Data Processing Agreement
Last updated: June 2026
1. Definitions
“Controller” means the subscribing organisation — the children’s residential care home or care provider that holds the CareClarity account and determines the purposes and means of processing personal data through the platform.
“Processor” means GFE Tech Group Ltd (Companies House: 17234887), trading as CareClarity, acting on the Controller’s instructions in operating the platform.
“Personal Data” means any information relating to an identified or identifiable natural person processed through or in connection with the CareClarity platform.
“Processing” has the meaning given to it in the UK GDPR.
“UK GDPR” means the General Data Protection Regulation as it forms part of UK law under the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
“Sub-processor” means any third party engaged by CareClarity to process Personal Data in connection with the platform.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles of the Parties
The parties acknowledge that, for the purposes of UK GDPR:
The Controller determines the purposes and means of processing Personal Data. The Controller is responsible for ensuring it has a lawful basis for processing and for compliance with its own obligations under UK GDPR, including providing appropriate notices to data subjects.
The Processor (CareClarity) processes Personal Data only on the documented instructions of the Controller, as set out in this DPA and the Terms and Conditions, and in accordance with UK GDPR Article 28.
3. Nature, Purpose, and Subject Matter of Processing
Nature: Transient AI-assisted analysis of documents submitted by the Controller’s authorised users, storage of account and usage data, and delivery of the CareClarity platform services.
Purpose: To provide the CareClarity compliance and practice tools to authorised users within the Controller’s organisation.
Duration: For the term of the subscription agreement, subject to clause 10 (Deletion and Return of Data).
Types of personal data processed:
- Account data: names, email addresses, job roles of authorised users
- Usage data: records of tool usage, timestamps, and organisation identifiers
- Document content: text or documents submitted by users to the platform tools (processed transiently — not stored by CareClarity)
Categories of data subjects: Authorised users (employees and staff of the Controller); and, where included in documents submitted to the platform tools, third parties referenced in those documents (including children in care, staff members, and professionals).
4. CareClarity's Obligations as Processor
CareClarity shall:
- Process Personal Data only on documented instructions from the Controller, which are set out in this DPA and the Terms and Conditions, unless required to do otherwise by applicable law (in which case CareClarity will inform the Controller before processing, unless prohibited by law).
- Ensure that persons authorised to process Personal Data are subject to appropriate duties of confidentiality.
- Implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as set out in clause 8.
- Not engage any Sub-processor without the prior written authorisation of the Controller, save that the Controller grants general authorisation to the Sub-processors listed in clause 6 by accepting this DPA.
- Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to data subject rights requests under UK GDPR.
- Assist the Controller in ensuring compliance with its obligations under UK GDPR Articles 32–36, including security, breach notification, data protection impact assessments, and prior consultation with the ICO.
- At the Controller’s choice, delete or return all Personal Data to the Controller upon termination of the subscription, and delete existing copies, subject to clause 10.
- Make available to the Controller all information necessary to demonstrate compliance with UK GDPR Article 28, and allow for and contribute to audits conducted by the Controller or its appointed auditor, subject to clause 11.
- Promptly inform the Controller if any instruction given by the Controller infringes UK GDPR or applicable data protection law.
5. The Controller's Obligations
The Controller shall:
- Ensure that it has a lawful basis under UK GDPR for instructing CareClarity to process Personal Data through the platform.
- Ensure that appropriate privacy notices have been provided to data subjects whose personal data may be processed through the platform, including staff and (where applicable) children in care whose information may be referenced in documents submitted to the tools.
- Ensure that only authorised users access the platform, and that account credentials are kept secure.
- Not submit to the platform any special category data (as defined in UK GDPR Article 9) beyond what is reasonably necessary for the intended use of each tool, and where possible use anonymised or pseudonymised data.
- Comply with its own obligations under UK GDPR as a data controller.
6. Sub-processors
The Controller grants general authorisation for CareClarity to engage the following Sub-processors in connection with the platform. CareClarity will provide at least 30 days’ notice of any material changes to this list.
