Data Processing Agreement

Last updated: 7 June 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CareBridge Ltd ("Processor") and the Customer ("Controller") and reflects the parties' agreement with respect to the Processing of Personal Data under UK GDPR Article 28.

1. Definitions

Capitalised terms have the meanings given in the UK GDPR. "Customer Personal Data" means personal data submitted to the Service by the Controller or its Authorised Users.

2. Subject matter & duration

Subject matter: provision of the workforce-compliance Service. Duration: the term of the underlying subscription, plus any post-termination retention period set out below.

3. Nature and purpose

CareBridge processes Customer Personal Data to provide candidate screening, DBS and Right-to-Work tracking, training records, supervision logs and CQC evidence-pack generation.

4. Categories of data subjects & personal data

  • Data subjects: candidates, workers, registered managers and other staff of the Controller.
  • Categories of data: identification data, employment data, training records, DBS reference numbers, Right-to-Work evidence, supervision notes, evidence documents.
  • Special categories: health-related training records and criminal-record information (via DBS reference).

5. Processor obligations

  • Process Customer Personal Data only on documented instructions from the Controller.
  • Ensure persons authorised to process data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see Annex 2).
  • Assist the Controller with data-subject rights requests and DPIAs.
  • Notify the Controller without undue delay of any Personal Data Breach (within 48 hours of awareness).
  • Delete or return Customer Personal Data on termination as instructed.
  • Make available all information necessary to demonstrate compliance, including audits.

6. Sub-processors

The Controller authorises CareBridge to engage sub-processors listed at /legal/dpa. CareBridge will give 30 days' prior notice of any addition or replacement and impose data-protection terms no less protective than this DPA.

7. International transfers

Customer Personal Data is stored in the UK. Where transfers outside the UK are necessary, they are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

8. Annex 1 — Processing details

As set out in sections 3 and 4 above. Frequency: continuous, for the term of the subscription.

9. Annex 2 — Technical & organisational measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control with least privilege and SSO/SAML for Enterprise.
  • Multi-tenant isolation via row-level security policies.
  • Comprehensive audit logging and tamper-evident retention.
  • Daily encrypted backups with point-in-time recovery.
  • Annual penetration testing and continuous vulnerability scanning.
  • Documented incident response and breach-notification procedures.
  • Background checks for all CareBridge personnel with access to production.

Questions? Contact our Data Protection Officer at dpo@carebridge.app.