This Data Processing Agreement ("DPA") forms part of the Care App Terms of Service and is required under Article 28 of the UK General Data Protection Regulation ("UK GDPR"). By using Care App, the Controller agrees to this DPA.
Data Processor:
Inkfinity Print Solutions Ltd
Innovation Centre, Maidstone Road, Chatham, Kent, ME5 9FD
Registered in England and Wales
ICO Registration No: 00017970075
Contact: hello@care-app.uk
Data Controller:
The organisation that has registered for and is using the Care App service, as identified by the account registration details.
In this DPA:
| Aspect | Details |
|---|---|
| Subject matter | Provision of the Care App care management platform |
| Duration | For the term of the Services Agreement, plus 90 days post-termination |
| Nature | Storage, retrieval, display, export, and deletion of care and staff records |
| Purpose | Enabling the Controller to manage supported living clients, staff, rotas, medications, care records, and compliance documentation |
| Types of personal data | Names; dates of birth; addresses; contact details; care and support plans; medication records; daily care notes; risk assessments; incident reports; staff employment details; timesheets; financial records relating to clients |
| Special category data | Health and care-related data relating to supported living clients |
| Data subjects | Supported living clients of the Controller; employees and contractors of the Controller |
| Data location | United Kingdom (Google Cloud, London region — europe-west2) |
The Processor shall:
Process Personal Data only on documented instructions from the Controller. The Controller's use and configuration of the Service constitutes such instructions. The Processor will notify the Controller if it considers that an instruction infringes UK GDPR before carrying out that instruction.
Ensure that all persons authorised to process the Personal Data are subject to appropriate obligations of confidentiality, whether under contract or by operation of law.
Implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:
Not engage a new Sub-processor without giving the Controller prior written notice of at least 14 days. The Controller's continued use of the Service following such notice constitutes consent. The Processor shall impose equivalent data protection obligations on all Sub-processors and remains liable for the acts of Sub-processors.
Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
Assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the UK GDPR, including in relation to security of processing, breach notification, data protection impact assessments, and prior consultation with the Supervisory Authority.
Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's data. Notification will be made to the email address associated with the Controller's management account. The notification shall include, to the extent then known:
At the choice of the Controller, upon termination of the Services Agreement, delete or return all Personal Data to the Controller within 90 days of termination, and delete all existing copies unless applicable law requires continued storage. The Processor will confirm deletion in writing upon request.
Make available all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable written notice of no less than 30 days and at the Controller's cost.
The Controller shall:
The Controller authorises the Processor to use the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google LLC (Firebase) | Cloud hosting, database (Firestore), file storage, user authentication | United Kingdom (London — europe-west2) |
Google's data processing terms are available at firebase.google.com/support/privacy. The Processor has accepted Google's data processing addendum.
The Processor will provide the Controller with at least 14 days' prior written notice of any intended change to this list, giving the Controller the opportunity to object before the change takes effect.
All Personal Data is stored and processed within the United Kingdom using Google Firebase's London region (europe-west2). No Personal Data is intentionally transferred outside the UK or EEA. In the event that any such transfer becomes necessary, the Processor will ensure it is made only in accordance with Chapter V of the UK GDPR and will notify the Controller in advance.
7.1 This DPA shall remain in force for the duration of the Services Agreement between the parties.
7.2 This DPA terminates automatically upon termination of the Services Agreement.
7.3 Obligations relating to confidentiality and the deletion of Personal Data shall survive termination of this DPA.
8.1 Each party's liability under this DPA shall be subject to the limitations set out in the Care App Terms of Service.
8.2 The Processor shall not be liable for any loss or damage arising from the Controller's failure to comply with its own obligations under UK GDPR or this DPA.
8.3 Nothing in this DPA limits liability for death or personal injury caused by negligence, fraud, or any other matter that cannot be excluded by law.
This DPA is governed by the laws of England and Wales. Any disputes arising in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
For all data protection matters relating to this DPA, or to exercise any rights under this DPA, contact:
The UK Supervisory Authority is the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113