Data Processing Agreement
How SimPatient processes personal data on behalf of institutional customers.
Effective 5 June 2026 · Version 2.1
This Data Processing Agreement ("DPA") forms part of the agreement between the customer identified in the relevant order form or service agreement (the "Customer", acting as Controller) and St Andrews Medical Innovations Limited (trading as SimPatient), a company registered in Scotland (SC705314) (the "Processor", "SimPatient", "we", "us"), for the provision of the SimPatient medical training simulation platform (the "Service"). This DPA governs the processing of Personal Data by SimPatient on behalf of the Customer in connection with the Service and is entered into pursuant to Article 28 of the UK GDPR.
1. Definitions
Unless otherwise defined in the main agreement, the following terms have the meanings set out below:
- "UK GDPR" : the UK General Data Protection Regulation, being Regulation (EU) 2016/679 as it forms part of UK law under the European Union (Withdrawal) Act 2018, read together with the Data Protection Act 2018.
- "EU GDPR" : Regulation (EU) 2016/679.
- "Applicable Data Protection Laws" : the UK GDPR, the EU GDPR (where it applies to the Customer), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other data-protection laws applicable to the processing.
- "Personal Data", "Controller", "Processor", "Processing", "Data Subject", "Supervisory Authority", and "Personal Data Breach" have the meanings given in the UK GDPR.
- "Sub-processor" : any third party engaged by SimPatient to process Personal Data on behalf of the Customer.
- "Customer Personal Data" : Personal Data processed by SimPatient on behalf of the Customer under the main agreement and this DPA, as described in Annex 1.
- "UK IDTA" : the UK International Data Transfer Agreement issued by the Information Commissioner.
- "UK Addendum" : the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
- "Standard Contractual Clauses" / "SCCs" : the standard contractual clauses approved by the European Commission under Decision (EU) 2021/914.
2. Subject matter and roles
2.1 Subject matter
This DPA sets out the terms on which SimPatient processes Customer Personal Data in order to provide the Service to the Customer.
2.2 Roles
- The Customer is the Controller of the Customer Personal Data.
- SimPatient is the Processor of the Customer Personal Data.
Whether the Customer processes Personal Data as Controller in its own right (for example, where a university processes its students' data under its own legal basis) or on behalf of a third party, the Customer remains responsible for its own role under Applicable Data Protection Laws.
2.3 Details of processing
The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.
3. Compliance with laws
Each party will comply with its obligations under Applicable Data Protection Laws in relation to the Customer Personal Data.
The Customer is responsible for:
- Ensuring it has a lawful basis for the processing instructed by it under this DPA
- Providing any notices required to Data Subjects
- Ensuring that its instructions to SimPatient comply with Applicable Data Protection Laws
SimPatient is responsible for processing Customer Personal Data only in accordance with this DPA, the main agreement, and the Customer's documented instructions, unless required to do otherwise by law (in which case SimPatient will inform the Customer before processing, unless the law prohibits such notification).
4. Processing instructions
4.1 Documented instructions
The Customer instructs SimPatient to process Customer Personal Data:
- To provide, maintain, secure, and improve the Service in accordance with the main agreement
- To enable the specific features the Customer or its users configure or use
- To comply with the Customer's reasonable written instructions that are consistent with the main agreement
- To comply with law
4.2 Notification of unlawful instructions
If SimPatient considers that an instruction from the Customer infringes Applicable Data Protection Laws, SimPatient will promptly inform the Customer and may suspend the relevant processing until the instruction is withdrawn or amended.
5. Confidentiality
SimPatient will ensure that all personnel authorised to process Customer Personal Data:
- Are subject to binding obligations of confidentiality (contractual or statutory)
- Receive appropriate training on data protection and information security
- Access Customer Personal Data only on a need-to-know basis
6. Security measures
SimPatient will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing.
The security measures in place as of the effective date of this DPA are described in Annex 2 (Technical and Organisational Measures).
SimPatient may update those measures from time to time, provided that the overall level of security is not materially reduced.
7. Sub-processing
7.1 General authorisation
The Customer grants SimPatient general authorisation to engage Sub-processors to assist in the provision of the Service, subject to this clause 7. The categories of authorised Sub-processors as of the effective date, and the means of obtaining the itemised list, are set out in Annex 3.
7.2 Flow-down obligations
SimPatient will impose on each Sub-processor, by written contract, data-protection obligations that are no less protective than those set out in this DPA, including in particular:
- A prohibition on processing Customer Personal Data for any purpose other than the provision of services to SimPatient
- A prohibition on using Customer Personal Data to train AI models
- Appropriate security measures
- Sub-processor transparency
- Flow-down of Data Subject rights assistance
SimPatient remains responsible to the Customer for the performance of each Sub-processor's obligations.
7.3 Notification and objection
SimPatient will notify the Customer (by email or in-product notice) at least ninety (90) days before adding or replacing a Sub-processor that processes Customer Personal Data.
