Data Processing Agreement

1.1 In this Agreement, unless the context requires otherwise, the following terms shall have the meanings set out below:

1.2 Words in the singular include the plural and vice versa. A reference to a statute or statutory provision includes any subordinate legislation made under it and any modification or re-enactment of it.

2.1 This Agreement sets out the terms on which the Processor shall process Personal Data on behalf of the Controller in connection with the provision of the Services.

2.2 The Processor provides a practice management platform designed for mental health practitioners, including therapists, counsellors and psychologists. The Services include:

• Storage and management of client records, including clinical and demographic information.
• Session scheduling and calendar management.
• Secure messaging between the Controller and their clients.
• Automated appointment reminders and service notifications sent by email and SMS.
• Form creation, storage, and completion, including AI-assisted form generation and document-to-form conversion.
• Billing and payment processing through integrated payment providers.
• Video session facilitation through integrated video conferencing.
• Optional integrations with third-party calendars (such as Google Calendar) and other services at the Controller's discretion. Where calendar integration is used, only minimal data is shared, including appointment times and client initials only.

2.3 The nature, purpose, duration, types of Personal Data, and categories of Data Subjects are further described in Schedule 1.

2.4 The Processor shall process Personal Data only for the purposes of providing the Services to the Controller and as set out in this Agreement. The Processor shall not process Personal Data for any other purpose unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.

2.5 For the avoidance of doubt, this Agreement applies only to Personal Data that the Processor processes on behalf of the Controller in connection with the Services. Therasee acts as an independent controller in respect of certain limited personal data relating to the Controller, including account and billing information, support correspondence, and product usage analytics. Such processing is described in the Therasee Privacy Policy and is not governed by this Agreement.

3.1 The Controller warrants and represents that:

• It has a lawful basis under Applicable Data Protection Law for the processing of Personal Data and Special Category Data, including an appropriate Article 9 condition for the processing of health and mental health data.
• It has provided appropriate privacy notices to Data Subjects informing them of the processing of their data by the Processor and any Sub-processors.
• It shall comply with its obligations under Applicable Data Protection Law in respect of the Personal Data processed under this Agreement.
• It shall ensure that any instructions it gives to the Processor in respect of the processing of Personal Data comply with Applicable Data Protection Law.
• Where it uses AI-assisted features, it is recommended as a matter of best practice to use blank or template versions of documents when uploading for conversion, in accordance with the principle of data minimisation. The Processor has measures in place to mask client data variables and to ensure that data processed by the AI service is not retained beyond the individual request.

Processing Instructions

4.1 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Applicable Data Protection Law. The Processor shall promptly inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law.

Confidentiality

4.2 The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall continue after the termination of this Agreement and any individual's engagement with the Processor.

Security Measures

4.3 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures shall include, as appropriate and as further described in Schedule 2:

• Encryption of Personal Data in transit and at rest.
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
• Access controls and authentication mechanisms to ensure that Personal Data is accessible only to authorised personnel.
• Audit logging of access to and modifications of Personal Data.

4.4 In assessing the appropriate level of security, the Processor shall take account of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, and shall have particular regard to the sensitive nature of health and mental health data processed in connection with the Services.

Sub-processors

4.5 The Controller hereby provides general written authorisation for the Processor to engage Sub-processors for the processing of Personal Data in connection with the Services, subject to the conditions set out in this clause.

4.6 The Processor shall maintain a list of Sub-processors engaged in connection with the Services, as set out in Schedule 3. The Processor shall make this list available to the Controller upon request and shall keep it up to date.

4.7 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes before the change takes effect. The Processor shall provide at least 30 days' notice before engaging any new Sub-processor or making any change that materially alters the location of, or the level of protection applied to, Personal Data. Where the Processor reallocates processing activities between Sub-processors already listed in Schedule 3, without materially changing the location of or level of protection applied to Personal Data, it may do so on shorter notice, and shall update Schedule 3 and notify the Controller accordingly. If the Controller objects to any change on reasonable grounds relating to data protection, the parties shall discuss the matter in good faith. If the parties cannot resolve the objection, the Controller may terminate this Agreement on written notice.

4.8 Where the Processor engages a Sub-processor, the Processor shall impose on the Sub-processor, by way of a contract or other legal act, the same data protection obligations as are set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations.

Data Subject Rights

4.9 Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of UK GDPR and Chapter III of EU GDPR, including rights of access, rectification, erasure, restriction, data portability, and the right to object.

4.10 The Processor shall promptly notify the Controller if it receives a request from a Data Subject in respect of their Personal Data. The Processor shall not respond to such a request itself unless authorised to do so by the Controller or required by applicable law.

