Data Processing Agreement
The standard SoftCare Data Processing Agreement, incorporated into the SoftCare Subscription Terms and satisfying UK GDPR Article 28. A qualified data-protection lawyer's review is recommended before large-scale processing of resident data or before signing enterprise/group contracts.
This Data Processing Agreement (the "DPA") is entered into between:
SOCurity Ltd (trading as "SoftCare"), a company registered in Scotland under company number SC742697, with its registered office at Moffat Business Centre, 96-98 Forrest Street, Clarkston, Airdrie, Scotland, ML6 7AG ("SoftCare", "we", "us", "Processor"); and
the customer identified in the underlying SoftCare Subscription Terms (the "Customer", "you", "Controller").
This DPA forms part of, and is governed by, the SoftCare Subscription Terms (the "Principal Agreement"). Capitalised terms not defined here have the meaning given in the Principal Agreement. In the event of conflict between this DPA and the Principal Agreement on matters relating to personal data, this DPA prevails.
Effective date: the date the Principal Agreement becomes effective.
1. Definitions
"UK GDPR" means the UK General Data Protection Regulation (Regulation (EU) 2016/679 as retained in UK law) together with the Data Protection Act 2018.
"Applicable Data Protection Laws" means UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other data protection or privacy laws applicable to the processing of Personal Data under this DPA.
"Personal Data", "Data Subject", "Process", "Processing", "Controller", "Processor", "Sub-processor", "Supervisory Authority", and "Special Category Data" have the meanings given in UK GDPR.
"Customer Personal Data" means Personal Data processed by SoftCare on behalf of the Customer under the Principal Agreement.
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
2. Subject matter, duration, nature, and purpose
Subject matter. Processing by SoftCare of Customer Personal Data as necessary to provide the SoftCare service under the Principal Agreement.
Duration. From the Effective Date until termination of the Principal Agreement and the subsequent return or deletion of Customer Personal Data in accordance with section 12.
Nature and purpose. SoftCare processes Customer Personal Data to operate, maintain, improve, secure, and support the SoftCare service, and to perform SoftCare's obligations under the Principal Agreement.
Types of Personal Data, categories of Data Subjects, and description of processing are set out in Annex A (Processing Details).
3. Roles
The Customer is the Controller of Customer Personal Data. SoftCare is a Processor. SoftCare may act as a Controller only in relation to (i) account administration data (names and emails of Customer-designated administrators), (ii) aggregate or anonymised service-usage data, and (iii) billing information. For those limited categories, the Privacy Policy at softcare.uk/privacy applies.
Where Customer Personal Data includes Special Category Data (including health data and care records), the Customer warrants that it has a lawful basis under UK GDPR Article 6 and a separate condition under UK GDPR Article 9 for the processing, and confirms that SoftCare's processing of that data as a Processor is covered by that basis and condition.
4. Customer instructions
SoftCare will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to third countries, unless required to do so by applicable UK or EU law to which SoftCare is subject. Where SoftCare is required to process for any other purpose by law, SoftCare will inform the Customer of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.
The Customer's instructions to SoftCare are to:
- operate, maintain, and support the SoftCare service as described in the Principal Agreement and Documentation;
- perform any Customer-configured actions (for example, generating reports, exporting data, provisioning or removing user accounts);
- act on support or configuration requests the Customer raises through SoftCare's support channels or via authorised Customer administrators; and
- comply with any further instructions the Customer gives in writing, consistent with the Principal Agreement.
If SoftCare believes a Customer instruction would infringe Applicable Data Protection Laws, SoftCare will promptly inform the Customer and is not required to carry out the instruction until the matter is resolved.
5. Confidentiality
SoftCare ensures that personnel authorised to process Customer Personal Data are bound by written confidentiality obligations or appropriate statutory duties of confidence, and are trained in their data protection responsibilities.
6. Security
SoftCare implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk to Customer Personal Data. These measures are described in Annex B (Security Measures) and include, at minimum: encryption in transit, encryption at rest of Customer Personal Data, database-layer tenant isolation via PostgreSQL Row-Level Security, role-based access control, multi-factor authentication for privileged access, full-mutation audit logging, structured logging, network segmentation, regular vulnerability scanning, penetration testing, secure development lifecycle practices, documented backup and restore procedures, and incident response processes.
