Careframe

Data Processing Terms

Last updated: [DATE]

These Data Processing Terms summarise how Careframe, operated by [COMPANY LEGAL NAME] (company number [COMPANY NUMBER], registered address [REGISTERED ADDRESS]), processes personal data on behalf of its customers. They form part of the agreement between Careframe and the Customer and are designed to meet the requirements of Article 28 of the UK GDPR and the Data Protection Act 2018.

1. Roles

For personal data the Customer puts into the platform — including staff records and children’s records — the Customer is the data controller and Careframe is the data processor. Careframe processes that data only on the Customer’s documented instructions, which include using the platform as intended and these terms.

2. Subject matter, scope, and duration

  • Subject matter — the provision of the Careframe platform to the Customer.
  • Duration — for as long as the Customer’s subscription is active, plus any agreed period for return or deletion of data afterwards.
  • Nature and purpose — storing, organising, and making available the records the Customer needs to run its homes, manage staff, support children’s care, deliver training, and prepare for inspection.

3. Categories of data and data subjects

  • Data subjects — the Customer’s staff and workers, the children and young people in its care, and other individuals whose details the Customer chooses to record.
  • Categories of data — contact and identity details, employment and training records, rotas and timesheets, compliance records, care and safeguarding records, daily logs, and incident records. This includes special-category data (such as health information) and data relating to children.

4. Careframe’s obligations as processor

  • Process personal data only on the Customer’s documented instructions, unless required to do otherwise by law (in which case we will tell the Customer where we are permitted to).
  • Make sure people authorised to process the data are under a duty of confidentiality.
  • Put in place appropriate technical and organisational security measures (see section 6).
  • Help the Customer respond to requests from data subjects and meet their own obligations around security, breach notification, and data protection impact assessments.
  • Not engage another sub-processor without the Customer’s general authorisation, and inform the Customer of changes so they can object (see section 5).
  • At the end of the service, delete or return personal data as the Customer chooses, unless we must keep it by law.
  • Make available the information needed to show compliance with these terms, and allow for reasonable audits.

5. Sub-processors

The Customer gives general authorisation for Careframe to use sub-processors to help deliver the platform — for example our hosting, database, email, and payment providers. We put written terms in place with each sub-processor that impose data-protection obligations no less protective than these terms, and we remain responsible for their performance. We maintain a current list of sub-processors and will give the Customer reasonable notice of any intended change, so the Customer has a chance to object on reasonable grounds.

6. Security measures

We maintain technical and organisational measures appropriate to the sensitivity of the data, including:

  • Encryption of data in transit and at rest.
  • Role-based access controls and least-privilege access.
  • Multi-factor authentication for access where appropriate.
  • Audit logging of significant activity.
  • Hosting in the UK or the EEA with reputable infrastructure providers.
  • Regular review and improvement of our security practices.

These are commitments to how we work; they are not claims of any particular external certification.

7. International transfers

Customer data is hosted in the UK or the European Economic Area (currently in EU data centres in Germany). Where customer personal data is processed outside the UK, this happens only in jurisdictions covered by UK adequacy regulations — which include the EEA — or with an appropriate safeguard in place, such as the International Data Transfer Agreement, and always consistently with the Customer’s instructions.

8. Breach notification

If we become aware of a personal-data breach affecting customer data, we will notify the Customer without undue delay and provide the information the Customer reasonably needs to meet its own obligations, including to the ICO and to affected individuals where required. We maintain procedures to detect, investigate, and respond to such breaches.

9. Return and deletion of data

At the end of the service, and at the Customer’s choice, we will return the customer personal data or delete it, and delete existing copies unless the law requires us to keep some of it. The Customer can also export or delete data through the platform during the subscription, in line with its own retention decisions.

10. Relationship to other terms

These Data Processing Terms supplement our Terms of Service and should be read with our Privacy Policy. A separate, signed data processing agreement is available for customers who need one — contact us to arrange it.

11. Contact

For any questions about these terms or to request a signed data processing agreement, contact us at hello@careframe.co.uk.