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic PBC | AI processing of submitted documents | USA | DPA with UK IDTA SCCs |
| Supabase Inc. | Database hosting (account & usage data) | eu-west-2 (Ireland) | DPA with UK IDTA SCCs |
| Vercel Inc. | Platform hosting and edge compute | UK/EU (lhr1) | DPA with SCCs |
| Resend Inc. | Transactional email delivery | USA | DPA with SCCs |
| Stripe Inc. | Payment processing | Europe | DPA with SCCs / PCI-DSS L1 |
CareClarity will impose data protection obligations on each Sub-processor equivalent to those set out in this DPA, and remains liable for each Sub-processor’s compliance with those obligations.
7. Data Subject Rights
CareClarity will promptly notify the Controller of any request received from a data subject in relation to Personal Data processed through the platform, and will not respond to such requests directly except to advise the data subject that the request has been forwarded to the Controller.
CareClarity will provide reasonable assistance to enable the Controller to fulfil its obligations to respond to data subject rights requests within the statutory timeframe.
8. Security
CareClarity implements and maintains appropriate technical and organisational measures to protect Personal Data, including:
- Encrypted data transmission (HTTPS/TLS) for all platform communications
- Encrypted data storage using industry-standard encryption (AES-256 at rest via Supabase)
- Role-based access controls limiting user access to their own organisation’s data
- Row-level security enforced at the database level
- Transient document processing — document content is not written to the CareClarity database
- Anthropic API operational logs retained for a maximum of 7 days before automatic deletion
- Invitation-only user onboarding with authenticated sessions
- Regular security review
9. Security Incidents
In the event of a Security Incident affecting Personal Data processed through the CareClarity platform, CareClarity will:
- Notify the Controller without undue delay, and where feasible within 72 hours of becoming aware of the incident
- Provide reasonable information about the nature of the incident, the data affected, the likely consequences, and the measures taken or proposed
- Provide reasonable assistance with the Controller’s obligations to notify the ICO and affected data subjects where required
Notification of a Security Incident by CareClarity does not constitute an acknowledgement of fault or liability.
10. Deletion and Return of Data
Upon termination or expiry of the subscription, CareClarity will:
- Retain account and usage data for 12 months following account closure, after which it will be deleted
- Make account data available for export by the Controller on request within 30 days of subscription end
- Delete all Personal Data from CareClarity’s systems within 12 months of account closure
Document content submitted to the platform tools is not retained by CareClarity beyond the processing session and is therefore not subject to the deletion and return process.
11. Audit Rights
CareClarity will make available to the Controller, on request, information reasonably necessary to demonstrate compliance with this DPA and UK GDPR Article 28. This may include relevant certifications, security documentation, and sub-processor details.
The Controller may request an audit of CareClarity’s data processing activities no more than once per calendar year, subject to 30 days’ prior written notice to hello@careclarity.care, and on terms agreed between the parties. Audits must be conducted during normal business hours, in a manner that does not materially disrupt CareClarity’s operations, and at the Controller’s cost.
Where CareClarity provides relevant third-party certifications (such as SOC 2 or ISO 27001 documentation from its Sub-processors), the Controller agrees to accept these in lieu of conducting a separate physical audit of the controls covered.
12. International Transfers
Some Sub-processors process Personal Data outside the UK or EEA. CareClarity ensures that all such transfers are subject to appropriate safeguards under UK GDPR, including UK International Data Transfer Agreements (UK IDTA) or Standard Contractual Clauses as applicable. Details are set out in clause 6.
13. Term
This DPA comes into effect on the date the subscribing organisation creates a CareClarity account and remains in force for the duration of the subscription. It survives termination of the subscription to the extent necessary to govern the deletion of Personal Data under clause 10.
14. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with it shall be subject to the exclusive jurisdiction of the courts of England and Wales.
15. Contact
For any data protection queries relating to this DPA, contact GFE Tech Group Ltd at hello@careclarity.care.
GFE Tech Group Ltd is registered with the Information Commissioner’s Office under registration number ZC153731.