Data Processing Agreement (Controller to Processor)

Between: the Customer (as defined in the Main Agreement) (“Controller”)

And: ShiftCare UK Ltd (“ShiftCare UK” or “Data Processor”)

Effective Date: the date of acceptance of the Main Agreement

DEFINITIONS & INTERPRETATION

“Applicable Data Protection Laws” means all applicable privacy and data protection laws, including without limitation:

  • UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
  • Any successor, amended, or related legislation applicable to the processing activities under this Agreement

“Personal Data” has the meaning given in UK GDPR and includes all personal data processed under this Agreement.

Special Category Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation as defined in UK GDPR Article 9.

“Processing”, “Controller”, “Processor”, “Data Subject”, “Subprocessor” and related terms have the meanings set out in UK GDPR.

NATURE AND PURPOSE OF PROCESSING

Roles and Instructions

  • Customer acts as Data Controller; ShiftCare UK acts as Data Processor
  • ShiftCare UK processes Personal Data solely on documented instructions from Customer
  • This Data Processing Agreement (“DPA”) forms part of the agreement governing the provision of the ShiftCare services (the “Main Agreement”), including the ShiftCare Terms and Conditions.

Categories of Data and Data Subjects

  • Data Categories: Contact details, demographic information, care recipient records, health/medical data, employee records, system usage logs, communications, location data
  • Data Subjects: Care recipients, service users, staff members, contractors, system administrators, family members/representatives
  • Processing Purpose: Provision of care management software services as detailed in the Main Agreement

Data Location

  • Personal Data is primarily hosted within UK/EU infrastructure. Limited processing may occur outside the UK where required for support or service delivery, subject to appropriate safeguards including Standard Contractual Clauses and the UK Addendum.

SUBPROCESSORS

General Authorization

Customer provides general written authorization for ShiftCare UK to engage subprocessors for the data processing activities described in this DPA, including:

  • Cloud infrastructure providers
  • Technical support, system administration, maintenance, and operational support functions
  • The further categories of service set out in Schedule 1

Subprocessor Requirements

  • ShiftCare UK maintains a current list of subprocessors in Schedule 1
  • All subprocessors are bound by written data protection obligations substantially equivalent to those in this DPA
  • For subprocessors located outside the UK, ShiftCare UK maintains appropriate international transfer safeguards, including Standard Contractual Clauses and the UK Addendum where required
  • ShiftCare UK provides 30 days’ prior notice of any new or replacement subprocessor
  • Customer may object to a subprocessor change on reasonable data protection grounds

Liability

ShiftCare UK remains fully liable to Customer for subprocessor performance of data protection obligations.

SECURITY MEASURES

Technical and Organisational Measures

ShiftCare UK implements and maintains security measures including:

  • Encryption: AES-256 for data at rest, TLS 1.2 or higher for data in transit (as set out in Schedule 2)
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA)
  • System Security: Regular vulnerability assessments, penetration testing, security monitoring
  • Physical Security: Secure data centres with access controls and environmental protections
  • Incident Response: Continuous monitoring and incident response procedures
  • Staff Training: Annual security awareness training for all personnel

Compliance Standards

ShiftCare UK maintains industry-standard technical and organisational measures aligned to recognised security frameworks, as detailed in Schedule 2.

DATA SUBJECT RIGHTS

Assistance Obligations

ShiftCare UK shall assist Customer in responding to Data Subject rights requests under UK GDPR, including:

  • Access, rectification, erasure, restriction, portability, and objection rights
  • Providing necessary information and access to facilitate Customer’s response
  • Technical assistance for data extraction, correction, or deletion as required

Request Handling

  • Data Subject requests received directly by ShiftCare UK are forwarded to Customer within 48 hours
  • ShiftCare UK provides reasonable technical assistance for request fulfilment
  • Response timeframes comply with UK GDPR requirements (one month, extendable by a further two months where requests are complex or numerous)

DATA BREACH NOTIFICATION

Notification Requirements

ShiftCare UK shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer’s Personal Data, and shall provide timely updates as further information becomes available.

Incident Information

Breach notifications include:

  • Nature and scope of breach
  • Categories and approximate numbers of affected Data Subjects
  • Likely consequences and risks
  • Measures taken to address breach and prevent recurrence
  • Contact information for further inquiries

Regulatory Notifications

ShiftCare UK assists Customer in meeting its obligation to notify the ICO within 72 hours of becoming aware of a notifiable Personal Data Breach, where applicable.

AUDIT AND COMPLIANCE

Audit Rights

Customer may audit ShiftCare UK’s compliance through:

  • Review of third-party certifications and audit reports
  • Questionnaires and compliance assessments
  • On-site inspections (with reasonable notice and scope)

Compliance Demonstration

ShiftCare UK provides evidence of compliance, subject to reasonable notice, scope, and confidentiality obligations, including:

  • Security policies and procedures
  • Training records and incident logs
  • Regular compliance assessments

RECORDS AND DOCUMENTATION

Processing Records

ShiftCare UK maintains records of processing activities as required by UK GDPR Article 30, including:

  • Categories of processing and purposes
  • Data retention periods and deletion practices
  • Security measures and incident logs
  • Subprocessor arrangements and oversight

Record Retention

Processing records are retained for the minimum periods required by UK law, or until termination of the Main Agreement plus the applicable limitation period.