Data Protection Impact Assessments

4.11 The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs) and, where necessary, prior consultations with the Supervisory Authority, in each case solely in relation to the processing of Personal Data under this Agreement and taking into account the nature of the processing and the information available to the Processor.

Personal Data Breaches

4.12 The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement. Such notification shall:

• Describe the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
• Communicate the name and contact details of the Processor's data protection point of contact.
• Describe the likely consequences of the Personal Data Breach.
• Describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.13 The Processor shall co-operate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

Deletion and Return of Data

4.14 On termination of this Agreement, or at the Controller's written request, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data. The Processor shall provide the Controller with a reasonable period following termination to export their data from the platform before deletion occurs, in accordance with the timescales set out in Schedule 4.

4.15 Where the Controller requests deletion, the Processor shall confirm in writing that all Personal Data has been deleted, except where retention is required by applicable law.

Compliance and Cooperation

4.16 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of UK GDPR and Article 28 of EU GDPR and this Agreement, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4.17 The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes Applicable Data Protection Law.

5.1 The Processor shall not transfer Personal Data to any country outside the United Kingdom or the European Economic Area without appropriate safeguards being in place in accordance with Chapter V of UK GDPR and Chapter V of EU GDPR, as applicable.

5.2 The majority of Personal Data is stored and processed within the United Kingdom. Where processing occurs outside the UK, the following safeguards apply:

Transfers to the European Union

5.3 Certain processing activities, specifically the AI-assisted form generation service provided through Google Cloud Vertex AI, take place in the European Union (Netherlands, europe-west4 region). The EU has been recognised as providing an adequate level of data protection under the UK's Data Protection (Adequacy) (EU and EEA EFTA States) Regulations. Accordingly, transfers of Personal Data from the UK to the EU do not require additional transfer mechanisms such as Standard Contractual Clauses.

5.3A Where Personal Data is processed within the European Union, such processing is subject to EU GDPR. The Processor ensures that its Sub-processors operating within the EU comply with EU GDPR, including through the Google Cloud Data Processing Addendum (CDPA) which addresses obligations under both UK GDPR and EU GDPR.

Transfers to Other Jurisdictions

5.4 Where Sub-processors process Personal Data outside the UK and the EEA, the Processor shall ensure that appropriate transfer mechanisms are in place, including Standard Contractual Clauses approved by the ICO (International Data Transfer Agreement or Addendum to the EU SCCs) or the European Commission, or reliance on an adequacy decision by the Secretary of State or the European Commission, as applicable.

5.5 Details of the locations and transfer mechanisms for each Sub-processor are set out in Schedule 3.

6.1 The Controller shall have the right to audit and inspect the Processor's compliance with this Agreement and Applicable Data Protection Law. The Controller may exercise this right directly or through a mandated third-party auditor, provided that such auditor is bound by appropriate confidentiality obligations.

6.2 The Controller shall give the Processor at least 30 days' written notice of any audit or inspection, unless an audit is required due to a Personal Data Breach or a request from the Supervisory Authority, in which case reasonable notice shall be given.

6.3 Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations. The Controller shall bear its own costs in connection with any audit.

6.4 The Processor shall co-operate fully with any audit or inspection and shall provide the Controller with access to relevant records, systems, and personnel as reasonably required.

6.5 Where the Processor engages an independent third party to conduct security audits or certifications (such as SOC 2 or ISO 27001), the Processor may make the results of such audits available to the Controller in lieu of a direct audit, provided the Controller considers the scope and results sufficient for its purposes.

7.1 Each party shall be liable for damage caused by processing that infringes Applicable Data Protection Law in accordance with Article 82 of UK GDPR and Article 82 of EU GDPR, as applicable.

7.2 The Processor shall indemnify and hold harmless the Controller against all claims, actions, third-party claims, losses, damages, and expenses incurred by the Controller that arise out of or are related to the Processor's breach of this Agreement or its obligations under Applicable Data Protection Law, to the extent that the Processor is at fault.

7.3 The Controller shall indemnify and hold harmless the Processor against all claims, actions, third-party claims, losses, damages, and expenses incurred by the Processor that arise out of or are related to the Controller's breach of this Agreement, its instructions to the Processor, or its obligations under Applicable Data Protection Law, to the extent that the Controller is at fault.

7.4 Nothing in this Agreement shall limit or exclude either party's liability for fraud, death, or personal injury caused by negligence, or any other liability that cannot be limited or excluded by applicable law.

7.5 Subject to clause 7.4, the total aggregate liability of either party under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the total fees paid or payable by the Controller to the Processor under the applicable service agreement in the 12-month period immediately preceding the event giving rise to the claim.

8.1 This Agreement is incorporated into the Therasee Terms of Service and shall come into effect on the date the Controller first uses the Services. It shall continue in force for as long as the Processor processes Personal Data on behalf of the Controller.

