Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between the healthcare organisation (“Controller”, “you”) and CliniVoice AI Ltd (“Processor”, “we”, “us”) for the processing of personal data through the CliniVoice AI Service. This DPA is entered into pursuant to Article 28 of UK GDPR.

1. Definitions

• “Controller” means the healthcare organisation (NHS Trust, private clinic, or other entity) that determines the purposes and means of processing personal data through the Service.
• “Processor” means CliniVoice AI Ltd, which processes personal data on behalf of the Controller.
• “Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
• “Personal Data”, “Data Subject”, “Processing”, and “Personal Data Breach” have the meanings given in UK GDPR.
• “Clinical Data” means any special category data (health data) relating to patients processed through the Service, including audio recordings, transcriptions, clinical letters, and patient identifiers.
• “UK GDPR” means the Data Protection Act 2018 and the retained EU GDPR as it forms part of UK law.

2. Scope & Purpose

2.1. This DPA applies to all personal data processed by the Processor on behalf of the Controller through the CliniVoice AI Service.

Categories of Data Subjects

• Patients of the Controller whose clinical information is dictated/transcribed
• Healthcare professionals employed by or affiliated with the Controller

Types of Personal Data

• Patient identifiers: name, date of birth, NHS number, hospital number, address
• Health data: clinical observations, diagnoses, treatment plans, medication, referral information
• Audio recordings of clinical dictation
• AI-generated clinical letters and summaries
• Healthcare professional names and professional registration numbers

Purpose of Processing

The Processor processes data solely to provide the clinical dictation, AI transcription, and letter generation services as described in the main service agreement.

3. Processor Obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller, unless required to do so by UK law (in which case we will inform the Controller before processing, unless legally prohibited from doing so).
• Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 5 of this DPA.
• Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller, as detailed in Section 6.
• Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of UK GDPR (security, breach notification, DPIAs, prior consultation).
• At the Controller’s choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless UK law requires storage.
• Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits.
• Immediately inform the Controller if, in our opinion, an instruction infringes UK GDPR or other UK data protection provisions.
• Not process personal data for any purpose other than providing the Service, and specifically shall not use Clinical Data for AI model training without explicit, documented consent from the Controller.

4. Controller Obligations

The Controller shall:

• Ensure it has a lawful basis for processing personal data through the Service, including for the processing of special category (health) data under Article 9(2)(h) of UK GDPR.
• Ensure that data subjects have been informed about the processing in accordance with Articles 13 and 14 of UK GDPR.
• Ensure that all instructions given to the Processor are lawful and comply with applicable data protection legislation.
• Conduct a Data Protection Impact Assessment (DPIA) where required before deploying the Service for clinical use.
• Ensure that its staff using the Service are appropriately trained in data protection and information governance.
• Maintain appropriate access controls and ensure that user accounts are not shared between individuals.

5. Data Security Measures

The Processor implements the following technical and organisational measures:

Encryption

• TLS 1.2+ for all data in transit
• AES-256 encryption for data at rest
• Encrypted database connections

Access Controls

• Role-based access control (RBAC) with principle of least privilege
• Multi-factor authentication for all administrative access
• Unique user accounts with no shared credentials
• Automatic session timeout after period of inactivity

Infrastructure

• Hosting on Vercel (ISO 27001 certified infrastructure)
• Database hosted on Supabase (SOC 2 Type II compliant)
• Regular security patches and updates
• Network segmentation and firewall rules

Monitoring & Testing

• Comprehensive audit logging of all data access and processing activities
• Regular vulnerability scanning and penetration testing
• Automated alerting for suspicious activity
• Incident response procedures documented and tested

Personnel

• All staff with access to personal data are subject to confidentiality agreements
• Regular data protection and security awareness training
• Background checks for staff handling sensitive data

6. Sub-processors

6.1. The Controller provides general authorisation for the Processor to engage the sub-processors listed below. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 30 days.

6.2. The Processor shall impose equivalent data protection obligations on each sub-processor by way of a contract, ensuring the same level of protection as this DPA.

6.3. The Processor remains fully liable to the Controller for the performance of each sub-processor’s obligations.

7. International Transfers

7.1. The Processor shall not transfer personal data outside the United Kingdom without ensuring appropriate safeguards are in place in accordance with Chapter V of UK GDPR.

7.2. Where transfers are necessary (e.g. to sub-processors located outside the UK), the Processor ensures protection through:

• UK adequacy regulations for transfers to countries deemed adequate by the Secretary of State
• UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with UK Addendum
• Transfer Risk Assessments conducted for each transfer destination

7.3. Clinical data processing (AI transcription and generation) is configured to use EU/UK data regions where available.

8. Data Subject Rights

8.1. The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests under Chapter III of UK GDPR, including requests for access, rectification, erasure, restriction, portability, and objection.

8.2. If the Processor receives a request directly from a data subject, we shall promptly redirect the request to the Controller unless legally required to respond directly.

8.3. The Processor shall provide the Controller with the technical capability to export, correct, or delete personal data within the Service to facilitate compliance with data subject requests.

9. Data Breach Notification

9.1. The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting data processed under this DPA.

9.2. The notification shall include, to the extent available:

• A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
• The name and contact details of the Processor’s point of contact for further information
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects

9.3. The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9.4. Breach notifications should be sent to the Controller’s designated information governance contact at the email address provided during onboarding, and additionally to security@clinivoice.com.

10. Audit Rights

10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of UK GDPR.

10.2. The Controller (or a mandated third-party auditor bound by confidentiality) may conduct audits of the Processor’s data processing activities, subject to:

• At least 30 days’ written notice
• Audits conducted during normal business hours
• The auditor agreeing to reasonable confidentiality obligations
• A maximum of one audit per calendar year (unless a breach has occurred or a regulatory authority requires it)

10.3. The Processor may satisfy audit requests by providing relevant certifications, audit reports (e.g. SOC 2), or detailed compliance documentation, where the Controller reasonably accepts this as equivalent.

11. Data Return & Deletion

11.1. Upon termination of the service agreement or upon the Controller’s request, the Processor shall, at the Controller’s election:

• Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV), and subsequently delete all copies; or
• Delete all personal data and certify such deletion in writing.

11.2. Deletion shall be completed within 30 days of the request or termination, except where UK law requires longer retention.

11.3. The Processor shall ensure that sub-processors also delete or return personal data within the same timeframes.

12. Liability

12.1. Each party shall be liable for damage caused by processing that infringes UK GDPR, in accordance with Article 82 of UK GDPR.

12.2. The limitations of liability set out in the main service agreement (Terms of Service) apply to this DPA, except that neither party limits its liability for breaches of data protection law to the extent such limitation would be unlawful.

13. Term & Termination

13.1. This DPA shall remain in effect for the duration of the Processor’s processing of personal data on behalf of the Controller.

13.2. The obligations under this DPA that by their nature should survive termination (including Sections 9, 10, 11, and 12) shall survive the termination or expiry of this DPA.

14. Governing Law

14.1. This DPA is governed by the laws of England and Wales.

14.2. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.