SoftCare reviews and, where needed, updates these measures periodically to reflect evolving threats and good industry practice.
7. Sub-processors
The Customer authorises SoftCare to engage Sub-processors to assist in providing the service, subject to the conditions in this section.
Current Sub-processors are listed at softcare.uk/subprocessors and in Annex C (Sub-processor Register) of this DPA as of the Effective Date.
Changes. SoftCare will give the Customer at least 30 days' prior notice of any intended addition or replacement of a Sub-processor processing Customer Personal Data. Notice may be given by email to the Customer's notified administrator contacts, by in-product notification, or by updating softcare.uk/subprocessors and notifying subscribers to that page. Within that 30-day period the Customer may object in writing on reasonable data protection grounds. If SoftCare cannot resolve the objection to the Customer's reasonable satisfaction, the Customer may terminate the affected services under the Principal Agreement without penalty, with pro-rated refund of any prepaid fees for services not yet delivered.
Flow-down. SoftCare imposes on each Sub-processor, by written contract, data protection obligations substantially equivalent to those in this DPA, and remains liable to the Customer for each Sub-processor's performance of those obligations.
8. International transfers
SoftCare hosts and processes Customer Personal Data in the United Kingdom as its primary location. Where a Sub-processor processes Customer Personal Data outside the UK, SoftCare ensures the transfer is permitted under UK GDPR, including through reliance on adequacy regulations, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an appropriate alternative safeguard, with any supplementary measures required following the UK ICO's guidance.
Transfer mechanisms for each Sub-processor are identified in Annex C.
9. Data Subject rights
SoftCare will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under UK GDPR. If SoftCare receives a Data Subject request directly, it will forward the request to the Customer without undue delay and will not respond substantively except on Customer instruction or as required by law.
The SoftCare service provides functionality to enable the Customer to access, rectify, export, and delete Customer Personal Data to support responding to Data Subject requests.
10. Data Protection Impact Assessments and consultation
SoftCare will provide reasonable assistance to the Customer for any Data Protection Impact Assessment and, where required, prior consultation with the Supervisory Authority, in each case relating to processing by SoftCare of Customer Personal Data under this DPA.
11. Security Incidents
SoftCare will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data. The notification will include, to the extent known at the time:
- a description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects and records concerned;
- the name and contact details of the SoftCare contact point for further information (by default, privacy@softcare.uk);
- the likely consequences of the Security Incident; and
- the measures taken or proposed to address the Security Incident and to mitigate its possible adverse effects.
Where and insofar as it is not possible to provide the information at the same time, it may be provided in phases without further undue delay. SoftCare will cooperate in good faith with the Customer's response to the Security Incident and, where required under UK GDPR, the Customer's notification to the Supervisory Authority and affected Data Subjects.
A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (for example, unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems).
12. Return or deletion of Customer Personal Data
Upon termination or expiry of the Principal Agreement, SoftCare will, at the Customer's choice, return all Customer Personal Data to the Customer or delete it, including copies, within 90 days of termination, unless UK or EU law requires storage of some or all of the Customer Personal Data (in which case SoftCare will continue to protect it in accordance with this DPA and delete it once the legal basis for retention ends).
The service provides a Customer-initiated export of Customer Personal Data in common machine-readable formats prior to termination. Backups containing Customer Personal Data are retained for the backup retention period stated in Annex B and are purged on the normal backup cycle after termination.
13. Audits
SoftCare will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for, and contribute to, audits conducted by the Customer or another auditor mandated by the Customer, subject to reasonable notice (at least 30 days except for urgent audits required by a Supervisory Authority), reasonable frequency (no more than once per 12-month period except as required by a Supervisory Authority or following a Security Incident), confidentiality obligations, and SoftCare's reasonable security and operational requirements.
SoftCare may satisfy its obligations under this section by providing the Customer with copies of current third-party certifications and audit reports (for example, Cyber Essentials Plus, NHS DSPT submissions, ISO 27001 certificates, SOC 2 reports once obtained), together with responses to reasonable follow-up questions.
The Customer is responsible for its own and its auditor's reasonable costs in conducting an audit. SoftCare is responsible for its own reasonable costs of cooperating with an audit, except where an audit identifies a material breach by SoftCare of this DPA, in which case SoftCare bears its own costs.
14. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability in the Principal Agreement.
15. Governing law
This DPA is governed by the laws of Scotland, consistent with the Principal Agreement. The parties submit to the exclusive jurisdiction of the Scottish courts.
Annex A — Processing Details
Nature and purpose of processing. Operation, maintenance, support, improvement, and security of the SoftCare care management service provided under the Principal Agreement.
Subject matter. Personal data necessary for Customer to deliver regulated care services using SoftCare, including records relating to the individuals in Customer's care ("Service Users"), Customer staff ("Employees"), and individuals linked to Service Users (e.g., next of kin).
Duration. From the Effective Date until deletion or return under section 12.
Categories of Data Subjects. (i) Customer's Employees and contractors; (ii) Service Users; (iii) family members, next-of-kin, and other contacts of Service Users authorised by Customer to access the service; (iv) administrators and other authorised users of the Customer.
Types of Personal Data. Contact details (name, email, phone, address); employment data (job title, hours, rates, absence, supervisions, training); identifiers (NHS number, NI number, DBS certificate identifiers); Special Category Data including health data, care records, medication records, risk assessments, incident reports; safeguarding information; biometric or body-map data where recorded by Customer; operational data (rota, timesheets, visit logs, handovers, announcements); billing and financial data as applicable; audit logs of user actions.
Frequency of processing. Continuous during the Principal Agreement.
Annex B — Security Measures
SoftCare implements the following technical and organisational measures to protect Customer Personal Data. This Annex will be updated from time to time to reflect SoftCare's evolving posture; no update will reduce the overall level of protection.
- Hosting and tenancy. UK-region hosting with an industry-standard cloud provider. Multi-tenant architecture with database-layer isolation via PostgreSQL Row-Level Security (RLS) policies. Automated CI tests verify cross-tenant access is rejected.
- Encryption. TLS 1.2 or higher for data in transit. AES-256 or equivalent for data at rest, including database and backup storage.
- Access control. Role-based access control enforced in the application and at the database layer. Multi-factor authentication required for all SoftCare personnel with privileged access. Principle of least privilege applied to production systems.
- Authentication. Bcrypt-hashed passwords for Customer users; JWT-based session management with short-lived access tokens and rotated refresh tokens; MFA available to Customer administrators.
- Audit logging. Full mutation audit log captures actor, action, entity, old values, new values, IP address, and user agent for Customer-side data changes. SoftCare-side administrative access is separately logged.
- Secure development. Peer code review, dependency scanning, static analysis, and security review of new features with Personal Data implications. Separation of development, staging, and production environments.
- Vulnerability management. Regular automated vulnerability scans. Annual third-party penetration test (targeted once the first paid customer onboards and annually thereafter).
- Backups. Encrypted database backups retained for 30 days. Documented and periodically tested restore procedure.
- Business continuity. Documented incident response plan and disaster recovery plan, reviewed at least annually.
- Physical security. Provided by the underlying cloud provider under their certified controls.
- Personnel. Written confidentiality undertakings, background checks where permitted, and role-appropriate data protection training.
- Certifications (planned). Cyber Essentials (self-assessed), Cyber Essentials Plus, NHS Data Security and Protection Toolkit, and ISO 27001 certification are on the compliance roadmap.
Annex C — Sub-processor Register
| Sub-processor | Purpose | Location | Transfer mechanism (if outside UK) |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Application + database hosting, storage, encrypted backups | UK (eu-west-2, London) | N/A — UK |
| Stripe | Subscription billing and payment processing | UK / EU / US | UK IDTA / UK Addendum to EU SCCs |
| Anthropic | AI processing for support and product-build assistance (prompt content only; no bulk resident records) | US | UK Addendum to EU SCCs |
| Sentry | Application error reporting (no personal data; stack traces only) | EU (Germany) | N/A — EU adequacy |
| PostHog | Product analytics (named events only; no resident data) | EU | N/A — EU adequacy |
| Cloudflare | DNS and network routing | Global (UK edge) | UK Addendum to EU SCCs |
| Proton | Inbound support email | Switzerland / EU | N/A — Switzerland adequacy |
This DPA has been signed electronically or is incorporated by reference in the Principal Agreement between the parties.