8.2 This Agreement shall automatically terminate when the Controller's use of the Services ends and all Personal Data has been deleted or returned in accordance with clause 4.14.

8.3 Either party may terminate this Agreement immediately by written notice if the other party commits a material breach of this Agreement and, where such breach is capable of remedy, fails to remedy it within 30 days of receiving written notice of the breach.

8.4 Clauses 4.2 (Confidentiality), 4.14 and 4.15 (Deletion and Return of Data), 6 (Audit Rights), 7 (Liability and Indemnification), and 9 (General Provisions) shall survive termination of this Agreement.

9.1 This Agreement, together with the schedules annexed to it, forms part of the Therasee Terms of Service and constitutes the entire agreement between the parties with respect to the processing of Personal Data, superseding all prior agreements, representations, and understandings on that subject. In the event of any conflict or inconsistency between this Agreement and the Terms of Service in relation to the processing of Personal Data, this Agreement shall prevail.

9.2 This Agreement may be amended by written agreement signed by both parties, or by the Processor in accordance with the following:

9.3 If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

9.4 This Agreement shall be governed by and construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

9.5 Notices under this Agreement shall be sent to the contact details provided by each party. Notices to the Processor shall be sent to privacy@therasee.com or to Therasee Ltd, 1 St. Andrews Road, Studio 8, Montpelier, Bristol, BS6 5EH.

Nature and Purpose of Processing

The Processor processes Personal Data for the purpose of providing a practice management platform to mental health practitioners. Processing activities include the storage, organisation, retrieval, and management of client records; facilitation of secure messaging and video sessions; scheduling; delivery of automated appointment reminders and service notifications by email and SMS; billing and payment processing; form creation and management (including AI-assisted form generation and document conversion); and related administrative functions.

Duration of Processing

Processing shall continue for the duration of the Controller's use of the Services. On termination, data shall be retained in accordance with the Processor's retention policy and deleted in accordance with clause 4.14.

Types of Personal Data

The following types of Personal Data may be processed:

• Full name and title.
• Contact details (email address, telephone number, postal address).
• Date of birth.
• Gender and pronouns.
• GP and referrer details (name, practice, contact information).
• Emergency contact details (name, relationship, telephone number).
• Medical and mental health information, including diagnoses, treatment history, medication, and presenting issues. This constitutes Special Category Data under Article 9 of UK GDPR and EU GDPR.
• Session notes and clinical records.
• Form responses and assessment results.
• Voice and audio data, where the practitioner or client uses speech-to-text features.
• Technical data, including IP address, device and browser information, and authentication and audit log records.
• Any personal data, including Special Category Data, contained in documents or files uploaded to the platform by the Controller or their clients.
• Billing information (name, address; payment card details are processed by Stripe and not stored by the Processor).
• Communication records (secure messages between practitioner and client, and email and SMS notifications sent to clients on the Controller's behalf).
• Scheduling information (appointment dates, times, and types).

Categories of Data Subjects

The following categories of Data Subjects are affected by the processing:

• Clients and patients of the Controller.
• Emergency contacts nominated by clients.
• GPs, referrers, and other healthcare professionals associated with client care.

Clients may include children and vulnerable adults. The Controller is responsible for ensuring that any additional safeguards or conditions required under Applicable Data Protection Law for the processing of such data are met.

The Processor implements the following technical and organisational measures to protect Personal Data:

Encryption

• All data in transit is encrypted using TLS 1.2 or higher.
• All data at rest is encrypted using AES-256 or equivalent industry-standard encryption.
• Database connections use encrypted channels.

Access Controls

• Role-based access controls ensure that practitioners can only access their own client data.
• Administrative access to production systems is restricted to authorised personnel and requires multi-factor authentication.
• Principle of least privilege is applied to all system access.

Authentication

• Secure password requirements are enforced for all user accounts.
• Multi-factor authentication is available and recommended for practitioner accounts.
• Session management includes automatic timeout and secure token handling.

Infrastructure Security

• Primary infrastructure and database services are hosted on Microsoft Azure in UK data centres with ISO 27001 and SOC 2 certification.
• Network security includes firewalls, intrusion detection, and DDoS protection.
• Regular vulnerability scanning and patching.

Audit and Monitoring

• Audit logging of access to and modifications of Personal Data.
• Monitoring of system health and security events.
• Regular security reviews and risk assessments.

Business Continuity

• Regular automated backups of all data.
• Disaster recovery procedures to restore services in the event of an incident.
• Redundancy in critical infrastructure components.

