Data Processing Agreement
CARESTREAM — DATA PROCESSING AGREEMENT
Made under Article 28 of the UK GDPR
between
TRG Digital Ltd (trading as CareStream) (the Processor)
and
The Customer identified in the Principal Agreement (the Controller)
Version 1.0
Parties
(1) TRG DIGITAL LTD, a company registered in England and Wales with company number 11731704, whose registered office is at Suite Ra01, 195-197 Wood Street, London, England, E17 3NU, trading as CareStream (the Processor); and
(2) THE CUSTOMER, being the organisation identified as the Customer in the Principal Agreement (the Controller),
each a "party" and together the "parties".
Background
(A) The Processor operates CareStream, an AI-powered compliance and knowledge platform that gives the Controller's care team instant access to the Controller's own policies, procedures and regulatory guidance, together with related staff training, CQC readiness reporting, governance auditing, onboarding and analytics functionality (the Services).
(B) The parties have entered into, or intend to enter into, an agreement under which the Processor provides the Services to the Controller (the Principal Agreement). In performing the Services, the Processor processes Personal Data on behalf of the Controller.
(C) This Data Processing Agreement (this Agreement or DPA) sets out the terms on which the Processor processes Personal Data on behalf of the Controller and records the parties' agreement for the purposes of Article 28 of the UK GDPR. It forms part of, and is subject to, the Principal Agreement.
(D) If there is any conflict between this Agreement and the Principal Agreement in relation to the Processing of Personal Data, this Agreement prevails.
IT IS AGREED as follows.
1. Definitions and Interpretation
1.1 In this Agreement, the following definitions apply:
- Data Protection Laws — all laws and regulations applicable to the Processing of Personal Data under this Agreement, including the UK GDPR, the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and any successor or amending legislation, together with any guidance and codes of practice issued by the Information Commissioner's Office (ICO).
- UK GDPR — Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as amended by the DPA 2018.
- Controller, Processor, Data Subject, Personal Data, Processing, Special Category Data and Supervisory Authority — have the meanings given to them (or to their nearest equivalents) in the Data Protection Laws. "Data Controller" and "Data Processor" are construed accordingly.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed under this Agreement.
- Sub-processor — any third party (including any affiliate of the Processor) engaged by the Processor to Process Personal Data on behalf of the Controller in connection with the Services.
- Restricted Transfer — a transfer of Personal Data to, or access to Personal Data from, a country or territory outside the United Kingdom that is not the subject of UK adequacy regulations made under the DPA 2018.
- UK Transfer Mechanism — the International Data Transfer Agreement issued by the ICO (IDTA), and/or the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the ICO (the UK Addendum), in each case as completed and in force from time to time, or any other lawful transfer mechanism under the Data Protection Laws.
- Processing Details — the description of the Processing set out in Schedule 1 (Details of Processing).
- Security Measures — the technical and organisational measures set out in Schedule 2 (Technical and Organisational Security Measures).
- Working Day — any day other than a Saturday, Sunday or public holiday in England.
1.2 In this Agreement: (a) clause headings do not affect interpretation; (b) a reference to a statute or statutory provision includes any subordinate legislation made under it and is a reference to it as amended, extended or re-enacted from time to time; (c) any words following the terms "including", "include", "in particular" or "for example" are illustrative and do not limit the words preceding them; and (d) the Schedules form part of this Agreement and have effect as if set out in full in the body of this Agreement.
2. Status of the Parties and Scope
2.1 The parties acknowledge that, for the Data Protection Laws, the Controller is the Controller and the Processor is the Processor in respect of the Personal Data Processed under this Agreement.
2.2 The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are set out in the Processing Details. The parties may update the Processing Details from time to time to reflect changes in the Services, provided the changes are consistent with the Data Protection Laws.
2.3 Each party shall comply with its respective obligations under the Data Protection Laws. This Agreement does not relieve the Controller of its own obligations as Controller, including its obligations in respect of the lawfulness, fairness and transparency of the Processing and the establishment of a lawful basis for the Processing.
2.4 The Controller acknowledges that the Services are delivered on a multi-tenant basis and that the Processor relies on the Controller's instructions and configuration of the Services (including the documents the Controller uploads and the user accounts it creates) when delivering the Services.