DATA RETENTION AND RETURN/DELETION

Retention Periods

Personal Data is retained only as long as necessary for the processing purposes or as required by UK law, as specified in the Data Retention Schedule (Schedule 3).

End of Processing

Upon contract termination or Customer instruction:

  • Return or deletion of all Personal Data within 30 days
  • Certification of deletion provided upon request
  • Retention permitted only if required by UK law

LIABILITY AND INDEMNIFICATION

Data Protection Liability

Each party is liable for damages caused by processing in violation of UK GDPR, subject to the limitations in the Main Agreement except where prohibited by law.

Regulatory Fines

ShiftCare UK is liable for ICO fines resulting from its non-compliance with this DPA; Customer is liable for fines resulting from its instructions or its own non-compliance.

TERM AND TERMINATION

This DPA commences on the Effective Date and continues for the duration of the Main Agreement. Provisions relating to data security, confidentiality, and return/deletion survive termination.

AMENDMENTS AND GOVERNING LAW

Amendments

This DPA may be amended only by written agreement, except for updates required by changes in UK Data Protection Laws.

Governing Law

This DPA is governed by the laws of England and Wales.

Conflict Resolution

Any conflict between this DPA and the Main Agreement is resolved in favour of this DPA in respect of data protection matters.

SCHEDULE 1: SUBPROCESSOR LIST

Name of Subprocessor | Location | Services Provided | Verified Safeguards
Amazon Web Services (AWS) | United Kingdom | Cloud infrastructure hosting | ISO/IEC 27001 certification; independent SOC reports (UK/EU regional hosting available)
ShiftCare (Australia) Pty Ltd | Sydney, NSW, Australia | Technical support, system administration, and operational support functions | Standard Contractual Clauses with UK Addendum; equivalent technical and organisational measures
Intercom R&D Unlimited Co. | Ireland / United States | Customer messaging, support chat, product tours | SOC 2 Type II; ISO frameworks published via Trust Center (incl. ISO 27001/27018/27701 as documented)
Stripe Payments UK Ltd / Inc. | UK / United States | Payment processing, billing, subscription management | PCI DSS compliance (payment processing)
Recurly, Inc. | United States | Subscription billing, invoicing, recurring payments | PCI DSS Level 1 compliant platform
HubSpot, Inc. | United States | CRM, marketing automation | EU data-hosting option; hosted with cloud providers holding SOC 2 Type 2 & ISO 27001; documented security programme
Mixpanel, Inc. | United States | Product analytics, usage tracking, event measurement | SOC 2 Type II; ISO 27001 & ISO 27701 certifications (per Trust Center docs)
ProsperStack, Inc. | United States | Subscription cancellation flows, churn deflection | Participant in the EU-US Data Privacy Framework; published DPA/privacy commitments
ChurnZero, Inc. | United States | Customer success management, onboarding, usage tracking | ISO 27001 certification

A current list of authorised subprocessors is maintained and made available to the Customer upon request or via a published webpage. ShiftCare UK will notify the Customer of any intended changes to subprocessors in accordance with this Agreement and provide the Customer with the opportunity to object on reasonable data protection grounds.

Notes to readers of the DPA

The safeguards above reflect vendor-published trust/compliance pages or primary announcements. If a customer requests copies of specific reports (e.g. SOC 2), these are typically available under NDA via each vendor’s Trust Center or on request.

SCHEDULE 2: TECHNICAL AND ORGANISATIONAL MEASURES

ShiftCare UK implements and maintains appropriate technical and organisational measures in accordance with UK GDPR Article 32, including:

Security of Processing

  • Encryption of personal data at rest (AES-256) and in transit (TLS 1.2 or higher)
  • Role-based access controls (RBAC) and multi-factor authentication (MFA)
  • Secure authentication and password management practices

Confidentiality, Integrity, Availability

  • Systems designed to ensure ongoing confidentiality, integrity, and availability of personal data
  • Infrastructure hosted with enterprise-grade cloud providers with built-in redundancy and resilience
  • Access restricted to authorised personnel on a need-to-know basis

Monitoring and Incident Management

  • Continuous monitoring of systems for security events
  • Documented incident response procedures
  • Logging and alerting mechanisms for suspicious activity

Testing and Evaluation

  • Regular vulnerability assessments and penetration testing
  • Periodic review of security controls and risk assessments
  • Regular testing, assessment, and evaluation of the effectiveness of technical and organisational measures.

Organisational Measures

  • Staff confidentiality obligations
  • Security awareness training
  • Access management policies
  • Internal data protection and security policies

Data Resilience and Recovery

  • Backup procedures and disaster recovery capabilities
  • Ability to restore access to personal data in a timely manner in the event of an incident

Subprocessor Security

  • Subprocessors subject to contractual obligations ensuring equivalent security standards
  • Ongoing due diligence and oversight of subprocessors

Further technical and organisational measures are detailed in applicable subprocessor agreements and Standard Contractual Clauses.

SCHEDULE 3: DATA RETENTION SCHEDULE

Data Category | Retention Period | Legal Basis
Care recipient records | 7 years post-service | Care Act 2014, NHS retention guidelines
Staff employment records | 2 years post-employment | Employment law requirements
System access logs | 1 year | Security and audit requirements
Communications and support | 2 years | Business requirements
Financial/billing data | 6 years post-transaction | Companies Act 2006