Data Processing Agreement

This Data Processing Agreement governs how HealthcareBase processes personal data on behalf of business customers acting as data controllers.

Last updated: 22 April 2026

This Data Processing Agreement ("DPA") is entered into between Healthcare Base Limited ("Processor") and the Customer ("Controller") and shall form part of the Customer Agreement upon execution by both parties. It governs the processing of personal data by Healthcare Base Limited on behalf of the Controller, where such processing occurs. This DPA only applies where both parties have agreed to its terms in writing. Capitalised terms not defined in this DPA have the meanings given to them in the Customer Agreement.

1. Definitions

1.1 In this DPA:

"Controller" has the meaning given under applicable Data Protection Legislation, and refers to the Customer where the Customer instructs Us to process personal data on their behalf (for example, by adding Users to the Platform).

"Data Protection Legislation" means the UK GDPR, the Data Protection Act 2018, and any successor legislation, as amended from time to time.

"Personal Data" has the meaning given under applicable Data Protection Legislation, and refers to personal data of the Controller's personnel and authorised Users processed by Us in the course of providing the Services.

"Processing" has the meaning given under applicable Data Protection Legislation.

"Processor" refers to Healthcare Base Limited in its capacity as data processor where it processes personal data on the Controller's behalf.

"Sub-processor" means any third-party processor engaged by Us to process personal data in the course of providing the Services.

2. Scope and Application

2.1 This DPA applies where the Controller is a business and instructs Us to process personal data of the Controller's employees, personnel, or agents as Users of the Platform (for example, by an Administrator adding User accounts).

2.2 This DPA does not apply to personal data for which We are the data controller in our own right (such as account registration data, billing data, and usage analytics collected directly by Us in accordance with Our Privacy Policy).

2.3 Where the Controller proposes to upload or submit third-party personal data to the Platform in the future, the parties agree to execute a separate or supplemental DPA covering that processing at that time.

3. Controller's Obligations

3.1 The Controller warrants that it has a lawful basis under applicable Data Protection Legislation for instructing Us to process personal data of its Users, and that it has provided all required notices to those individuals.

3.2 The Controller shall ensure that any personal data it provides to Us in connection with User account creation is accurate, limited to what is necessary, and that it has authority to provide such data to Us.

3.3 The Controller shall notify Us promptly if it becomes aware of any breach or suspected breach relating to personal data processed under this DPA.

4. Processor's Obligations

In relation to personal data processed on behalf of the Controller, We shall:

  • (a) process personal data only on documented instructions from the Controller (including as set out in the Customer Agreement and this DPA) and not for any other purpose, unless required to do so by applicable law (in which case We will inform the Controller of that legal requirement before processing, unless prohibited by law from doing so);
  • (b) ensure that persons authorised to process the personal data are subject to appropriate obligations of confidentiality;
  • (c) implement appropriate technical and organisational security measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, having regard to the nature, scope, context and purposes of processing and the risks to individuals;
  • (d) not engage any new Sub-processor without prior written notice to the Controller (see Clause 5 below);
  • (e) assist the Controller, taking into account the nature of the processing, with responding to requests from data subjects exercising their rights under applicable Data Protection Legislation, insofar as this is possible given the nature of the processing;
  • (f) assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, to the extent applicable and insofar as the information required is available to Us;
  • (g) at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of the Services relating to processing (subject to any legal obligation to retain certain data); and
  • (h) make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable prior written notice of not less than thirty (30) days and subject to appropriate confidentiality undertakings.

5. Sub-processors

5.1 The Controller grants Us general authorisation to engage the following Sub-processors, which are involved in providing the Services:

Sub-processor                         Location                   Purpose
Supabase Inc.                         United Kingdom (London)    Database and authentication
Stripe, Inc.                          United States              Payment processing
Functional Software, Inc. (Sentry)    United States              Error monitoring
HubSpot, Inc.                         United States              Marketing communications
Resend Inc.                           United States              Transactional email

5.2 We will notify the Controller by email at least fourteen (14) days before adding any new Sub-processor or making material changes to existing Sub-processors. The Controller may object to such changes in writing within fourteen (14) days of notification. If the Controller objects and We are unable to address the objection, the Controller may terminate the Customer Agreement by written notice.

5.3 We shall ensure that any Sub-processor is bound by data processing obligations no less protective than those set out in this DPA.

6. International Transfers

6.1 Where personal data is transferred to Sub-processors located outside the United Kingdom, We shall ensure appropriate transfer mechanisms are in place, including UK International Data Transfer Agreements (IDTAs) or equivalent approved mechanisms, as required by applicable Data Protection Legislation.

7. Data Subject Rights

7.1 We shall promptly notify the Controller (and in any event within five (5) business days) if We receive any request from a data subject exercising their rights under applicable Data Protection Legislation in respect of personal data processed under this DPA.

7.2 We shall not respond to any such request on the Controller's behalf without the Controller's prior written authorisation, except to confirm that the request has been referred to the Controller.

8. Personal Data Breaches

8.1 We shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed under this DPA.

8.2 Such notification shall include, to the extent available at the time: the nature of the breach; the categories and approximate number of data subjects concerned; the categories and approximate volume of personal data records concerned; the likely consequences; and the measures taken or proposed to address the breach.

9. Deletion and Return of Data

9.1 Upon termination or expiry of the Customer Agreement, We shall (at the Controller's election) delete or return all personal data processed under this DPA within thirty (30) days, except to the extent We are required by applicable law to retain it.

10. Term

10.1 This DPA is effective from the date of the Customer Agreement and shall remain in force for the duration of the Customer Agreement and for so long as We retain any personal data on behalf of the Controller.

11. General

11.1 This DPA is governed by the laws of England and Wales and forms part of the Customer Agreement. In the event of any conflict between this DPA and the Customer Agreement, this DPA shall prevail in respect of the parties' data protection obligations.

11.2 Each party's liability under this DPA is subject to the limitations of liability set out in the Customer Agreement.

12. Contact

To request execution of this DPA or for any queries relating to data processing, please contact us at support@healthcarebase.co.uk or via https://www.healthcarebase.co.uk.