Wisterias CMS - Data Processing Agreement (DPA) Policy

Effective Date: 01/05/2025

  1. Introduction

This Data Processing Agreement (“DPA”) forms part of the service agreement (“Principal Agreement”) between Wisterias Care Software (“we”, “us”, “our”) and your organisation (“you”, “your”) regarding the use of our care management system via web and mobile applications (“the Services”).

This agreement outlines how we handle personal data on your behalf in compliance with all applicable data protection laws, including the UK GDPR and Data Protection Act 2018.

  1. Key Definitions
  • Applicable Law: Any current or future law, regulation, or rule in force that applies to the services.
  • Data Protection Law: All legislation relating to the protection of personal data, including the UK GDPR and DPA 2018.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Data Controller: You, the organisation, who decides how and why personal data is processed.
  • Data Processor: Wisterias Care software Ltd acting on your instructions.
  • Sub-Processor: Any third-party service we authorise to process personal data for us.
  • Data Subject: The individual whose data is being processed.
  • Processing: Any action taken regarding personal data (e.g., storage, access, deletion).
  1. Scope of Processing

We will process personal data solely:

  • As necessary to provide the Services under the Principal Agreement.
  • According to your documented instructions.
  • In accordance with applicable Data Protection Laws.

You, as Data Controller, retain full control of all personal data.

  1. Our Responsibilities as Data Processor

We commit to:

  • Following Instructions: We will only process personal data as per your documented instructions unless legally required to act otherwise.
  • Maintaining Confidentiality: All staff handling personal data are bound by confidentiality obligations.
  • Implementing Security Measures: We apply appropriate technical and organisational measures to secure personal data, including:
    • Encryption of data.
    • Access control.
    • Regular testing and monitoring of security.
    • Backup and disaster recovery protocols.
  • Assisting with Data Subjects’ Rights: We will assist you in responding to requests from individuals (such as access, rectification, or deletion requests).
  • Data Breach Notifications: We will promptly inform you if we become aware of any personal data breach.
  • Supporting Compliance: We will assist you, where reasonably possible, with impact assessments, consultations with authorities, and compliance obligations.
  1. Sub-Processors

We may appoint trusted Sub-Processors to assist in delivering the Services.
All Sub-Processors will:

  • Be under a written contract requiring equivalent data protection obligations.
  • Only process data in line with our instructions.
  • Be listed and updated as needed (you will be notified of new appointments and have the right to object).

Approved Sub-Processors include services like Amazon Web Services, Google Cloud, Intercom, Stripe, and others listed in our latest Sub-Processor register.

  1. Data Return and Deletion

At the end of our agreement (or upon written request), we will:

  • Either securely delete or return all personal data to you within 60 days;
  • Retain only data required by law.
  1. Audits and Inspections
  • You have the right to audit our compliance with this DPA.
  • Audits must be agreed with reasonable notice and conducted in a way that minimises disruption to our business.
  • We reserve the right to object to third-party auditors who are competitors or lack independence.
  1. Your Responsibilities as Data Controller

You must:

  • Ensure all personal data provided to us has been lawfully collected and processed.
  • Provide correct instructions for data processing.
  • Comply with your obligations under applicable data protection laws, including responding to data subjects’ requests.
  1. Limitation of Liability

Our total liability for all claims arising under this DPA will not exceed 75% of the total fees paid by you in the preceding year, unless otherwise required by law.

  1. General Terms
  • This DPA will terminate automatically with the end of the Principal Agreement.
  • Notices under this agreement must be sent in writing (post or email).
  • If any part of this DPA is found invalid, the rest will continue to apply.
  • No partnership or joint venture is created by this DPA.
  • No third party will have any rights under this agreement.
  1. Governing Law and Jurisdiction

This DPA is governed by English law.
Both parties agree to the exclusive jurisdiction of the courts of England and Wales.

📋 Schedule 1 – Data Processing Details

AreaDescription
Subject MatterProcessing of care, health, and contact data for service delivery.
PurposeProvision of our Care Management platform.
Types of DataNames, emails, addresses, health records, photos, incident notes, GPS location, care notes.
Categories of Data SubjectsCare workers (Users) and Service Users (patients).
DurationFrom agreement start until termination or deletion request.

 

📋 Schedule 2 – Approved Sub-Processors

  • Amazon Web Services
  • MongoDB
  • Intercom
  • HubSpot
  • Stripe
  • [Other Sub-Processors – if applicable]