Data Processing Agreement

Parties

Data Processor: Arctic Parade Ltd, a company registered in England and Wales (company number 17033806), registered address: 9 Haigh Road, Huddersfield, HD3 2AE ("Arctic Parade", "Processor", "we", "us").

Data Controller: The clinic or business that has created an account on the Arctic Parade platform and accepted the Terms of Service ("Controller", "you").

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between the parties. In the event of a conflict between this DPA and the Terms of Service, this DPA takes precedence in relation to the processing of personal data.

1. Definitions

In this DPA:

• "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable subordinate legislation or guidance issued by the Information Commissioner's Office (ICO), as amended from time to time.
• "Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Supervisory Authority" have the meanings given in UK GDPR.
• "Controller Personal Data" means any personal data that the Controller submits to, or that is generated by the Controller's use of, the Service.
• "Service" means the Arctic Parade clinic management platform provided under the Terms of Service.
• "Sub-processor" means any third party engaged by Arctic Parade to process Controller Personal Data on its behalf.

2. Scope and role of the parties

The Controller determines the purposes and means of processing Controller Personal Data. Arctic Parade processes Controller Personal Data solely as a Processor, acting on the Controller's instructions, for the purpose of providing the Service.

The categories of data subjects and types of personal data processed under this DPA will typically include:

• Patients / clients: name, contact details, date of birth, appointment history, consultation notes, consent records, health information, and communications
• Clinic staff: name, email address, role, login credentials, and activity logs
• Prospective patients (leads/enquiries): name and contact details

The nature of the processing is the collection, storage, retrieval, display, export, and deletion of the above data through the Arctic Parade platform. The duration of processing is the term of the Controller's subscription plus any post-termination retention period as described in Section 7.

3. Processor obligations

Arctic Parade agrees to:

• Process Controller Personal Data only on documented instructions from the Controller, including those set out in this DPA and the Terms of Service, unless required to do so by applicable law (in which case Arctic Parade will inform the Controller unless prohibited by law)
• Ensure that persons authorised to process Controller Personal Data are bound by appropriate confidentiality obligations
• Implement appropriate technical and organisational measures to protect Controller Personal Data in accordance with Section 5 below
• Assist the Controller in meeting its obligations under Data Protection Laws, including in respect of data subject rights requests (Section 6), security (Section 5), and breach notification (Section 8)
• Delete or return all Controller Personal Data on termination of the Service, in accordance with Section 7
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audit requests, subject to reasonable notice and confidentiality protections

4. Sub-processors

The Controller grants Arctic Parade general authorisation to engage sub-processors. Arctic Parade currently engages the following sub-processors to support the Service:

Arctic Parade will provide the Controller with at least 30 days' notice of any intended changes to its sub-processor list that may affect the Controller's Personal Data. If the Controller reasonably objects to a new sub-processor, it may terminate the Service in accordance with the Terms of Service.

Arctic Parade remains liable to the Controller for the acts and omissions of its sub-processors to the same extent as if it had performed the processing itself.

5. Security

Arctic Parade will implement and maintain appropriate technical and organisational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, but are not limited to:

• Encryption of data in transit using TLS
• Role-based access controls limiting access to authorised personnel
• Clinic-scoped data isolation (each clinic's data is logically separated)
• Managed cloud infrastructure with security controls provided by Microsoft Azure
• Error monitoring and alerting through Sentry

Further details are available in Arctic Parade's Security overview.

6. Data subject rights

Arctic Parade will, taking into account the nature of the processing, assist the Controller with its obligations to respond to data subject rights requests (access, rectification, erasure, restriction, portability, and objection) by providing the Controller with appropriate tools and functionality within the Service.

The Controller is responsible for handling and responding to data subject rights requests it receives. Arctic Parade will forward to the Controller, without undue delay, any data subject requests it receives directly that relate to the Controller's data.

7. Retention and deletion

Arctic Parade will retain Controller Personal Data for the duration of the subscription. Following termination or expiry of the subscription:

• The Controller should export any data required before their access ends
• Arctic Parade will retain Controller Personal Data for up to 60 days after termination to allow for any disputes, legal obligations, or recovery requests
• After that period, Controller Personal Data will be deleted or anonymised unless Arctic Parade is required to retain it by applicable law

The Controller may request earlier deletion of specific data by contacting Arctic Parade, subject to any legal or contractual retention obligations.

8. Personal data breaches

Arctic Parade will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Controller Personal Data. The notification will include, to the extent known at the time:

• The nature of the breach and categories of data affected
• The approximate number of data subjects and records affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach

The Controller is responsible for determining whether it is required to notify the ICO or affected data subjects, and for making any such notifications.

9. International transfers

Controller Personal Data is primarily stored and processed within the UK and EEA. Where sub-processors are located outside the UK/EEA (see Section 4), Arctic Parade ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO or the European Commission, as applicable.

10. Controller obligations

The Controller warrants and agrees that it:

• Has a lawful basis for processing each category of Controller Personal Data entered into the Service
• Has provided any required privacy notices to its patients and staff regarding the use of the Service
• Will comply with all applicable Data Protection Laws in relation to the Controller Personal Data it processes through the Service
• Will not instruct Arctic Parade to process Controller Personal Data in a way that would breach Data Protection Laws

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits liability for death or personal injury caused by negligence, for fraud, or for anything else that cannot be limited by law.

12. Governing law

This DPA is governed by the law of England and Wales. Any disputes arising under this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.

13. How this DPA takes effect

By accepting the Arctic Parade Terms of Service, the Controller agrees to the terms of this DPA. No separate signature is required. If a signed copy is required for your organisation's records, please contact us to request a countersigned PDF.