Data Processing Agreement

Data Processing Agreement

WANDIQ LIMITED
Company number 16888143
Incorporated in England and Wales

Effective date: 1 October 2025
Version: 1.0

This Data Processing Agreement (DPA) forms part of the agreement between:

Controller: The customer identified in the applicable order form or agreement

Processor: WANDIQ LIMITED

Together, the Parties.

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the provision of the services.

1. Definitions

Capitalised terms not defined in this DPA have the meaning given in the main agreement.

Data Protection Laws means the UK General Data Protection Regulation and the Data Protection Act 2018.

Personal Data, Special Category Data, Processing, Controller, Processor, and Personal Data Breach have the meanings given in Data Protection Laws.

2. Roles of the Parties

2.1 The Controller acts as Data Controller.
2.2 The Processor acts solely as a Data Processor and processes Personal Data only on the documented instructions of the Controller.
2.3 Nothing in this DPA creates a joint controller relationship.

3. Processor Obligations

The Processor shall:

a) process Personal Data only on documented instructions from the Controller
b) ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations
c) implement appropriate technical and organisational measures in accordance with Article 32 UK GDPR
d) not disclose Personal Data to any third party except as permitted under this DPA
e) notify the Controller without undue delay upon becoming aware of a Personal Data Breach and, where feasible, within 48–72 hours
f) provide reasonable cooperation to support the Controller’s compliance with Data Protection Laws

4. Special Category Data

4.1 The Processor may process Special Category Data, including health-related data, strictly in accordance with the Controller’s instructions.
4.2 The Processor shall apply safeguards appropriate to the nature of such data, without committing to any specific certification or formal security standard.

5. Sub-processors

5.1 The Controller grants the Processor general authorisation to engage sub-processors.

5.2 The Processor maintains a publicly available list of sub-processors, available at:
https://wandiq.co.uk/subprocessors

5.3 The Processor may update that list from time to time. Publication of an updated list constitutes notice.

5.4 The Controller may object to a new sub-processor only on reasonable data protection grounds. Where no reasonable alternative is available, the Controller’s sole remedy is suspension or termination of the affected services.

5.5 The Processor remains responsible for the acts and omissions of its sub-processors.

6. International Transfers

6.1 Personal Data may be processed in the United Kingdom, the European Economic Area, and third countries, including the United States.

6.2 Where required, the Processor ensures appropriate safeguards are in place in accordance with Chapter V of the UK GDPR.

7. Audit and Information Rights

7.1 The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

7.2 Audit rights are limited to written information and documentation review.

7.3 On-site audits are excluded unless required by applicable law.

7.4 Audits must be reasonable, proportionate, and subject to advance notice.

8. Assistance to the Controller

8.1 The Processor shall provide reasonable assistance with data subject rights requests, data protection impact assessments, and regulatory enquiries.

8.2 Assistance is limited to Personal Data processed by the Processor and information reasonably available.

8.3 Assistance beyond routine cooperation may be chargeable at the Processor’s then-current rates.

8.4 The Processor does not provide legal advice.

9. Data Retention, Return, and Deletion

9.1 Upon termination of the services, the Processor shall, at the Controller’s choice, return or delete Personal Data within 30 days, unless retention is required for legal compliance or backup purposes.

9.2 Backup data shall be securely isolated and deleted in accordance with normal retention cycles.

10. Liability and Precedence

10.1 This DPA forms part of the main agreement between the Parties.

10.2 The main agreement prevails in the event of any conflict, except where Data Protection Laws require otherwise.

10.3 Liability arising under this DPA is subject to the same limitations and exclusions set out in the main agreement.

11. General

11.1 No amendment to this DPA is effective unless made in writing.
11.2 This DPA is governed by the law governing the main agreement.

Schedule 1 – Processing Details

Subject matter
Provision of the services

Duration
For the term of the services

Nature and purpose
Hosting, automation, system integration, communication, and related support services

Categories of data subjects
Patients, clients, staff, and authorised users of the Controller

Types of Personal Data
Contact details, appointment data, communications, identifiers

Special Category Data
Health-related data as determined by the Controller

Schedule 2 – Sub-processor Categories

Cloud infrastructure and hosting providers

CRM and customer communication platforms

Automation and system integration tools

Messaging and telephony service providers

Analytics, monitoring, and logging services

Security, backup, and disaster recovery providers

Further details are published at https://wandiq.co.uk/subprocessors.