UK Data Processing Agreement

UK GDPR-compliant DPA with International Data Transfer Agreement (IDTA) provisions.

Last updated: 18 December 2025 | Version: 1.0

This Data Processing Agreement ("DPA") template is provided for informational purposes. Healthcare organisations entering into a service agreement with PreConsult will receive a customised DPA as part of their onboarding.

To request a customised DPA or discuss specific requirements, contact: legal@preconsult.ai

Note: This template complies with Article 28 of the UK GDPR and includes provisions for international data transfers using the UK International Data Transfer Agreement (IDTA). It should be reviewed by your legal counsel before execution.

1. Parties and Background

PARTIES

(1) Data Controller: [Healthcare Organisation Name] of [Address] ("Controller")

(2) Data Processor: Slay Pty Ltd (ABN 59 686 642 366) trading as PreConsult, of Melbourne, Australia ("Processor")

(each a "Party" and together the "Parties")

1.1 Background

(A) The Controller has engaged the Processor to provide clinical decision support services ("Services") under a separate service agreement ("Principal Agreement").

(B) The provision of the Services involves the processing of personal data, including special category data (health data).

(C) The Parties wish to ensure that the processing of personal data complies with UK Data Protection Laws.

(D) This DPA sets out the terms on which the Processor will process personal data on behalf of the Controller.

(E) Where personal data is transferred outside the UK to countries without adequacy decisions, the UK International Data Transfer Agreement (IDTA) provisions in this DPA shall apply.

2. Definitions

In this DPA:

  • "UK Data Protection Laws" means the UK GDPR, Data Protection Act 2018, and any other applicable UK data protection legislation.
  • "UK GDPR" means the EU GDPR as incorporated into UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
  • "ICO" means the UK Information Commissioner's Office.
  • "IDTA" means the UK International Data Transfer Agreement issued by the ICO under Section 119A of the Data Protection Act 2018.
  • "Adequacy Regulations" means regulations made under Section 17A of the Data Protection Act 2018 specifying that a country provides adequate protection for personal data.
  • "Personal Data" has the meaning given in UK Data Protection Laws.
  • "Processing" has the meaning given in UK Data Protection Laws and "Process" and "Processed" shall be construed accordingly.
  • "Personal Data Breach" has the meaning given in UK Data Protection Laws.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Restricted Transfer" means a transfer of Personal Data from the UK to a country or territory outside the UK which is not subject to Adequacy Regulations.
  • "Transfer Risk Assessment" or "TRA" means an assessment of the laws and practices in the destination country that may affect the protection of transferred Personal Data.

3. Scope and Purpose

3.1 Scope

This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.

3.2 Roles

The Parties acknowledge that:

  • The Controller is the data controller of the Personal Data;
  • The Processor is the data processor acting on behalf of the Controller;
  • The Processor shall only Process Personal Data on documented instructions from the Controller.

3.3 Duration

This DPA shall remain in force for the duration of the Principal Agreement and for as long as the Processor continues to Process Personal Data on behalf of the Controller.

3.4 UK Representative

The Processor has appointed a UK Representative in accordance with Article 27 of the UK GDPR. Contact details are available in our UK GDPR Policy.

4. Processing Details (Schedule 1)

Subject Matter and Duration

Subject matter: Provision of clinical decision support services including AI-powered pre-consultation interviews, clinical summarisation, and decision support suggestions.

Duration: For the term of the Principal Agreement plus any retention period required by law.

Nature and Purpose

Nature: Collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data.

Purpose: To provide pre-consultation health history collection, clinical summarisation, clinical decision support, and related healthcare services.

Types of Personal Data

  • Patient identifying information (name, date of birth, contact details)
  • Health data (symptoms, medical history, medications, allergies, family history)
  • Demographic information (age, gender)
  • Communication records (interview transcripts, chat logs)
  • Appointment information
  • Practitioner account information

Categories of Data Subjects

  • Patients of the Controller
  • Healthcare practitioners employed by or contracted to the Controller
  • Administrative staff of the Controller

Special Category Data

Health data: The Processing includes special category data (health data) under Article 9 of the UK GDPR. The Controller confirms that it has established a lawful basis for Processing health data (typically Article 9(2)(h) - healthcare purposes) and that the common law duty of confidentiality is addressed through appropriate patient consent or statutory basis.

