may be retained for 90 days per the Terms.
Processor shall certify deletion upon request.
Transfers outside the UK shall use UK IDTA and/or UK SCC Addendum with Transfer Risk Assessments.
Liability follows the Terms. Nothing limits liability for death, injury, or fraud.
This DPA is governed by the laws of England and Wales.
Subject matter: Provision of a healthcare CRM.
Duration: Subscription Term plus 90 days.
Nature and purpose: Hosting, storage, organisation, transmission, and analysis.
Data subjects: Patients, staff, clinicians, administrators.
Categories of data: Contact data, appointments, communications, treatment context, credentials.
Special categories: Health data processed only on instructions.