Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the agreement between Clear Consent Limited (“Processor”) and the relevant customer identified in the applicable subscription, order form, or account registration process (“Controller”) governing use of the Clear Consent Services.

This DPA applies where Processor processes personal data on behalf of Controller in connection with the Services.

1. Interpretation

In this DPA:

  • Applicable Data Protection Law means all laws and regulations applicable to the processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018, and any legislation replacing or supplementing them.
  • Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process and Processing have the meanings given in Applicable Data Protection Law.
  • Services means the Clear Consent website, software platform, and associated services provided by Processor to Controller.
  • Sub-processor means any third party appointed by Processor to process personal data on behalf of Controller in connection with the Services.

2. Scope and Role of the Parties

2.1 The parties acknowledge and agree that, in relation to personal data processed by Processor on behalf of Controller in connection with the Services:

  • Controller is the data controller; and
  • Processor is the data processor.

2.2 Nothing in this DPA prevents Processor from acting as a controller in relation to personal data processed for its own independent business purposes, including account administration, billing, service administration, security, compliance, and customer relationship management.

3. Subject Matter, Duration, Nature and Purpose of Processing

3.1 Subject matter of processing: the provision of the Services by Processor to Controller.

3.2 Duration of processing: for the duration of the agreement between the parties and for such period thereafter as Processor lawfully retains personal data in accordance with Controller’s documented instructions, contractual obligations, and Applicable Data Protection Law.

3.3 Nature of processing: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, restriction, deletion, and other processing activities reasonably required to provide the Services.

3.4 Purpose of processing: to provide consent workflow, communication, administrative, storage, support, security, AI-assisted, and related software services to Controller.

4. Categories of Data Subjects and Personal Data

4.1 Categories of data subjects may include:

  • Controller’s patients;
  • prospective patients;
  • Controller’s staff, clinicians, contractors, and authorised users;
  • other individuals whose personal data is uploaded to or processed through the Services by or on behalf of Controller.

4.2 Categories of personal data may include:

  • names, contact details, identifiers, demographic information;
  • treatment-related information and clinical records;
  • consent records and related notes;
  • images, videos, audio recordings, and generated content;
  • account, usage, and communication data;
  • any other personal data submitted by or on behalf of Controller through the Services.

4.3 Personal data processed under this DPA may include special category personal data, including health data.

5. Controller Obligations

Controller shall:

  • ensure that it has all necessary lawful bases, notices, policies, permissions, and, where required, consents, to enable the lawful processing of personal data by Processor;
  • comply with Applicable Data Protection Law in respect of its use of the Services;
  • ensure that its instructions to Processor are lawful;
  • remain responsible for the accuracy, quality, and legality of personal data and the means by which Controller acquired the personal data;
  • remain responsible for all clinical, professional, and regulatory decisions, including the content and use of patient-facing materials and consent processes.

6. Processor Obligations

Processor shall:

6.1 Process on Instructions

process personal data only on the documented instructions of Controller, unless otherwise required by law, in which case Processor shall inform Controller of that legal requirement before processing, unless prohibited by law from doing so.

6.2 Confidentiality

ensure that persons authorised to process personal data are subject to appropriate obligations of confidentiality.

6.3 Security

implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, taking into account the nature of the data and the risks involved.

6.4 Assistance

provide reasonable assistance to Controller, taking into account the nature of the processing and the information available to Processor, in relation to:

  • requests from data subjects to exercise their rights;
  • personal data breach notifications;
  • data protection impact assessments;
  • prior consultation with supervisory authorities where required.

6.5 Return or Deletion

at the end of the provision of Services, delete or return personal data to Controller at Controller’s choice, unless Applicable Data Protection Law requires storage of the personal data.

6.6 Information

make available to Controller such information as is reasonably necessary to demonstrate compliance with this DPA and Article 28 UK GDPR.

7. Security Measures

7.1 Processor shall maintain reasonable and appropriate security measures designed to protect personal data, which may include, where appropriate:

  • encryption in transit and at rest;
  • role-based access controls;
  • authentication and credential controls;
  • system monitoring and logging;
  • backup and recovery arrangements;
  • vulnerability management and security maintenance procedures.

7.2 Controller acknowledges that no system or service can be guaranteed completely secure or uninterrupted.

8. Personal Data Breaches

8.1 Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting personal data processed on behalf of Controller.

8.2 Such notification shall, to the extent reasonably possible, include:

  • the nature of the Personal Data Breach;
  • the categories and approximate number of affected data subjects and records, where known;
  • the likely consequences of the Personal Data Breach, where known;
  • the measures taken or proposed to be taken to address the Personal Data Breach.

9. Sub-processors

9.1 Controller authorises Processor to appoint and use Sub-processors in connection with the Services.

9.2 Processor shall ensure that any Sub-processor engaged in the processing of personal data is bound by written terms which impose data protection obligations no less protective than those set out in this DPA, to the extent applicable to the services provided by that Sub-processor.

9.3 Processor shall remain responsible for the acts and omissions of its Sub-processors to the extent required by Applicable Data Protection Law.

9.4 Sub-processors may include providers of hosting, cloud infrastructure, storage, analytics, communications, payment processing, support tooling, and AI-enabled functionality, including providers such as OpenAI and Synthesia where used within the Services.

10. International Transfers

10.1 Processor may transfer personal data outside the UK where necessary for the provision of the Services or where a Sub-processor operates internationally.

10.2 Where Processor transfers personal data outside the UK, Processor shall ensure that appropriate safeguards are implemented in accordance with Applicable Data Protection Law, including use of the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another recognised lawful transfer mechanism where required.

11. Audit and Information Rights

11.1 Processor shall, on reasonable written request, provide Controller with information reasonably necessary to demonstrate compliance with this DPA.

11.2 Where such information is insufficient and Controller reasonably requires further verification, Controller may request an audit of Processor’s relevant data processing activities, provided that:

  • the request is reasonable and proportionate;
  • at least 30 days’ prior written notice is given, unless a shorter period is required by law or regulatory direction;
  • the audit takes place during normal business hours;
  • the audit does not unreasonably interfere with Processor’s business operations or compromise the confidentiality, security, or rights of other customers;
  • Controller bears its own costs and reimburses Processor for reasonable internal and external costs incurred in supporting the audit, except where the audit reveals a material breach of this DPA by Processor.

11.3 Processor may satisfy audit obligations through provision of relevant third-party certifications, reports, policies, or summaries where appropriate.

12. Data Subject Rights

12.1 Taking into account the nature of the processing, Processor shall provide reasonable assistance to Controller to enable Controller to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.

12.2 If Processor receives a request directly from a data subject relating to personal data processed on behalf of Controller, Processor may, unless prohibited by law, refer the request to Controller and may advise the data subject to contact Controller directly.

13. Deletion and Return of Data

13.1 Upon termination or expiry of the Services, Processor shall, subject to the agreement between the parties and Applicable Data Protection Law, delete or return personal data processed on behalf of Controller.

13.2 Processor may retain personal data to the extent required by Applicable Data Protection Law or where necessary for the establishment, exercise, or defence of legal claims, provided that any retained data remains protected in accordance with this DPA.

14. Liability

14.1 This DPA is subject to any limitations and exclusions of liability set out in the Terms, except to the extent prohibited by Applicable Data Protection Law.

14.2 Nothing in this DPA excludes or limits liability where such exclusion or limitation is not permitted by law.

15. Order of Precedence

If there is any conflict between this DPA and the Terms in relation to the processing of personal data, this DPA shall prevail to the extent of that conflict.

16. Governing Law and Jurisdiction

This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales.

The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.