5. Processor Obligations

5.1 Processing Instructions

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by UK law;
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes UK Data Protection Laws;
  • Process Personal Data only to the extent necessary to provide the Services.

5.2 Confidentiality

The Processor shall ensure that persons authorised to Process the Personal Data:

  • Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Process the Personal Data only on instructions from the Controller.

5.3 Records

The Processor shall maintain records of Processing activities as required by Article 30(2) of the UK GDPR, including:

  • Name and contact details of the Processor and each Controller;
  • Categories of Processing carried out;
  • International transfers and safeguards;
  • Description of technical and organisational security measures.

5.4 Caldicott Principles

Where the Processor handles NHS patient data, it shall observe the Caldicott Principles and support the Controller's Caldicott Guardian responsibilities.

6. Security Measures (Schedule 2)

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

6.1 Technical Measures

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls
  • Multi-factor authentication for practitioner accounts
  • Firewalls, intrusion detection, and DDoS protection
  • Regular security testing and vulnerability assessments
  • Encrypted backups with tested recovery procedures
  • Data residency in UK or approved locations

6.2 Organisational Measures

  • Information security policies and procedures
  • Staff training on data protection and security
  • Access limited to personnel with legitimate need
  • Regular access reviews
  • Incident response procedures
  • Business continuity planning

6.3 NHS DSPT Compliance

The Processor is registered with the NHS Data Security and Protection Toolkit and maintains compliance with the 10 National Data Guardian standards.

7. Sub-Processors

7.1 General Authorisation

The Controller provides general authorisation for the Processor to engage Sub-processors, subject to the requirements below.

7.2 Sub-Processor Requirements

The Processor shall:

  • Maintain a list of Sub-processors available to the Controller upon request;
  • Enter into written agreements with Sub-processors imposing data protection obligations equivalent to this DPA;
  • Where Sub-processors are located outside the UK, ensure appropriate transfer mechanisms are in place;
  • Remain fully liable to the Controller for the performance of Sub-processors.

7.3 Changes to Sub-Processors

The Processor shall:

  • Notify the Controller of any intended addition or replacement of Sub-processors;
  • Provide at least 30 days' notice before engaging new Sub-processors;
  • Consider in good faith any objections raised by the Controller.

7.4 Current Sub-Processors

The current list of approved Sub-processors is set out in Schedule 3 (available upon request) and includes:

  • Cloud infrastructure providers
  • AI language model providers
  • SMS delivery services
  • Email delivery services

8. International Transfers (IDTA)

8.1 Data Residency

Primary Personal Data for UK customers shall be stored in the United Kingdom (London region) unless otherwise agreed in the Principal Agreement.

8.2 Restricted Transfers

Where Personal Data is transferred outside the UK to countries not subject to Adequacy Regulations (a "Restricted Transfer"), the Processor shall ensure appropriate safeguards are in place using the UK International Data Transfer Agreement (IDTA).

8.3 IDTA Incorporation

For any Restricted Transfer under this DPA:

  • The IDTA Tables in the Annex to this DPA are incorporated by reference;
  • The Parties are deemed to have signed the IDTA;
  • In the event of any conflict between this DPA and the IDTA, the IDTA shall prevail to the extent of the conflict.

8.4 Transfer Risk Assessment

The Processor shall:

  • Conduct and document a Transfer Risk Assessment (TRA) before any Restricted Transfer;
  • Assess whether the laws and practices in the destination country provide adequate protection;
  • Implement supplementary measures where necessary to ensure equivalent protection;
  • Make the TRA available to the Controller upon request.

8.5 Government Access Requests

If the Processor receives a legally binding request for disclosure of Personal Data from a government authority, the Processor shall:

  • Notify the Controller promptly (unless legally prohibited);
  • Challenge the request if grounds exist;
  • Minimise disclosure to the extent permitted by law;
  • Redirect the authority to the Controller where possible.

8.6 Supplementary Measures

For transfers to the United States (where certain Sub-processors are located), the Processor implements the following supplementary measures:

  • Strong encryption of data in transit and at rest;
  • Pseudonymisation where technically feasible;
  • Contractual commitments to challenge disproportionate government access requests;
  • Transparency reporting on government access requests received.