AI-Specific Measures

• AI processing (Google Cloud Vertex AI) occurs in the EU under enterprise-tier agreements with contractual guarantees against data use for model training. Client data variables are masked before content is sent to Google Cloud.
• Data sent to AI services is processed transiently and is not retained by the AI service provider beyond the individual API call. No personally identifiable client information is exchanged with the AI service during the form building process.
• Speech-to-text processing (Microsoft Azure) is hosted in the UK with a strict no logging policy. No audio content is retained.
• All AI-generated content requires practitioner review and approval before being saved or used.

The following Sub-processors are authorised to process Personal Data on behalf of the Controller in connection with the Services:

Customer support is provided through Intercom, and anonymised product analytics are collected through Google Analytics on the practitioner application only. These services process limited practitioner data for which Therasee acts as an independent controller, as described in clause 2.5 and the Therasee Privacy Policy, and are therefore not listed as Sub-processors under this Agreement.

Optional third-party integrations. The Services offer optional integrations that the Controller may choose to enable, including synchronisation with the Controller's own Google Calendar account. Where the Controller enables calendar synchronisation, limited scheduling data (appointment dates, times, session type, and client initials only, with no client names, email addresses, or other directly identifying information) is transmitted to the Controller's connected Google account when appointments are scheduled in the Services. Where two-way synchronisation is enabled, the Controller's Google Calendar events are accessed through the Google Calendar API and processed transiently to display the Controller's availability within the Services; such event data is not retained or stored by the Processor. All such processing is carried out via the Controller's own connected Google account, under the Controller's own relationship with Google, and is governed by the Controller's agreement with Google rather than by this Agreement. The Controller is responsible for its decision to enable any such integration and for ensuring an appropriate lawful basis for the sharing of data with the integrated service.

The Processor shall notify the Controller of any changes to this list in accordance with clause 4.7.

4.1 The Processor shall retain Personal Data for the duration of the Controller's active use of the Services.

4.2 On termination of the Controller's account, the Processor shall:

• Provide the Controller with a period of 45 days to export their data from the platform, in accordance with the Terms of Service.
• Following the export period, delete all Personal Data associated with the Controller's account from active systems without undue delay.
• Remove Personal Data from backup systems within 180 days of deletion from active systems, or at the next scheduled backup cycle, whichever is sooner.

4.3 The Processor may retain limited data where required by applicable law (for example, financial records required for tax or accounting purposes), but only for so long as required by that law and only for the purpose specified by that law.

4.4 Where Personal Data is processed by Sub-processors, the Processor shall ensure that Sub-processors delete data in accordance with their respective data processing agreements and the timescales set out in this schedule.

4.5 Data processed by the AI form generation service (Google Cloud Vertex AI) is not retained by that service beyond the individual API call and is therefore not subject to a separate retention period. Audio data processed by Microsoft Azure Speech-to-Text is processed in memory only and is not retained. Email and SMS notification content processed by Microsoft Azure Communication Services is retained only for as long as necessary to deliver the message and maintain delivery records.

This Schedule is maintained by the Processor in its capacity as processor, in support of the Controller's record-keeping under Article 30 of UK GDPR. It describes the categories of processing carried out on behalf of the Controller and, for each, the lawful basis on which the Controller's processing is commonly carried out.

The recipients of the above data are the Controller (as data controller), the Processor (as data processor), and the Sub-processors listed in Schedule 3. Retention is as set out in Schedule 4. Security measures are as set out in Schedule 2.

This Schedule applies where the Controller is established in the United Kingdom and supplements, and does not replace, the obligations set out in the main body of this Agreement.

1. Applicable legislation

The following apply to processing under this Agreement where the Controller is established in the United Kingdom:

2. Lawful basis for special category health data

Where the Controller processes health data (special category data under Article 9 of UK GDPR) in connection with the provision of its services, the condition commonly relied upon is the Data Protection Act 2018, Schedule 1, Part 1, paragraph 2 (health or social care purposes), in conjunction with Article 9(2)(h) of UK GDPR. Where the Controller instead relies on explicit consent, it is responsible for obtaining that consent in accordance with Articles 7 and 9(2)(a) of UK GDPR. The Controller is responsible for confirming which condition applies to its practice.

3. Supervisory authority

The competent supervisory authority for the processing of personal data in the United Kingdom is the Information Commissioner's Office (ICO), ico.org.uk.

4. International data transfers and adequacy

The majority of Personal Data is stored and processed in the United Kingdom. Where AI-assisted form generation is used, limited processing takes place in the European Union (Netherlands), which is permitted on the basis of the UK's adequacy regulations for the EU and EEA. Both parties acknowledge that the UK's adequacy regulations for the EU, and the European Union's adequacy decision in respect of the United Kingdom, are subject to periodic review and may be amended or revoked. The Processor shall notify the Controller promptly of any material change that affects the lawfulness of data transfers under this Agreement.