This Data Processing Addendum ("DPA") supplements the Terms of Service between JG Core Ltd, trading as Revitaco ("Processor") and the subscribing care home operator ("Controller"). It meets the requirements of UK GDPR Article 28.
1. Definitions
- "Controller" means the care home operator who determines the purposes and means of processing Personal Data
- "Processor" means JG Core Ltd (trading as Revitaco), processing Personal Data on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Subject" means the individual whose Personal Data is processed
- "Sub-processor" means any third party engaged by the Processor to process Personal Data
2. Scope of Processing
2.1 Subject Matter
The Processor will process Personal Data as necessary to provide the Revitaco care management platform to the Controller under the Terms of Service.
2.2 Nature and Purpose
Processing activities include:
- Storage and retrieval of care records and assessments
- Management of medication administration records
- Processing of incident reports and care notes
- Facilitation of family communications
- Generation of reports and analytics
- Platform authentication and access control
2.3 Categories of Data Subjects
- Residents of the care home
- Residents' family members and contacts
- Care home staff and employees
- Healthcare professionals
2.4 Types of Personal Data
- Identity data (name, date of birth, identifiers)
- Contact data (address, phone, email)
- Health data (medical conditions, care needs, medications)
- Care records (daily notes, assessments, incidents)
- Employment data (staff roles, qualifications, schedules)
2.5 Special Category Data
This DPA covers the processing of special category personal data, including health data, as defined in Article 9 UK GDPR. Processing of such data is permitted under Article 9(2)(h): processing necessary for the provision of health or social care, or the management of health or social care systems and services, under the responsibility of a professional subject to confidentiality obligations.
2.6 Duration
Processing continues for the duration of the Terms of Service, plus retention periods as specified in section 8.
3. Processor Obligations
3.1 Lawful Processing
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Inform the Controller if an instruction infringes data protection law
- Not process Personal Data except as required by law or Controller instruction
3.2 Confidentiality
The Processor shall:
- Ensure all personnel are bound by confidentiality obligations
- Limit access to Personal Data to authorised personnel only
- Provide data protection training to relevant staff
3.3 Security
The Processor shall implement appropriate technical and organisational measures, including:
- Encryption of Personal Data in transit and at rest
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Incident detection and response capabilities
- Backup and recovery procedures
- Physical security of data centre facilities
3.4 Sub-processing
The Processor shall:
- Not engage a Sub-processor without prior written authorisation
- Maintain a list of approved Sub-processors (see Trust & Compliance)
- Notify the Controller of any intended additions with 30 days' notice
- Ensure Sub-processors are bound by equivalent obligations
- Remain liable for Sub-processor compliance
3.5 Assistance to Controller
The Processor shall assist the Controller with:
- Responding to Data Subject requests (access, rectification, erasure, etc.)
- Security incident investigation and notification
- Data protection impact assessments where relevant
- Prior consultation with supervisory authorities
4. Controller Obligations
The Controller shall:
- Ensure lawful basis exists for processing Personal Data
- Provide appropriate privacy notices to Data Subjects
- Respond to Data Subject requests with Processor assistance
- Report any data protection concerns to the Processor
- Ensure accuracy of Personal Data input into the platform
5. Data Subject Rights
5.1 Support for Rights
The Processor shall assist the Controller in fulfilling Data Subject requests, including:
- Right of access (providing data exports)
- Right to rectification (enabling data correction)
- Right to erasure (deleting data on instruction)
- Right to restriction (limiting processing)
- Right to data portability (standard format exports)
5.2 Response Timeline
The Processor shall respond to Controller requests related to Data Subject rights within 7 working days, enabling the Controller to meet the statutory 30-day response period.
6. Security Incidents
6.1 Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data breach.
6.2 Notification Contents
Notifications shall include:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Categories and approximate number of affected records
- Likely consequences of the breach
- Measures taken or proposed to address the breach
6.3 Cooperation
The Processor shall cooperate with the Controller in investigating breaches, mitigating harm, and notifying supervisory authorities and Data Subjects as required.
7. Audits and Inspections
7.1 Documentation
The Processor shall make available all information necessary to demonstrate compliance with this DPA.
7.2 Audit Rights
The Controller or an appointed auditor may conduct audits with reasonable notice (minimum 30 days). Audits shall:
- Be conducted during normal business hours
- Not unreasonably disrupt Processor operations
- Be limited to once per year unless required by regulatory obligation
- Maintain confidentiality of Processor information
7.3 Third-Party Certifications
The Processor may satisfy audit requirements by providing relevant third-party certifications, audit reports (e.g., SOC 2), or attestations.
8. Data Retention and Deletion
8.1 During Subscription
The Processor shall retain Personal Data as necessary to provide services and comply with Controller instructions.
8.2 Upon Termination
At the Controller's choice, the Processor shall either:
- Return Personal Data in a standard format (CSV, PDF), or
- Delete Personal Data and provide written confirmation
The Controller has 30 days from termination to request data return. After this period, data will be deleted within 90 days.
8.3 Retention Exceptions
The Processor may retain Personal Data as required by law. In such cases, the Controller will be informed of the legal requirement and the data retained.
9. International Data Transfers
9.1 Primary Storage
Primary data storage is located in the United Kingdom.
9.2 Transfer Safeguards
Where Personal Data is transferred outside the UK (e.g., to Sub-processors), the Processor shall ensure that appropriate safeguards are in place, such as:
- UK adequacy decisions
- Standard Contractual Clauses (UK ICO approved)
- Binding Corporate Rules
- Supplementary measures where required
10. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service. Neither party excludes liability for:
- Breaches of data protection law resulting from negligence
- Fines or penalties imposed by supervisory authorities
- Claims by Data Subjects
11. Amendments
This DPA may be updated to reflect changes in data protection law or practice. Material changes will be notified with at least 30 days' notice.
12. Governing Law
This DPA is governed by English law. Disputes will be resolved in accordance with the dispute resolution procedures in the Terms of Service.
13. Contact
For questions about this DPA or data processing practices:
JG Core Ltd (trading as Revitaco)
Data Protection Contact: legal@revitaco.io