3. Obligations of the Processor
3.1 The Processor shall Process the Personal Data only:
(a) to the extent, and in such manner, as is necessary to provide the Services and to comply with its obligations under the Principal Agreement and this Agreement; and
(b) on the documented instructions of the Controller (including those set out in this Agreement and the Principal Agreement, and any further written instructions given by the Controller in relation to the Processing),
3.2 Unless the Processor is otherwise required to Process the Personal Data by applicable law, in which case the Processor shall (to the extent permitted by that law) inform the Controller of that legal requirement before Processing.
3.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the Data Protection Laws. The Processor is not obliged to carry out a review of the Controller's instructions for legal compliance and is not liable for any claim arising from any act or omission to the extent that it results from compliance with the Controller's instructions.
3.4 The Processor shall ensure that persons authorised to Process the Personal Data are subject to an appropriate duty of confidentiality (whether contractual or statutory) and have received appropriate training on their obligations under the Data Protection Laws.
3.5 The Processor shall implement and maintain the Security Measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing, as well as the risk to the rights and freedoms of Data Subjects, as required by Article 32 of the UK GDPR.
3.6 The Processor shall maintain a record of its Processing activities carried out on behalf of the Controller, as required by Article 30(2) of the UK GDPR, and shall make that record available to the Controller on reasonable request.
3.7 The Processor shall not Process the Personal Data, nor permit any Personal Data to be Processed, outside the United Kingdom otherwise than in accordance with clause 6 (International Transfers).
4. Obligations of the Controller
4.1 The Controller warrants and represents that:
(a) it has, and will maintain throughout the term, a valid lawful basis under the Data Protection Laws for the Processing of the Personal Data by the Processor in accordance with this Agreement, including (where required) for the transmission of communications by email and WhatsApp;
(b) it has provided, and will provide, all necessary information and notices to Data Subjects, and obtained all necessary consents (where consent is the relevant lawful basis), required for the lawful Processing of the Personal Data under this Agreement; and
(c) its instructions to the Processor, and the documents and data it uploads to or inputs into the Services, comply with the Data Protection Laws.
4.2 The Controller is solely responsible for the accuracy, quality and legality of the Personal Data and the documents it uploads to the Services, and for determining whether such documents or data contain Personal Data or Special Category Data. The Processor does not require the Controller to upload Special Category Data and is not responsible for the content of documents the Controller chooses to upload.
4.3 The Controller shall ensure that the user accounts it creates, and the access rights it assigns to its administrators and staff, are appropriate and kept up to date.
5. Sub-processing
5.1 The Controller grants the Processor general written authorisation to engage the Sub-processors listed in Schedule 3 (Sub-processors) for the purposes described in that Schedule, including cloud infrastructure and database hosting providers, AI large-language-model and text-embedding providers, vector search providers, and email and messaging (WhatsApp) providers.
5.2 The Processor shall maintain an up-to-date list of Sub-processors. The Processor shall give the Controller at least fourteen (14) days' prior notice of the addition or replacement of any Sub-processor (which may be given by electronic means or by updating the list made available to the Controller), thereby allowing the Controller to object to such changes.
5.3 If the Controller has reasonable grounds, on data protection grounds, to object to the appointment of a new Sub-processor, it shall notify the Processor in writing within the notice period. The parties shall work together in good faith to address the objection. If no resolution can be reached, the Processor may, at its option, decline to appoint the Sub-processor, or the Controller may, as its sole remedy, terminate the affected Services in accordance with the Principal Agreement.
5.4 Before engaging any Sub-processor, the Processor shall enter into a written contract with the Sub-processor that imposes on the Sub-processor data protection obligations that are no less protective than those set out in this Agreement, as required by Article 28(4) of the UK GDPR.
5.5 The Processor remains fully liable to the Controller for the performance of each Sub-processor's data protection obligations.
6. International Transfers
6.1 The Controller acknowledges and instructs that, in delivering the Services, the Processor stores the Controller's structured data in a managed PostgreSQL database hosted in the European Economic Area (Ireland) and stores uploaded documents in Amazon Web Services (AWS) S3 in the United Kingdom (London), as described in Schedule 2. Transfers of Personal Data from the United Kingdom to the EEA are made in reliance on the UK adequacy regulations covering the EEA.
