UK Data Processing Addendum (UK GDPR)
Effective Date: 2025-12-15
Version: v1.0
This UK Data Processing Addendum (“UK DPA”) forms part of the Digital CBTe Partner Terms where Supplier processes personal data on behalf of Customer. It is intended to address Article 28 UK GDPR requirements.
1. Roles
1.1 Controller and processor. Customer is the controller of Patient Data and other personal data it provides to Supplier for processing. Supplier acts as processor when processing such data on Customer’s behalf.
1.2 Independent controller. Each party may act as an independent controller for limited data it processes for its own purposes (for example, billing contacts, compliance, and fraud prevention).
2. Processing details
2.1 Subject matter. Provision of the Digital CBTe Service, Support, security, and related services.
2.2 Duration. For the duration of the Order Term, plus any post-termination period required for return or deletion and legally required retention.
2.3 Nature and purpose. Hosting, storage, transmission, and other processing necessary to deliver Digital CBTe to Authorized Users and Patient Users, including analytics necessary to operate, secure, and improve performance of the Service on Customer’s behalf.
2.4 Types of personal data. Patient identifiers, contact details, demographic details, usage data, assessment responses, symptom and outcome measures, clinician notes to the extent uploaded, and other health-related data entered into the Service.
2.5 Categories of data subjects. Patient Users, Customer clinicians and staff, and other Customer personnel.
2.6 Special category data. Health data and related special category data may be processed.
2.7 Appendix. The details above are part of the parties’ agreement and satisfy UK GDPR Article 28(3) in combination with the terms below.
3. Processor obligations
Supplier will:
3.1 Process personal data only on documented instructions from Customer, including with respect to international transfers, unless required by law. Supplier will inform Customer of such legal requirement unless prohibited.
3.2 Ensure persons authorized to process personal data are subject to confidentiality obligations.
3.3 Implement appropriate technical and organizational measures to protect personal data, taking into account risks.
3.4 Respect the conditions for engaging subprocessors (Section 5).
3.5 Assist Customer, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under UK GDPR.
3.6 Assist Customer in ensuring compliance with its obligations regarding security of processing, personal data breach notification, data protection impact assessments (DPIAs), and prior consultation with the ICO, where applicable.
3.7 At Customer’s choice, delete or return personal data at the end of the Services, and delete existing copies unless legal retention is required.
3.8 Make available information reasonably necessary to demonstrate compliance with this UK DPA, and allow for audits as described in Section 8.
4. Customer obligations
Customer will:
4.1 Ensure it has a lawful basis and a condition for processing special category data, and provide appropriate privacy information to Patient Users.
4.2 Ensure its instructions are lawful, documented, and consistent with this UK DPA.
4.3 Determine access controls and configuration choices for its implementation.
5. Subprocessors
5.1 Authorization. Customer provides general authorization for Supplier to use subprocessors.
5.2 Notice and objections. Supplier will maintain an up-to-date list of subprocessors at: https://credotherapies.com/legal/. Supplier will provide reasonable prior notice of material changes. Customer may object within 10 business days on reasonable data protection grounds. If the parties cannot resolve the objection, either party may terminate the affected Order Form without penalty (except fees due for Services provided).
5.3 Flow-down. Supplier will impose data protection terms on subprocessors that are no less protective than this UK DPA.
6. International transfers
6.1 Supplier will not transfer personal data outside the UK (and where applicable the EEA) unless it implements a valid transfer mechanism under UK GDPR, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, or other lawful mechanism.
6.2 Transfer details and mechanisms may be documented in the Order Form or a separate transfer schedule.
7. Security and breach notification
7.1 Supplier will maintain appropriate security measures.
7.2 Supplier will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data and will provide information reasonably necessary to support Customer’s compliance with breach notification obligations.
8. Audits
8.1 Supplier will make available summaries of relevant security and compliance materials (for example, policies, certifications, penetration test summaries, or Data Security and Protection Toolkit (DSPT) assertions where applicable), subject to confidentiality.
8.2 If Customer reasonably requires an audit, the parties will agree on scope, timing, and safeguards to avoid disruption and protect other customers. Audits will be at Customer cost unless triggered by Supplier breach of this UK DPA.
9. Data return and deletion
9.1 Upon expiration or termination of the Order Form, Supplier will, at Customer’s written request within 30 days, provide an export of Customer Data in a commonly used format, and then delete Customer Data within a reasonable time, unless retention is required by law.
10. Conflict
If there is a conflict between this UK DPA and the Partner Terms, this UK DPA controls for data protection matters.
Change log
- v1.0 (2025-12-15): Initial release.
