Data Processing Agreement

This DPA forms part of the agreement between you (the Controller) and CareLoop Ltd (the Processor), and applies whenever we process personal data on your behalf as defined by UK GDPR Article 28.

1. Subject matter & duration

Processing relates to the operation of the CareLoop service for the duration of your subscription plus a 30-day post-termination retention window for export.

2. Categories of data subjects

• Your employees, agency workers and volunteers.
• Residents and service users in your care.
• Family members & next-of-kin you record.
• External professionals (GPs, district nurses, etc.).

3. Categories of personal data

• Identity & contact (name, role, email, phone, employee reference).
• Special-category health data — care plans, medication, allergies, mental capacity, end-of-life wishes.
• HR records — DBS status, certifications, disciplinary.
• Financial — pay rate, bank for payroll export.
• Audit logs — who did what, when.

4. Processor obligations

1. Process only on documented instructions from the Controller.
2. Ensure persons authorised to process are bound by confidentiality.
3. Implement Annex II — Technical and Organisational Measures.
4. Engage sub-processors only with prior general authorisation.
5. Assist with DSARs, breach notification and DPIAs.
6. Notify the Controller of any personal data breach within 24 hours.
7. Delete or return all personal data on termination.
8. Make available all information necessary to demonstrate compliance.

Annex I — Sub-processors

See live list at /sub-processors. You will be notified of changes 30 days in advance and may object.

Annex II — Technical and Organisational Measures

See /security for the full controls list, equivalent to ISO 27001 Annex A.

To execute a signed copy, email dpo@careloop.com.