Data Processing Agreement
GDPR-compliant data processing terms
1. Definitions
1.1 "Data Protection Laws" means the GDPR (Regulation (EU) 2016/679), the UK Data Protection Act 2018, and any other applicable data protection legislation.
1.2 "Personal Data" means any information relating to an identified or identifiable natural person processed under this Agreement.
1.3 "Processing" has the meaning given in the GDPR.
1.4 "Data Subject" means the individual to whom Personal Data relates (typically therapy clients).
1.5 "Sub-processor" means any third party engaged by Processor to process Personal Data.
1.6 "Controller" means the therapist or therapy practice determining the purposes and means of processing.
1.7 "Processor" means TherapyVault.ai processing Personal Data on behalf of the Controller.
1.8 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Application
2.1 Agreement Purpose
This Data Processing Agreement ("DPA") governs the processing of Personal Data by TherapyVault.ai on behalf of healthcare professionals using our platform.
2.2 Relationship to Terms
This DPA forms an integral part of the Terms of Service and takes precedence in matters of data protection.
2.3 Duration
This DPA remains in effect for the duration of Personal Data processing, including any retention period.
3. Data Processing Details
3.1 Nature and Purpose
Processing purposes:
- Therapy session recording and transcription
- AI-powered session analysis
- Clinical documentation management
- Practice administration support
- Service improvement (anonymized)
3.2 Types of Personal Data
Client data processed:
- Identifying information (names, contact details)
- Voice recordings and transcriptions
- Health and mental health information
- Treatment notes and assessments
- Therapeutic progress data
Therapist data processed:
- Account and credential information
- Professional registration details
- Usage and activity logs
- Billing information
3.3 Categories of Data Subjects
- Therapy clients/patients
- Mental health professionals
- Practice administrators
- Authorized third parties
3.4 Duration of Processing
Processing continues for the term of service plus any legally required retention period.
4. Roles and Responsibilities
4.1 Controller Obligations
The Controller shall:
- Ensure lawful basis for processing
- Obtain necessary consents
- Provide clear instructions
- Comply with Data Protection Laws
- Respond to data subject requests
- Maintain processing records
4.2 Processor Obligations
The Processor shall:
- Process only on documented instructions
- Ensure personnel confidentiality
- Implement appropriate security measures
- Assist with compliance obligations
- Delete or return data after termination
- Demonstrate compliance
5. Processor Personnel
5.1 Confidentiality
All personnel authorized to process Personal Data have:
- Committed to confidentiality obligations
- Received appropriate training
- Limited access based on necessity
5.2 Reliability
We ensure personnel reliability through:
- Background checks
- Confidentiality agreements
- Regular training
- Access monitoring
- Disciplinary procedures
6. Technical and Organizational Measures
6.1 Security Measures
Technical safeguards:
- Military-grade encryption at rest
- Industry-leading encryption in transit
- Strong authentication mechanisms
- Comprehensive access control
- Advanced threat detection
- Regular security updates
Organizational safeguards:
- Information security policies
- Incident response procedures
- Business continuity planning
- Regular risk assessments
- Security awareness training
- Vendor management program
6.2 Data Center Security
Physical security:
- 24/7 monitoring
- Biometric access controls
- Environmental controls
- Redundant power systems
- Fire suppression
- Geographic redundancy
6.3 Compliance Certifications
- SOC 2 Type II
- Aligned with international security standards
- Aligned with the NHS Data Security Toolkit
- Regular third-party audits
7. Sub-processing
7.1 Authorized Sub-processors
Current authorized sub-processors:
| Service Type | Purpose | Location |
|---|---|---|
| Cloud Infrastructure | Hosting & Storage | UK/EU |
| Transcription Services | Speech Processing | Compliant Regions |
| AI Services | Analysis & Insights | EU |
| Payment Processing | Billing | EU |
| Document Management | Contracts | UK |
7.2 Sub-processor Requirements
All sub-processors must:
- Provide sufficient guarantees
- Sign data processing agreements
- Implement appropriate measures
- Allow audits and inspections
- Notify of breaches immediately
7.3 New Sub-processors
Notification process:
- 30 days advance notice
- Opportunity to object
- Reasonable grounds required
- Alternative options considered
7.4 Liability
Processor remains fully liable for sub-processor compliance and performance.
