Data processing agreement

This data processing agreement (DPA) is an agreement between an organisation using CareHQ (Controller) and CRMHQ Limited (Processor). It regulates any personal data processing conducted for business purposes.

Introduction

These Data Processing Terms (“Data Processing Terms”) form an integral part of, and shall be read in the context of, the terms and conditions set out in your CRMHQ CRM SAAS agreement as applicable from time to time. The Service is operated by CRMHQ Limited (“us”, “we”, or “our”).

The Data Processing Terms apply only when you, as a subscriber to the Service:

  1. are subject to Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), and
  2. are within the period set out in Section 5 - Commencement and Duration of your CRMHQ CRM SAAS agreement.

These Data Processing Terms govern our processing of personal data as processor, on behalf of you as controller. All terms used herein which coincide with terms used in the GDPR shall have the meaning assigned to them in the GDPR.

Purpose and subject matter

We will process personal data on behalf of you as the controller for the purposes of providing the Service in accordance with your CRMHQ CRM SAAS agreement. We anonymise and aggregate personal data when using data to provide, improve or modify the Service. Processing of personal data will cover the categories of personal data supported by the Service, for the purposes specified above and only to the extent necessary to fulfil those purposes.

The categories of data subjects, and the categories of personal data processed for each, are:

  • Care seekers
    • Contact information
    • Email and SMS records
    • Comments
  • Service users
    • Contact information
    • Care requirements and needs
    • Email and SMS records
    • Comments
    • Documents
    • Expense records
  • Key contacts for service users
    • Contact information
    • Invoices
  • Key contacts for locations
    • Contact information
    • Invoices

Your rights and obligations as controller

You agree and warrant that:

  1. You have a legal basis to submit the personal data to us for processing, and you are responsible for the accuracy, integrity, content and legality of the personal data processing, including the legality of any third country transfer or additional instructions.
  2. The processing of personal data is not in violation of the GDPR or any local law applicable to you.
  3. You, as controller of the processing, are the party responsible to notify applicable regulatory authorities and/or data subjects in case of a personal data breach, pursuant to the GDPR and other applicable data protection regulations.
  4. You, by way of your risk assessment, have verified that the Services’ security measures are appropriate and proportionate to the applicable processing.
  5. We have provided sufficient guarantees in terms of logical, technical and organisational security measures.

Our obligations as Processor

We will:

  1. only process personal data in accordance with these Data Processing Terms and the Terms and Conditions, or pursuant to your reasonable written instructions.
  2. ensure that persons authorised to process the personal data are subject to adequate confidentiality obligations.
  3. ensure that data relating to UK data subjects is processed either on EU-controlled servers or by sub-processors that are GDPR compliant.
  4. seek to ensure appropriate security when processing personal data, by means of planned and systematic organisational and technical measures pursuant to GDPR article 32.
  5. by appropriate technical and organisational measures, insofar as this is possible, provide reasonable assistance with your obligations pursuant to GDPR articles 32 to 36 and with the fulfilment of your obligation to respond to requests for exercising data subjects’ rights as set out in GDPR Chapter III.
  6. in case of a personal data breach, notify you without undue delay after becoming aware of the personal data breach, and assist in providing the information necessary for you to comply with your obligations under GDPR articles 33 and 34.
  7. unless prohibited by law, notify you of government access requests, and only disclose personal data to government authorities or third parties when strictly necessary to comply with a legally binding request.

Audit

You accept and acknowledge that security audits and inspections will be performed through an independent third party. We will ensure regular self-audits on our data processing activities and systems, as well as our technical and organisational measures. The results of audits and inspections will be made available to you upon request, and we will reasonably assist in providing additional information should the audit results not be satisfactory for you to demonstrate compliance with statutory data protection regulations.

Use of Sub-processor

We will, by written agreement with our sub-processors, ensure that any processing of personal data carried out by a sub-processor is governed by the same obligations and limitations as those set out in these Data Processing Terms. We currently use the sub-processors listed here: https://carehq.co.uk/eula/sub-processors, and you provide us with your prior and specific authorisation to use them. You also provide us with your general written authorisation to change an existing or add a new sub-processor. We will provide 14 days’ notice of any plans to change an existing or add a new sub-processor. You are entitled to object to such an addition or change, and must do so by terminating your use of the Service.

Deletion of Data

As part of the CareHQ application setup process for your organisation you will have agreed data retention periods for care enquiry and service user records. When data records exceed their retention period they are either deleted or anonymised.

The retention periods for each type of personal data are as follows:

  • Care enquiries, including associated actions, assessments, contacts, comments, documents, home visits and messages: configured per client (recommended 365 days).
  • Service users, including associated actions, contacts, comments, documents and messages: configured per client (recommended 2556 days).
  • Change logs (audit trail): until termination of account.
  • Invoices: until termination of account.
  • Expense ledger entries: until termination of account.

Should your account expire or the Terms and Conditions otherwise terminate, all personal data will be deleted within 48 hours. The deletion of personal data will be done in a secure manner and in accordance with applicable requirements.

Please note: after data is deleted from the CareHQ application it will remain within backup systems for up to 90 days before being automatically and permanently deleted.

Duration and termination

These Terms shall come into effect upon the date of execution. The termination or expiration of this Agreement shall not relieve the processor of its confidentiality obligations.

Governing Law and Jurisdiction

These Terms are governed by the law of England and Wales. Any dispute arising in connection with this Agreement which the parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of England and Wales.

Severability

If any term or provision of these Terms is determined by a court of competent jurisdiction to be illegal, invalid or unenforceable, that provision will be severed from this Agreement and the remaining provisions will continue in full force and effect without amendment.

Last updated 18th May 2023