Data Processing Addendum
GDPR / UK GDPR data-processing terms for DivineCare Service customers.
1. Definitions
Terms such as “controller”, “processor”, “personal data”, “processing”, “data subject”, “sub-processor”, and “personal data breach” have the meanings given to them in the GDPR (Regulation (EU) 2016/679) and the UK GDPR.
2. Roles
With respect to Customer Personal Data processed via the Service, the Customer is the controller and DivineCare Service is the processor.
3. Subject matter, duration, and nature
- Subject matter: provision of the DivineCare Service platform.
- Duration: for the term of the Master Agreement, plus any retention period required by law.
- Nature & purpose: hosting, processing, and securing patient and care-team data on the Customer's behalf.
- Categories of data subjects: patients / care recipients, guardians, agency staff users.
- Categories of personal data: identity, contact, clinical and care records, scheduling, and audit metadata.
4. Processor obligations
- Process personal data only on documented instructions from the Customer.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Security).
- Engage sub-processors only with the Customer's general written authorisation and under equivalent data-protection obligations.
- Assist the Customer, taking the nature of processing into account, in fulfilling data-subject requests.
- Assist with security, breach notification, DPIAs, and prior consultation as required by Articles 32–36 GDPR.
- At the Customer's choice, return or delete Customer Personal Data at the end of the engagement.
5. Sub-processors
We use a small, carefully vetted set of sub-processors necessary to operate the Service — including cloud hosting, encrypted blob storage, email and SMS delivery providers. The current list is available on request and via in-product notice. We notify Customers of intended changes and give them an opportunity to object on reasonable data-protection grounds.
6. International transfers
Where Customer Personal Data is transferred outside its origin region, transfers rely on the European Commission's Standard Contractual Clauses (or the UK Addendum / UK IDTA, as applicable), supplemented by technical safeguards including encryption in transit and at rest. Data-residency options (US, EU, UK) are available for eligible deployments.
7. Data-subject requests
Where a data subject contacts DivineCare Service directly with a request, we will (unless legally prohibited) forward the request to the Customer without undue delay. We provide tooling within the Service for the Customer to fulfil access, rectification, erasure, restriction, and portability requests.
8. Breach notification
We notify the Customer of any personal data breach affecting Customer Personal Data without undue delay after becoming aware, and in any event in time to allow the Customer to meet its GDPR Article 33 / UK GDPR obligations (typically within 72 hours of awareness). Notifications include the nature and scope of the breach, likely consequences, and the measures taken or proposed.
9. Audit rights
On reasonable written notice, we make available to the Customer the information necessary to demonstrate compliance with this addendum, and allow for and contribute to audits — including inspections — conducted by the Customer or an auditor mandated by the Customer. Audit modalities and reasonable cost-sharing terms are set out in the executed DPA.
10. Liability & precedence
Liability for breach of this DPA is governed by the liability provisions of the Master Agreement. In the event of conflict between this DPA and the Master Agreement on matters of data protection, this DPA prevails.
Requesting a countersigned DPA
To execute the DPA for your organisation, reach out via our contact form with the legal entity name and a signatory contact. See also our Privacy Policy and Security page.