6.2 Where the provision of the Services requires a Restricted Transfer (for example, where an AI large-language-model, text-embedding, vector search, email or messaging Sub-processor Processes Personal Data outside the United Kingdom in a country not covered by UK adequacy regulations), the Processor shall ensure that an appropriate UK Transfer Mechanism is in place before the Restricted Transfer is made, together with any supplementary measures and a transfer risk assessment where required.
6.3 The Controller authorises and instructs the Processor to enter into the relevant UK Transfer Mechanism with the relevant Sub-processor on the Controller's behalf, or otherwise to ensure that such a mechanism is in place, in respect of any Restricted Transfer necessary for the provision of the Services. Further detail is set out in Schedule 4 (International Transfers).
6.4 The Processor minimises Restricted Transfers by passing only the relevant retrieved excerpts of the Controller's documents, never the Controller's whole document library, together with the relevant query, to the AI models and vector search index used to generate a grounded response.
7. Security of Processing
7.1 The Processor shall implement and maintain the Security Measures set out in Schedule 2, which the parties agree are appropriate to the risk presented by the Processing.
7.2 The measures shall include, as appropriate: the pseudonymisation and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability of and access to Personal Data on time in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
7.3 The Processor may update the Security Measures from time to time, provided that such updates do not materially reduce the overall level of protection of the Personal Data.
8. Personal Data Breaches
8.1 The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Personal Data.
8.2 Such notification shall, to the extent then known and as further information becomes available, include: a description of the nature of the Personal Data Breach (including, where possible, the categories and approximate number of Data Subjects and records concerned); the likely consequences of the Personal Data Breach; the measures taken or proposed to address it and to mitigate its possible adverse effects; and the name and contact details of a point of contact from whom more information can be obtained.
8.3 The Processor shall co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach, including to enable the Controller to meet its own obligations to notify the ICO and affected Data Subjects where required.
8.4 The Processor shall not make any notification of a Personal Data Breach to a Supervisory Authority or to Data Subjects on the Controller's behalf, or in the Controller's name, without the Controller's prior written consent, unless required to do so by applicable law.
9. Data Subject Rights and Assistance
9.1 Taking into account the nature of the Processing, the Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as is reasonably possible, in fulfilling the Controller's obligation to respond to requests by Data Subjects exercising their rights under the Data Protection Laws (including rights of access, rectification, erasure, restriction, portability and objection).
9.2 The Processor shall promptly notify the Controller if it receives a request from a Data Subject in respect of the Personal Data, and shall not respond to that request except on the documented instructions of the Controller or as required by applicable law.
9.3 The Processor shall provide reasonable assistance to the Controller, at the Controller's cost (save where the need for assistance arises from the Processor's breach of this Agreement), with: data protection impact assessments under Article 35 of the UK GDPR; prior consultation with the ICO under Article 36 of the UK GDPR; and the Controller's compliance with its obligations under Articles 32 to 36 of the UK GDPR, in each case taking into account the nature of the Processing and the information available to the Processor.
10. Records, Audits and Inspections
10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in Article 28 of the UK GDPR and this Agreement.
10.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller (and who is subject to a duty of confidentiality), in relation to the Processing of the Personal Data, subject to the following: such audits shall take place no more than once in any twelve (12) month period (save where required by the ICO or following a Personal Data Breach); shall be conducted on at least thirty (30) days' prior written notice; shall take place during normal business hours; and shall be conducted in a manner that minimises disruption to the Processor's business and does not compromise the security or confidentiality of other customers' data.
10.3 The Processor may satisfy the Controller's audit rights by providing relevant third-party certifications, audit reports or summaries of the same, where available.
10.4 Each party shall bear its own costs in relation to any audit, save that the Controller shall reimburse the Processor's reasonable costs where an audit reveals no material non-compliance by the Processor.
11. Return and Deletion of Personal Data
11.1 On termination or expiry of the Principal Agreement, or otherwise on the Controller's written request, the Processor shall (at the Controller's election) delete or return to the Controller all the Personal Data Processed on the Controller's behalf, and delete existing copies, unless applicable law requires continued storage of the Personal Data.
11.2 The Processor shall complete such deletion or return within ninety (90) days of termination or expiry, or of the Controller's request, save that the Processor may retain Personal Data contained in its immutable, append-only audit log to the extent and for the period required to comply with its legal and regulatory obligations, during which time the Processor shall continue to protect that Personal Data in accordance with this Agreement.