9. Data Subject Rights

9.1 Assistance

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under UK Data Protection Laws, including rights of:

  • Access (Subject Access Requests)
  • Rectification
  • Erasure ("right to be forgotten")
  • Restriction
  • Data portability
  • Objection

9.2 Notification

The Processor shall notify the Controller promptly (within 5 business days) upon receiving any request from a data subject, and shall not respond directly unless instructed by the Controller.

10. Data Breach Notification

10.1 Notification Obligations

Upon becoming aware of a Personal Data Breach, the Processor shall:

  • Notify the Controller without undue delay (and in any event within 24 hours);
  • Provide all reasonably available information about the breach;
  • Cooperate with the Controller's investigation and response;
  • Support the Controller in meeting its obligation to notify the ICO within 72 hours of becoming aware of the breach.

10.2 Information to Provide

The notification shall include:

  • Description of the nature of the breach;
  • Categories and approximate number of data subjects affected;
  • Categories and approximate number of records affected;
  • Likely consequences of the breach;
  • Measures taken or proposed to address the breach.

11. DPIA Assistance

The Processor shall provide reasonable assistance to the Controller with:

  • Data Protection Impact Assessments (DPIAs);
  • Prior consultation with the ICO;
  • Compliance with the Controller's obligations under Articles 32-36 of the UK GDPR.

12. Audit Rights

12.1 Audit Access

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and UK Data Protection Laws.

12.2 Audit Conduct

The Controller (or its appointed auditor) may conduct audits, subject to:

  • Reasonable advance notice (at least 30 days);
  • Audits during normal business hours;
  • Confidentiality obligations regarding Processor information;
  • No more than one audit per 12-month period (except where required by the ICO).

12.3 Alternative Evidence

The Processor may satisfy audit requirements by providing:

  • Third-party audit reports or certifications;
  • NHS DSPT assessment results;
  • Completed security questionnaires;
  • Documentation of security practices and procedures.

13. Termination and Data Return

13.1 Upon Termination

Upon termination of the Principal Agreement, the Processor shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a commonly used format; or
  • Delete all Personal Data and certify such deletion.

13.2 Retention Exceptions

The Processor may retain Personal Data where required by UK law, provided:

  • The Controller is notified of the legal requirement;
  • Processing is limited to the extent required by law;
  • Appropriate security measures continue to apply.

14. Liability

14.1 Liability Cap

Liability under this DPA shall be subject to the limitations set out in the Principal Agreement.

14.2 Indemnification

Each Party shall indemnify the other against losses arising from breaches of this DPA or UK Data Protection Laws attributable to the indemnifying Party.

15. IDTA Tables (Annex)

The following tables are completed in accordance with the ICO's International Data Transfer Agreement template:

Table 1: Parties and Signatures

  • Start Date: [Date of execution]
  • Exporter (Controller): [Healthcare Organisation Name], [Address], [Contact: DPO email]
  • Importer (Processor): Slay Pty Ltd trading as PreConsult, Melbourne, Australia; Contact: privacy@preconsult.ai

Table 2: Transfer Details

  • UK country's law that governs the IDTA: England and Wales
  • Primary place for legal claims: England and Wales
  • Importer's role: Processor
  • Linked Agreement: This DPA and the Principal Agreement

Table 3: Transferred Data

As described in Section 4 (Processing Details) of this DPA:

  • Data subjects: Patients, healthcare practitioners, administrative staff
  • Data types: Identifying information, health data, demographic information, communication records
  • Special category data: Yes - health data
  • Processing purposes: Clinical decision support services
  • Processing operations: Collection, storage, structuring, retrieval, use, disclosure, erasure

Table 4: Security Requirements

As described in Section 6 (Security Measures) of this DPA, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication
  • Role-based access controls
  • Regular security testing
  • Incident response procedures
  • Staff training and confidentiality obligations

Execution

This DPA (including the incorporated IDTA) is executed as a deed / under hand [delete as applicable].

SIGNED for and on behalf of [Controller Name]
SIGNED for and on behalf of Slay Pty Ltd (trading as PreConsult)

Request a Customised DPA

This template is provided for reference. To receive a customised Data Processing Agreement for your organisation, contact legal@preconsult.ai.