The Customer may object to the new Sub-processor on reasonable data-protection grounds within 14 days of notification. If the parties cannot agree on a resolution, the Customer may terminate the affected portion of the Service with a pro-rata refund of prepaid fees.
8. International transfers
8.1 Primary commitment: EU/UK processing
SimPatient processes Customer Personal Data exclusively on infrastructure located within the European Union or the United Kingdom. All Sub-processors engaged under Annex 3 have contractually committed to restricting processing of Customer Personal Data to EU/UK regions.
8.2 Transfer mechanism
In the limited circumstances where a transfer of Customer Personal Data outside the UK/EU becomes necessary (for example, for engineering support access), the transfer will be made pursuant to:
- The UK IDTA or the UK Addendum to the SCCs, as appropriate to the Customer's location and the Sub-processor concerned
- Supplementary technical measures including encryption in transit (TLS 1.2+), encryption at rest, pseudonymisation where feasible, and access controls
8.3 Transfer impact assessments
SimPatient has performed transfer impact assessments in respect of each Sub-processor that has a parent entity outside the UK/EU, and maintains written records of those assessments. Copies are available to the Customer on reasonable written request, subject to confidentiality.
9. Data Subject rights
9.1 Assistance
Taking into account the nature of the processing, SimPatient will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including the rights of access, rectification, erasure, restriction, portability, objection, and not to be subject to automated decision-making.
9.2 Direct requests
If SimPatient receives a request directly from a Data Subject relating to Customer Personal Data, SimPatient will (unless legally prohibited) promptly forward that request to the Customer and will not respond to the Data Subject except as instructed by the Customer or required by law.
9.3 Built-in capabilities
The Service provides self-service capabilities for authenticated users to:
- Access their own personal data
- Rectify inaccurate data
- Export their data in a structured, machine-readable format
- Request deletion of their account and associated data
10. Personal Data Breach
10.1 Notification
SimPatient will notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.
10.2 Contents of notification
The notification will include, to the extent known and as soon as it becomes available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the SimPatient contact point from whom more information can be obtained
- A description of the likely consequences
- A description of the measures taken or proposed to address the breach and mitigate its adverse effects
10.3 Assistance
SimPatient will cooperate with the Customer and provide reasonable assistance to enable the Customer to meet its obligations under Articles 33 and 34 of the UK GDPR.
11. Data Protection Impact Assessments
SimPatient will, taking into account the nature of the processing and the information available to SimPatient, provide reasonable assistance to the Customer with any Data Protection Impact Assessment and any prior consultation with a Supervisory Authority required under Articles 35 and 36 of the UK GDPR.
12. Audits
12.1 Information rights
SimPatient will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA.
12.2 Audit rights
The Customer (or an independent third-party auditor acting on its behalf, bound by confidentiality and not a competitor of SimPatient) may audit SimPatient's compliance with this DPA not more than once in any twelve-month period, on at least 30 days' written notice, during normal business hours, at the Customer's cost, and subject to reasonable confidentiality undertakings.
12.3 Third-party audit reports
In lieu of an on-site audit, SimPatient may satisfy the Customer's audit right by providing its most recent independent third-party audit reports or certifications (such as SOC 2, ISO 27001, Cyber Essentials, or NHS DSPT), where relevant.
12.4 Regulator access
This clause does not limit any audit or inspection right of a Supervisory Authority.
13. Deletion or return of Customer Personal Data
13.1 End of services
On expiry or termination of the main agreement, SimPatient will, at the Customer's election:
- Return all Customer Personal Data to the Customer in a structured, machine-readable format; or
- Delete all Customer Personal Data,
within 90 days, unless storage is required by applicable law.
13.2 Default
If the Customer provides no instruction within 90 days after termination, SimPatient will delete all Customer Personal Data.
13.3 Anonymised data
Nothing in this clause prevents SimPatient from retaining data that has been irreversibly anonymised in such a way that it no longer constitutes Personal Data.
13.4 Backups
Data in routine backup media will be deleted in accordance with SimPatient's backup rotation schedule, and will remain subject to the security measures in Annex 2 until overwritten.
14. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the main agreement. This DPA does not increase either party's liability beyond the caps set out in the main agreement.
15. Term, conflict, and general
15.1 Term
This DPA takes effect on the effective date and continues for the term of the main agreement and for so long as SimPatient processes Customer Personal Data.
15.2 Conflict
If there is a conflict between this DPA and any other part of the main agreement, this DPA prevails in relation to data-protection matters.
15.3 Severability
If any provision is held invalid or unenforceable, the remaining provisions continue in full force.
15.4 Governing law and jurisdiction
This DPA is governed by the laws of Scotland, and the parties submit to the exclusive jurisdiction of the courts of Scotland.
Annex 1: Details of Processing
A. Subject matter
Processing of Personal Data by SimPatient as necessary to provide the Service to the Customer under the main agreement.
B. Duration
For the term of the main agreement plus any post-termination retention or deletion period set out in clause 13.