11.3 On request, the Processor shall certify in writing to the Controller that it has complied with this clause 11.
12. Liability and Indemnity
12.1 The liability of each party arising out of or in connection with this Agreement is subject to the limitations and exclusions of liability set out in the Principal Agreement, and references in the Principal Agreement to a party's liability are deemed to include that party's liability under this Agreement.
12.2 Nothing in this Agreement limits or excludes either party's liability where such limitation or exclusion is not permitted by the Data Protection Laws or other applicable law.
12.3 Where the parties are held jointly and severally liable under Article 82 of the UK GDPR for damage caused by the Processing, each party shall be entitled to claim back from the other that part of the compensation corresponding to the other party's part of the responsibility for the damage.
13. Term and Termination
13.1 This Agreement takes effect on the date of the last signature of the Principal Agreement (or, if earlier, the date on which the Processor first Processes Personal Data on behalf of the Controller) and continues in force for so long as the Processor Processes Personal Data on behalf of the Controller under the Principal Agreement.
13.2 Clauses that by their nature are intended to survive termination (including clauses 11, 12 and 14) shall survive termination or expiry of this Agreement.
14. General
14.1 Entire agreement. This Agreement, together with the Principal Agreement, constitutes the entire agreement between the parties in relation to the Processing of Personal Data and supersedes any prior arrangement, understanding or agreement relating to that subject matter.
14.2 Variation. No variation of this Agreement is effective unless it is in writing and signed by or on behalf of each party, save that the Processor may update the Sub-processor list and the Security Measures as expressly permitted by this Agreement.
14.3 Severance. If any provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable; if such modification is not possible, the relevant provision shall be deemed deleted, and this shall not affect the validity of the remainder of this Agreement.
14.4 Third-party rights. A person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
14.5 Governing law and jurisdiction. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter (including non-contractual disputes or claims) are governed by, and construed in accordance with, the law of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
Schedule 1 — Details of Processing
- Controller — The Customer identified in the Principal Agreement.
- Processor — TRG Digital Ltd (trading as CareStream).
- Subject matter of the Processing — Provision of the CareStream AI-powered compliance and knowledge platform and related services to the Controller.
- Duration of the Processing — For the term of the Principal Agreement, plus the return/deletion period set out in clause 11 and any retention period required by law.
- Nature of the Processing — Collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission and erasure of Personal Data; generation of searchable text and AI "embeddings" from uploaded documents; retrieval-augmented generation of responses to user queries; delivery of communications via web chat, email and WhatsApp (including voice notes); maintenance of training, audit, onboarding and analytics records; and maintenance of an immutable, append-only audit log.
- Purpose of the Processing — To deliver the Services, namely: on-demand access to the Controller's policies, procedures and regulatory guidance; staff training, assessments, certificates and renewal reminders; CQC readiness reporting and inspector-style staff preparation questions; monthly governance audits; staff onboarding flows; and analytics evidencing workforce engagement with policies.
Categories of Data Subjects
The Controller's staff, workers and care team members who use the Services (including care workers, nurses and other care personnel); the Controller's administrators and managers; and any individuals whose Personal Data is incidentally contained within the policy and procedure documents the Controller chooses to upload.
Types of Personal Data
- User account data — Name, work email address, job role and language preference; and a mobile telephone number where WhatsApp access is enabled.
- Authentication and access data — Per-user authentication credentials and records of authentication, admin/staff role permissions and access events.
- Usage and interaction data — A record of the questions asked and answers given through the Services, including the channel used (web chat, email or WhatsApp), the language and a timestamp.
- Audit, training and onboarding records — Records held in the immutable, append-only audit log of access and key actions; and training records (including assessments, certificates and renewal status) and onboarding records held per client.
- Document-derived data — The searchable text and AI "embeddings" derived from the documents uploaded by the Controller, and the relevant retrieved excerpts passed to the AI models and vector search index to generate responses.
- Personal Data within uploaded documents — Any Personal Data that the Controller chooses to include within the policy and procedure documents it uploads (the content of which is determined by the Controller).
Special Category Data
The Services are not designed to process Special Category Data, and the Processor does not require the Controller to upload such data. The Controller is responsible for determining the content of the documents it uploads. To the extent any Special Category Data is incidentally contained within uploaded documents, the Controller confirms it has a lawful basis and an applicable Article 9 condition for that Processing.