8. International Transfers
8.1 Transfer Restrictions
Personal Data remains within the UK/EEA unless:
- Controller provides instructions
- Appropriate safeguards exist
- Legal requirement applies
8.2 Transfer Mechanisms
Safeguards implemented:
- Standard Contractual Clauses (2021)
- Supplementary measures
- Transfer impact assessments
- Encryption requirements
8.3 Data Localization
Primary data storage and processing take place in secure UK facilities, with options for:
- EU data residency
- Regional restrictions
- Controlled international transfers
9. Controller Assistance
9.1 Data Subject Rights
Processor assists with:
- Access requests
- Rectification requests
- Erasure requests
- Portability requests
- Restriction requests
- Objection handling
Response timeline: 5 business days
9.2 Compliance Support
Assistance provided for:
- Data protection impact assessments
- Prior consultation with authorities
- Security breach investigations
- Regulatory inquiries
- Compliance demonstrations
9.3 Documentation
Processor maintains and provides:
- Processing records
- Security documentation
- Audit reports
- Compliance certificates
- Breach registers
10. Data Breach Management
10.1 Breach Notification
To Controller:
- Notification without undue delay
- Maximum 48 hours from awareness
- Detailed incident report
- Regular status updates
10.2 Notification Content
Breach notifications include:
- Nature of the breach
- Categories of data affected
- Approximate number of subjects
- Likely consequences
- Mitigation measures taken
- Contact point for information
10.3 Breach Response
Processor shall:
- Investigate immediately
- Contain the breach
- Assess the impact
- Implement remediation
- Prevent recurrence
- Cooperate with authorities
10.4 Documentation
All breaches documented with:
- Facts and effects
- Remedial action taken
- Notification timeline
- Lessons learned
11. Audits and Inspections
11.1 Audit Rights
Controller may conduct audits:
- Annual audits permitted
- 30 days advance notice
- Reasonable scope and duration
- Minimal disruption requirement
11.2 Audit Types
Available options:
- Documentation review
- Questionnaire completion
- Third-party audit reports
- On-site inspections (if necessary)
11.3 Costs
- First annual audit: No charge
- Additional audits: Controller pays
- Breach-related audits: Processor pays
11.4 Findings
- Report provided within 30 days
- Remediation plan if needed
- Follow-up verification
- Confidentiality maintained
12. Data Return and Deletion
12.1 Upon Termination
Controller may choose:
- Data return in standard format
- Secure deletion certification
- Combination of both
12.2 Timeline
- Return/deletion within 30 days
- Backup deletion within 90 days
- Legal retention exceptions
12.3 Format
Data returned in:
- JSON or CSV format
- Encrypted transfer
- Verification checksums
- Documented structure
12.4 Certification
Processor provides:
- Deletion certificate
- Method description
- Verification process
- Authorized signature
13. Liability and Indemnification
13.1 Processor Liability
Processor liable for:
- Breach of DPA obligations
- Acting outside instructions
- Sub-processor failures
- Security breaches (negligence)
13.2 Liability Limitations
Subject to the limitations in the Terms of Service, except for:
- Gross negligence
- Willful misconduct
- Regulatory fines (fault-based)
13.3 Indemnification
Mutual indemnification for:
- Third-party claims
- Regulatory actions
- Breach-related damages
14. Governing Law and Jurisdiction
14.1 Applicable Law
This DPA is governed by the laws of England and Wales.
14.2 Dispute Resolution
- Good faith negotiation
- Mediation attempt
- Arbitration or courts
- ICO complaint rights preserved
15. Amendments
15.1 Modification Process
Amendments require:
- Written agreement
- Regulatory compliance
- Reasonable notice
- No degradation of protection
15.2 Regulatory Changes
Automatic updates for:
- Legal requirements
- Regulatory guidance
- Court decisions
- Standard clause updates
16. Order of Precedence
In case of conflict:
- Mandatory law
- This DPA
- Terms of Service
- Other agreements
17. Annexes
Annex I: Processing Details
A. List of Parties
- Controller: Healthcare Professional/Practice
- Processor: TherapyVault.ai Limited
B. Processing Description
- Recording and transcription services
- AI-powered analysis
- Clinical documentation
- Practice management
C. Competent Supervisory Authority
- UK: Information Commissioner's Office
Annex II: Technical Measures
Security Standards:
- Encryption: Military-grade standards
- Access: Multi-layered authentication and authorization
- Monitoring: Continuous security monitoring
- Backup: Regular automated backups with redundancy
- Testing: Regular security assessments and audits
Annex III: Sub-processors
See Section 7.1 for current list.
Updates at: therapyvault.ai/sub-processors
18. Signatures
By accepting the Terms of Service, Controller agrees to this Data Processing Agreement.
Processor:
TherapyVault.ai Limited
Authorized Representative
Date: As per Terms acceptance
Controller:
Accepted electronically
Date: Upon service registration
Document Control
Version: 1.0
Effective Date: August 1, 2025
Review Date: February 1, 2026
Classification: Legal Agreement