Data Processing Agreement

Preamble

This Data Processing Agreement ("DPA") is entered into between:

1. Automate Labs ("Processor"), the operator of the Care Home Platform, contactable at chp@automatelabs.co.uk; and
2. The Customer Organisation ("Controller") that has agreed to the Care Home Platform Terms of Service ("Main Agreement").

This DPA forms part of and is incorporated into the Main Agreement. In the event of any conflict on matters of data protection, this DPA shall prevail.

Both parties agree to comply with their respective obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable ICO guidance.

1. Definitions

Controller

- the Customer Organisation that determines the purposes and means of processing personal data.

Processor

- Automate Labs, processing personal data on behalf of the Controller.

Personal Data

- any information relating to an identified or identifiable natural person (Article 4(1) UK GDPR).

Special Category Data

- personal data revealing racial or ethnic origin, health data, biometric data, or other categories under Article 9(1) UK GDPR.

Personal Data Breach

- a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data (Article 4(12) UK GDPR).

Sub-Processor

- any third party engaged by the Processor to process personal data on the Controller's behalf.

Platform

- the Care Home Platform SaaS application operated by Automate Labs.

2. Subject Matter and Purpose

The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the Platform services, including:

• Storage and management of children and young people's care records
• Storage and management of staff employment, qualification, and training records
• Compliance and safeguarding tracking and reporting (including Ofsted readiness)
• Generation of statutory and internal reports
• Audit logging of user activity for governance purposes

The Processor shall not process personal data for any other purpose, including its own commercial purposes.

3. Types of Personal Data Processed

Children and Young People

Personal identifiers, demographic data, legal and placement status, care records, health data, educational data, contact and family data, and professional connections.

Staff and Employees

Personal identifiers, contact data, employment data, qualification and training records, DBS check records, right to work documentation, and performance or absence records where entered by the Controller.

Professional Contacts

Names, job titles, employer organisations, and professional contact details.

4. Obligations of the Processor

5. Obligations of the Controller

The Controller warrants that:

• It has a lawful basis for each processing activity instructed under this DPA.
• It has issued appropriate privacy notices to data subjects whose data is entered into the Platform.
• All personal data provided is accurate, up to date, and limited to what is necessary.
• It is responsible for ensuring authorised users comply with Applicable Data Protection Law.
• It shall notify the Processor of any suspected Personal Data Breach attributable to its own systems or users.

6. International Transfers

The Processor shall not transfer personal data outside the United Kingdom without the Controller's prior written consent and without an appropriate safeguard under UK GDPR Chapter V.

All personal data is currently hosted on infrastructure located within the United Kingdom. Any proposed Sub-Processor transfer outside the UK will be notified with at least 30 days' notice.

7. Personal Data Breach Notification

The Processor shall notify the Controller within 24 hours of becoming aware of a Personal Data Breach, including:

• A description of the nature of the breach
• Categories and approximate number of data subjects and records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

The Controller is responsible for assessing whether the breach requires notification to the ICO (within 72 hours) or to data subjects under Articles 33-34 UK GDPR.

8. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per calendar year on 30 days' written notice, during business hours and at the Controller's expense. The Processor may satisfy audit obligations by providing relevant third-party audit reports (e.g. ISO 27001 certification).

9. Deletion and Return of Personal Data

Upon termination of the Main Agreement, or on written request, the Processor shall within 30 days either return all personal data in a structured machine-readable format (CSV/JSON) or securely delete it. A written certification of deletion will be provided on request.

Anonymised or aggregated data from which no individual can be identified may be retained for platform improvement purposes.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Main Agreement. Where both parties are responsible for damage caused by a processing activity, each shall be liable only for the damage attributable to their own breach.

The Processor shall not be liable for damage caused by processing that complies with the Controller's documented instructions.

11. Governing Law

This DPA and any non-contractual obligations arising from it are governed by the laws of England and Wales. Each party submits to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 - Technical and Organisational Security Measures

Schedule 2 - Approved Sub-Processors

The current list of approved Sub-Processors is maintained at carehomeplatform.com/sub-processors. Controllers will receive at least 30 days' notice before any new Sub-Processor is added.

Schedule 3 - Contact Details