Background
Under UK GDPR and the Data Protection Act 2018, where one party processes personal data on behalf of another, a written Data Processing Agreement must be in place. The care home operator (the ‘Controller’) is the data controller for personal data relating to its residents, staff, and other data subjects. Care-Meter (the ‘Processor’) processes that data on the Controller’s behalf to provide the Services.
This DPA supplements and forms part of the Subscription Agreement. In the event of conflict on data protection matters, this DPA prevails.
Definitions
| Term | Meaning |
|---|---|
| Personal Data | As defined in UK GDPR Art. 4(1) |
| Special Category Data | Health data, safeguarding data, and other Art. 9(1) categories |
| Processing | Any operation on Personal Data per UK GDPR Art. 4(2) |
| Data Subject | Individual to whom Personal Data relates: primarily care home residents, secondarily care staff |
| Sub-processor | Third party engaged by the Processor to process Personal Data on the Processor's behalf |
| Security Incident | Accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data |
| UK GDPR | The UK General Data Protection Regulation as retained in UK law and as amended by the Data (Use and Access) Act 2025 |
| Significant Automated Decision | A decision based solely on automated processing within the meaning of UK GDPR Articles 22A-22D, with no meaningful human involvement, that produces legal or similarly significant effects on a Data Subject |
| Supervisory Authority | The Information Commissioner's Office (ICO) |
| Services | As defined in the Subscription Agreement |
Scope
Full processing details are set out in Schedule 1 below.
Controller's Obligations
4.1 Lawful Basis
The Controller confirms it has a lawful basis under UK GDPR Art. 6 and Art. 9 for each category of Personal Data it instructs the Processor to process. For resident health data: Art. 6(1)(c) (CQC Regulation 17) and Art. 9(2)(h) (provision of health or social care).
4.2 Instructions
The Controller instructs the Processor to process Personal Data only as necessary to provide the Services. Additional written instructions may be given; processing outside this DPA’s scope may be charged at standard rates.
4.3 Controller Compliance
The Controller is responsible for its own UK GDPR obligations, including privacy notices, data subject requests, and maintaining its own RoPA.
4.4 Recognised Legitimate Interests
The Controller may instruct the Processor to support processing in reliance on a Recognised Legitimate Interest under UK GDPR Article 6(1)(ea), in particular for the safeguarding of vulnerable individuals (Annex 1 condition). Where the Controller relies on this basis, the Processor will give effect to the Controller’s documented instructions in accordance with Section 5 and will not require a Legitimate Interests Assessment from the Controller for such processing.
Processor's Obligations
5.1 Documented Instructions Only
The Processor will process Personal Data only on documented Controller instructions, except where required by law (in which case the Processor will notify the Controller before processing unless prohibited).
5.2 Confidentiality
The Processor will ensure all persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
5.3 Security
The Processor will implement and maintain appropriate technical and organisational measures as described in Schedule 2.
5.4 Sub-processors
The Controller grants general authorisation to engage the sub-processors listed in Schedule 3. The Processor will: (a) enter written agreements with sub-processors imposing equivalent obligations; (b) notify the Controller of proposed changes with 30 days’ notice; (c) remain fully liable for sub-processor acts and omissions.
5.5 Data Subject Rights
The Processor will assist the Controller in fulfilling UK GDPR Chapter III obligations. The Processor will forward data subject requests received directly to the Controller within 3 business days.
5.6 Deletion or Return
On termination, the Processor will, at the Controller’s choice: (a) delete all Personal Data and confirm in writing within 30 days; or (b) return all Personal Data in machine-readable format within 30 days.
5.7 Audit Rights
The Processor will make available information reasonably necessary to demonstrate compliance and permit audits by the Controller or appointed auditor on not less than 30 days’ written notice and at the Controller’s expense.
5.8 Automated Decision-Making
The Processor confirms that the Services do not make Significant Automated Decisions about Data Subjects. AI features (OCR, classification, risk scoring, copilot, governance flagging, PIR drafting, and operational-retrieval tools that surface staff personal data) generate suggestions that require meaningful human involvement by an Authorised User of the Controller before any record is finalised, any compliance status is set, any alert is treated as confirmed, or any regulatory submission is approved. The Processor maintains an audit record of human review for each such decision and will make this record available to the Controller on request.
The Processor will not introduce any feature that constitutes a Significant Automated Decision involving Special Category Data without the Controller’s prior written consent and a Data Protection Impact Assessment shared with the Controller.
5.9 Staff-Data Tool Surface — Purpose Limitation
Where the Services surface staff personal data through the Copilot (operational-retrieval tools covering shifts, training status, NMC revalidation status, and supervisions due), the Processor confirms that this surface exists solely to support: (i) operational visibility; and (ii) statutory compliance evidencing (CQC Regulations 18 and 19, NMC revalidation where applicable). The Processor warrants that this surface does not exist to evaluate individual employee performance, produce comparative staff rankings, inform disciplinary action, or feed automated decisions affecting an employee’s job. The Processor enforces this limitation at the code level via build-blocking safety evaluations and at the tool-contract level via a documented purpose declaration for every staff-data tool. Any future feature that crosses this boundary is out of scope and requires the Controller’s prior written consent and a Data Protection Impact Assessment shared with the Controller.
Security Incident Notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Security Incident. The notification will include:
- Nature of the incident and categories of data affected
- Approximate number of data subjects affected
- Data protection contact: privacy@care-meter.co.uk
- Likely consequences of the incident
- Measures taken or proposed
International Transfers
The Processor will not transfer Personal Data outside the UK without the Controller’s prior written consent. All processing takes place within AWS eu-west-2 (London) unless otherwise agreed in writing.
Term
This DPA takes effect on the date of acceptance and remains in force for as long as the Processor processes Personal Data under the Subscription Agreement.
Changes to This DPA
Care-Meter may update this DPA. For material changes, at least 14 days’ notice will be given by email and via a prominent in-platform notice. Previous versions are available on request from privacy@care-meter.co.uk.
Governing Law and Jurisdiction
This Agreement and any dispute or claim arising out of or in connection with it (including non-contractual disputes) shall be governed by and construed in accordance with the laws of England and Wales.
The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction over any dispute or claim arising out of or in connection with this Agreement, save that nothing prevents either party from seeking emergency injunctive relief in any court of competent jurisdiction.
Schedule 1 — Details of Processing
| Item | Details |
|---|---|
| Subject matter | Digital care record management, AI-assisted classification, governance monitoring, operational-retrieval (Copilot) over resident and staff data, and inspection readiness for UK adult social care homes |
| Duration | Duration of the Subscription Agreement, plus 30 days for export purposes |
| Nature of processing | Collection, recording, organisation, structuring, storage, retrieval, use, disclosure, erasure, and destruction of care records and staff operational records. AI-assisted classification, risk scoring, and operational-retrieval (each subject to meaningful human involvement before any record is finalised or any compliance status is set). Deterministic ontology-tag projection for evidence retrieval. No vector or semantic retrieval tier is in use. |
| Purpose | Digitising handwritten care notes; structuring and classifying records against CQC quality statements; surfacing governance alerts; supporting inspection preparation; assisting with PIR drafting; surfacing operational visibility (shifts, assignments, coverage) and statutory compliance evidencing (training, supervision, NMC revalidation) through the Copilot. |
| Types of Personal Data — resident | Resident care notes; medication records; incident descriptions; safeguarding records; mood/behaviour observations; clinical assessments; resident identifiers (name, DOB, key worker, next-of-kin). |
| Types of Personal Data — staff | Staff identity (name, role, Cognito identity); shift records; training completions and due dates; NMC revalidation evidence (PIN, expiry, reflective account); supervision records (topics, action points, notes). |
| Data Subject categories | Primary: residents of the Controller's registered adult social care homes. Secondary: care staff employed by or contracted to the Controller. Tertiary: family or next-of-kin contacts of residents; account holders (registered manager, owner, administrator). |
| Special Category Data | Health data (UK GDPR Art. 9(1)) of residents: health, medication, safeguarding, and clinical information. Conditional special-category content may arise in staff supervision notes and NMC reflective accounts (Art. 9(2)(b) — employment) — access to verbatim free-text is restricted to manager-class roles. |
| Criminal-offence data (Art. 10) | Possible — safeguarding records may reference allegations or convictions. Processed under DPA 2018 Schedule 1 conditions for safeguarding of children and individuals at risk. |
| Voice audio (where used) | Captured solely for transcription. Audio files are deleted within 30 days of processing. No biometric template is created, retained, or used for identification or authentication. Voice audio is therefore not processed as biometric data within the meaning of UK GDPR Article 9(1). |
| Staff-data tool purpose limitation | Operational visibility and statutory compliance evidencing only. Not performance management, ranking, disciplinary input, or automated employment-affecting decisions. See clause 5.9 above. |
| Sub-processors | As listed in Schedule 3 |
Schedule 2 — Technical and Organisational Security Measures
Access Control
- Role-based access control via AWS Cognito (ADMIN, MANAGER, CARER, FAMILY roles), applied on a least-privilege basis
- MFA required for ADMIN and MANAGER roles
- All service-to-service authentication via AWS IAM, no unauthenticated Lambda Function URLs
- Tenant isolation enforced at AppSync authorisation layer; no cross-tenant data access
- Staff access revoked immediately on departure
Encryption
- In transit: HTTPS/TLS 1.2+ for all data transfers
- At rest: S3 SSE-S3 and DynamoDB default encryption for all data at rest
- Customer-managed KMS keys for special-category data storage (target: before first external customer)
Infrastructure Security
- All infrastructure in AWS eu-west-2 (London)
- Infrastructure defined as code (Amplify Gen 2 CDK); all changes require PR review and CI approval
- Lambda functions within VPC; rate limiting on AI and copilot endpoints
Audit and Logging
- Immutable audit log with SHA-256 chain hash for all governance-critical actions
- S3 Object Lock (WORM) on audit vault, target: pre-pilot
- CloudWatch logs: metadata only, no Personal Data in application logs
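The chain-hashed audit log described above, as an added illustration that is not Care-Meter's own code: each entry carries the SHA-256 of the entry before it, so any edit, deletion or reordering of an earlier governance-critical action is detected on verification. Field names (`at`, `actor`, `action`, `payload`) and the sample actions are assumed for the example.

```typescript
import { createHash } from "crypto";

// Constructed illustration, not Care-Meter's own code: an append-only audit log
// in which every entry commits to the hash of the entry before it.
export interface AuditEntry {
  seq: number;      // position in the chain, starting at 0
  at: string;       // ISO-8601 timestamp of the action (assumed field)
  actor: string;    // identity of the Authorised User who acted (assumed field)
  action: string;   // governance-critical action name, e.g. "compliance_status.set"
  payload: string;  // JSON details of the action
  prevHash: string; // hash of the previous entry, or GENESIS for the first
  hash: string;     // SHA-256 over every field above
}

export const GENESIS = "0".repeat(64);

// Length-prefixing each field makes the serialisation injective, so two
// different entries can never produce the same byte string to hash.
export function entryHash(e: Omit<AuditEntry, "hash">): string {
  const h = createHash("sha256");
  for (const p of [String(e.seq), e.at, e.actor, e.action, e.payload, e.prevHash]) {
    h.update(`${p.length}:${p}|`);
  }
  return h.digest("hex");
}

export function append(log: AuditEntry[], at: string, actor: string,
                       action: string, details: object): AuditEntry {
  const body = {
    seq: log.length, at, actor, action,
    payload: JSON.stringify(details),
    prevHash: log.length === 0 ? GENESIS : log[log.length - 1].hash,
  };
  const entry: AuditEntry = { ...body, hash: entryHash(body) };
  log.push(entry);
  return entry;
}

// Walks the chain from the genesis value; returns the index of the first entry
// whose sequence number, back-link or hash does not check out, or -1 if all hold.
export function verify(log: AuditEntry[]): number {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { hash, ...body } = log[i];
    if (body.seq !== i || body.prevHash !== prev || entryHash(body) !== hash) return i;
    prev = hash;
  }
  return -1;
}
```

The chain catches edits, deletions and reordering of earlier entries but not removal of the most recent ones, which is why the Schedule pairs it with S3 Object Lock (WORM) on the audit vault.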
Incident Response
- Documented Incident Response Plan: detection, containment, notification, post-incident review
- ICO notification within 72 hours; Controller notification within 24 hours of confirming a breach
AI-Specific Safeguards
- Meaningful human involvement required for every AI output (clause 5.8) — no AI suggestion is recorded as confirmed, used to trigger an alert, or referenced in a regulatory submission without explicit human review by an Authorised User
- Staff-performance prohibition (clause 5.9) enforced via build-blocking safety evaluations: the Processor maintains automated test cases that exercise the prohibition on each new release and fails the build on regression
- Aggregate-cohort minimum for operational and analytical aggregate queries: a hard minimum cohort size (default of five subjects) is enforced to defeat deanonymising filter combinations. The guard is verified by a continuous-integration test that asserts the threshold cannot be bypassed by tool-call construction
- No vector or semantic retrieval tier for Personal Data. Care-evidence retrieval uses a deterministic ontology-tag projection; operational retrieval uses structured queries against the Personal Data store. This bounds the surface area for model hallucination
- No training on Customer Data. The Processor does not use Customer Data, in identifiable, pseudonymised, or anonymised form, to train third-party AI or machine-learning models. AWS Bedrock terms commit Anthropic and Amazon Nova to the same; the Processor verifies these terms annually
- Manager-correction audit trail (CorrectionEvent): every human override of an AI suggestion is captured as a structured append-only record, providing both an evidentiary trail and a feedback loop into the eval corpus
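The aggregate-cohort minimum from the safeguards above, as an added illustration that is not Care-Meter's own code: an aggregate staff query exposed to the Copilot refuses to answer when the filtered cohort is smaller than the floor, and the floor is a module constant that no tool-call argument can lower. The tool name, the filter keys and the staff data are constructed for the example.

```typescript
// Constructed illustration, not Care-Meter's own code: a cohort-minimum guard
// for an aggregate staff query exposed to the Copilot as a tool.
export const MIN_COHORT = 5; // hard floor; a module constant, never a tool argument

export interface StaffRecord { id: string; role: string; site: string; trainingDue: boolean }

// Only these keys can narrow the cohort. The attribute being counted
// (trainingDue) is deliberately not filterable, so the denominator cannot be
// shrunk by filtering on the very value being measured.
export interface CohortFilter { role?: string; site?: string }

export type AggregateResult =
  | { ok: true; cohort: number; trainingDue: number }
  | { ok: false; reason: "cohort_below_minimum" };

export function countTrainingDue(records: StaffRecord[], f: CohortFilter): AggregateResult {
  const cohort = records.filter(r =>
    (f.role === undefined || r.role === f.role) &&
    (f.site === undefined || r.site === f.site));
  // Refuse outright rather than return a figure that would single out individuals.
  if (cohort.length < MIN_COHORT) return { ok: false, reason: "cohort_below_minimum" };
  return { ok: true, cohort: cohort.length, trainingDue: cohort.filter(r => r.trainingDue).length };
}

// Tool-call entry point. The model hands over a JSON argument object; only the
// whitelisted filter keys are read, so an injected "minCohort" or any other
// unexpected key is discarded rather than honoured.
export function handleToolCall(records: StaffRecord[], args: Record<string, unknown>): AggregateResult {
  const f: CohortFilter = {};
  if (typeof args.role === "string") f.role = args.role;
  if (typeof args.site === "string") f.site = args.site;
  return countTrainingDue(records, f);
}

// Constructed sample staff data: six staff at "oak", two at "elm".
export const STAFF: StaffRecord[] = [
  { id: "s1", role: "nurse", site: "oak", trainingDue: true },
  { id: "s2", role: "nurse", site: "oak", trainingDue: false },
  { id: "s3", role: "carer", site: "oak", trainingDue: true },
  { id: "s4", role: "carer", site: "oak", trainingDue: false },
  { id: "s5", role: "carer", site: "oak", trainingDue: false },
  { id: "s6", role: "carer", site: "oak", trainingDue: true },
  { id: "s7", role: "nurse", site: "elm", trainingDue: true },
  { id: "s8", role: "carer", site: "elm", trainingDue: false },
];
```

The continuous-integration test the Schedule refers to would exercise exactly the refused cases below (a small site, a role within a site, and a forged threshold argument) on every release.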
Organisational Measures
- All staff and contractors subject to confidentiality obligations
- Annual data security awareness training for all personnel with production access
- Master Care-Meter Data Protection Impact Assessment maintained and reviewed annually; sibling DPIAs maintained per processing surface and reviewed on the same cadence
Schedule 3 — Approved Sub-processors
| Sub-processor | Purpose | Location | Contractual basis |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure: DynamoDB, S3, Lambda, Cognito, SES, CloudWatch, Amplify | eu-west-2 (London) | AWS GDPR DPA (AWS Artifact) |
| AWS Bedrock — Anthropic Claude | AI inference: OCR structuring, classification, Copilot, PIR drafting (no training on customer data; no retention beyond the request lifecycle) | eu-west-2 (London) | AWS Bedrock Terms; AWS DPA |
| AWS Bedrock — Amazon Nova | AI inference: CQC classification (no training on customer data) | eu-west-2 (London) | AWS Bedrock Terms; AWS DPA |
| Amazon Textract | OCR processing of handwritten care notes | eu-west-2 (London) | AWS DPA |
| Amazon Transcribe | Server-side audio transcription (fallback path only) | eu-west-2 (London) | AWS DPA |
| Amazon Simple Email Service (SES) | Transactional email: receipts, alerts, system notifications (no marketing) | eu-west-2 (London) | AWS DPA |
| Amazon CloudWatch | Application monitoring and logging (metadata only; no Personal Data in application logs) | eu-west-2 (London) | AWS DPA |
Region commitment. All processing of Personal Data by the sub-processors above takes place in eu-west-2 (London). The Processor will not invoke a sub-processor in any other AWS region without first updating this Schedule and giving the Controller 30 days’ notice.
Retired sub-processor (v1.1 → v1.2). Amazon OpenSearch Service is no longer engaged as a sub-processor. The legacy vector-search retrieval path it supported has been retired in favour of a deterministic ontology-tag projection and structured queries against the Personal Data store. No customer data remains in OpenSearch.
Care-Meter will notify the Controller of any proposed addition to or replacement of sub-processors with 30 days’ notice. The Controller may object on reasonable grounds within that period.