C. Nature and purpose of processing
- Provision of an AI-powered medical training simulation platform, including text, audio, and video consultation modes.
- Storage, retrieval, and display of transcripts, reflections, and feedback.
- Routing of content through AI sub-processors to generate simulated patient responses, voices, avatars, and feedback.
- Authentication, authorisation, billing (credits), and organisation administration.
- Security monitoring, abuse prevention, support, and service improvement (on an anonymised or aggregated basis).
D. Types of Personal Data
- Identity and contact data: name, email address, profile image
- Account and access data: user role, organisation ID, hashed password, session tokens, MFA codes
- Consultation data: text transcripts, audio recordings, video session metadata, reflection answers, AI-generated feedback
- Technical data: IP address, user agent, timestamps, log data
- Consent and audit data: policy version, consent timestamps, administrator access logs
- Usage and billing data: credit balances, credit transactions, usage tracking records
E. Categories of Data Subjects
- Learners (students / medical trainees)
- Organisation administrators
- Invited users (prospective learners)
- Customer personnel with administrative access to the Service
F. Special category data
The Service is not designed to process special category data as defined in Article 9 UK GDPR. The Customer is responsible for ensuring that its users do not enter real patient data or other third-party health information into the Service.
Where the Service processes a learner's audio or facial video, it does so only to convert speech to text and to render the simulation (for example, real-time avatar interaction). It does not process audio or facial imagery for the purpose of uniquely identifying an individual, and therefore does not process biometric data within the meaning of Article 9 UK GDPR. SimPatient will not introduce voice or facial authentication or any other identification feature without first reassessing this position and updating this DPA.
Annex 2: Technical and Organisational Measures
SimPatient implements and maintains the following technical and organisational measures:
1. Access control
- Role-based access control enforced server-side on every API route
- JWT-based authentication with HttpOnly, Secure session cookies
- Multi-factor authentication for privileged (super administrator) accounts
- Principle of least privilege for personnel access to production systems
- Regular review of access rights
2. Encryption
- In transit: TLS 1.2 or higher for all connections between clients, the application, and sub-processors
- At rest: Encryption of the primary database (Google Cloud Firestore) and file storage using provider-managed keys
- Password hashing with bcrypt (per-password salt, cost factor 10)
3. Application security
- Server-side-only database access (no direct client-to-database writes)
- Firestore security rules deny all client-side read/write access
- Input validation and output encoding to mitigate injection and XSS
- Dependency scanning and regular patching
- Secrets management via environment variables on the hosting platform
4. Logging and monitoring
- Application and audit logs retained for operational and security purposes
- Audit logging of super administrator access to Customer Personal Data
- Error monitoring and anomaly detection
5. Backups and resilience
- Automated backups through the hosting provider's resilient infrastructure
- Geographic redundancy within the EU/UK region
- Documented incident response and business continuity procedures
6. Personnel
- Confidentiality obligations for all personnel with access to Customer Personal Data
- Data-protection and security training at onboarding and periodically thereafter
- Background checks where required by law or by the Customer's agreement
7. Incident response
- Documented Personal Data Breach response plan
- 72-hour notification commitment to Controllers (clause 10 above)
- Root-cause analysis and remediation tracking
8. Data minimisation and retention
- Role-scoped data access (users see only what their role permits)
- Documented retention periods published in the Privacy Policy
- Deletion on request and on account closure
9. Sub-processor management
- Written Data Processing Agreement with each Sub-processor
- Contractual restriction to EU/UK processing regions
- Contractual prohibition on using Customer Personal Data to train AI models
- Periodic review of Sub-processors
10. Physical and environmental security
- Reliance on the physical security of certified cloud providers (Google Cloud, Vercel)
- No SimPatient-operated physical data centres
Annex 3: Authorised Sub-processors
SimPatient engages a small number of Sub-processors to deliver the Service, across the following categories: cloud hosting and edge delivery; database, authentication and file storage; AI model inference (large language models and speech-to-text); voice synthesis and real-time avatar generation; transactional email; and in-app feedback and support.
A current, itemised list of the specific Sub-processors engaged (including each Sub-processor's identity, role, the categories of Customer Personal Data processed, and the processing region) is provided to the Customer on request by emailing hello@simpatient.co.uk, and is kept up to date.
Each Sub-processor is bound by a written Data Processing Agreement that includes:
- A commitment to process Customer Personal Data only in the EU/UK region
- A prohibition on using Customer Personal Data to train AI models
- Appropriate technical and organisational security measures
- Flow-down of Data Subject rights assistance
- Sub-processor transparency
Signatures
This DPA is incorporated by reference into the main agreement between the Customer and SimPatient and does not require separate signature. Where the Customer requires a signed version, please contact hello@simpatient.co.uk.
Contact
St Andrews Medical Innovations Limited (trading as SimPatient)
Email: hello@simpatient.co.uk
Post: Walter Bower House, Main Street, Guardbridge, St Andrews, Fife, KY16 0US
Company number: SC705314