Schedule 2 — Technical and Organisational Security Measures
The Processor implements and maintains the following technical and organisational measures, which may be updated from time to time in accordance with clause 7.3 provided the overall level of protection is not materially reduced.
- Tenant isolation — Every care provider is a fully isolated tenant. All data is tagged to the relevant client and segregated at two independent layers — within the application itself, and again by database-level Row-Level Security (RLS) as a safety net — so that one client's information cannot be seen by, or mixed with, another's.
- Encryption — Personal Data is encrypted at rest using AES-256 and in transit using TLS.
- Data location — Structured data is held in a managed PostgreSQL database hosted in the EU (Ireland). Uploaded documents are stored in AWS S3 in the UK (London).
- Access control — Access is restricted by per-user authentication and admin/staff role-based permissions, with brute-force lockout and rate limiting to protect against unauthorised access.
- Data minimisation in AI processing — To answer a query, only the relevant retrieved excerpts of the relevant client's documents — never the client's whole library — are passed, together with the query, to the AI generation and embedding services and the vector search index.
- Auditability and integrity — An immutable, append-only audit log records access and key actions, supporting integrity, accountability and the production of CQC evidence.
- Confidentiality of personnel — Personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations and receive appropriate data protection training.
- Resilience and recovery — Measures are in place to support the ongoing confidentiality, integrity, availability and resilience of the Processing systems, and to restore the availability of and access to Personal Data in a timely manner following an incident.
- Sub-processor assurance — Sub-processors are engaged under written contracts imposing data protection obligations no less protective than those in this Agreement, and are subject to the international transfer safeguards in clause 6 and Schedule 4.
Schedule 3 — Sub-processors
The Controller authorises the engagement of the following categories of Sub-processor for the purposes described below. The Processor shall maintain an up-to-date list identifying the specific legal entity, location and role of each Sub-processor, and shall notify the Controller of changes in accordance with clause 5.2.
[Complete the entity name and location for each Sub-processor used.]
- Cloud document storage — Entity: [Amazon Web Services, Inc. / AWS EMEA SARL]. Purpose: storage of uploaded documents (AWS S3) — United Kingdom (London).
- Managed database hosting — Entity: [insert provider]. Purpose: hosting of the managed PostgreSQL database holding structured data — EEA (Ireland).
- AI large-language-model provider — Entity: [insert provider]. Purpose: generation of grounded responses from retrieved document excerpts and queries.
- Text-embedding provider — Entity: [insert provider]. Purpose: generation of AI embeddings from documents and queries to enable retrieval.
- Vector search index — Entity: [insert provider]. Purpose: indexing and similarity search over document embeddings.
- Email delivery provider — Entity: [insert provider]. Purpose: delivery of communications and responses by email.
- WhatsApp / messaging provider — Entity: [insert provider]. Purpose: delivery of communications and responses via WhatsApp, including voice notes.
Schedule 4 — International Transfers
- Transfers to the EEA (Ireland). The Controller's structured data is hosted in the EEA (Ireland). Transfers of Personal Data from the United Kingdom to the EEA are made in reliance on the UK adequacy regulations covering the EEA. No additional transfer mechanism is required for these transfers for so long as those adequacy regulations remain in force.
- UK storage. Uploaded documents are stored in AWS S3 in the United Kingdom (London) and do not involve a Restricted Transfer.
- Restricted Transfers to other countries. Where any Sub-processor (including an AI large-language-model, text-embedding, vector search, email or messaging provider) Processes Personal Data in a country outside the United Kingdom that is not covered by UK adequacy regulations, the Processor shall ensure that an appropriate UK Transfer Mechanism (the IDTA, or the UK Addendum to the EU Standard Contractual Clauses) is in place, supported by a transfer risk assessment and any necessary supplementary measures, before the Restricted Transfer is made.
- Authorisation. The Controller authorises and instructs the Processor to enter into the relevant UK Transfer Mechanism with each relevant Sub-processor on the Controller's behalf, or otherwise to ensure such a mechanism is in place, in respect of any Restricted Transfer necessary to provide the Services.
- Minimisation. The Processor passes only the relevant retrieved excerpts of the Controller's documents, never the whole library, together with the relevant query, to the AI models and vector search index, thereby minimising the volume of Personal Data involved in any transfer.
