Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement ("DPA") forms part of the agreement between THRIVE ("Processor", "we", "us") and the organisation using the Thrive platform ("Controller", "you", "your organisation"). This DPA is entered into in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable data protection legislation.

By using the Thrive platform, you confirm that you are the data controller for the personal data processed through the Service and that you have the authority to enter into this DPA on behalf of your organisation.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
  • "Special Category Data" means data concerning health, as defined in Article 9 of UK GDPR, processed through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates (including service users and staff).
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Service" means the Thrive clinical care management platform including the web application, mobile application, and associated infrastructure.

2. Scope & Purpose of Processing

Subject Matter

The provision of a clinical care management platform for Positive Behaviour Support organisations.

Duration

Processing shall continue for the duration of the Controller's subscription to the Service and any applicable retention period thereafter.

Nature & Purpose of Processing

Storage, retrieval, display, and management of clinical care data to enable the Controller to deliver and document Positive Behaviour Support services.

Categories of Data Subjects

  • Service users (patients/residents) of the Controller
  • Staff members of the Controller
  • Emergency contacts and next of kin of service users

Types of Personal Data

  • Names, dates of birth, NHS numbers, contact details
  • Health and care records (Special Category Data)
  • Behavioural assessments and incident reports
  • Medication records and administration logs
  • Care plans, daily observations, and progress notes
  • Staff employment details (name, email, role)
  • Photographs (evidence photos, body maps)

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by law
  • Ensure that persons authorised to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
    • Row Level Security enforced on all database tables
    • Role-based access control with granular permissions
    • Automatic session timeout (30 minutes inactivity)
    • Rate limiting and account lockout mechanisms
    • Immutable audit trails with field-level change tracking
  • Not engage another processor without prior written authorisation from the Controller (see Sub-Processors below)
  • Assist the Controller in responding to data subject access requests
  • Assist the Controller in ensuring compliance with data protection impact assessments where required
  • Delete or return all Personal Data at the end of the provision of services, unless retention is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with these obligations

4. Obligations of the Controller

The Controller shall:

  • Ensure it has a lawful basis for processing Personal Data within the Service (typically Article 6(1)(e) public task or Article 6(1)(f) legitimate interests, and Article 9(2)(h) for health data)
  • Provide clear instructions to the Processor regarding the processing of Personal Data
  • Ensure the accuracy of data entered into the platform
  • Manage user access, including timely removal of staff who leave the organisation
  • Respond to data subject rights requests (with assistance from the Processor where needed)
  • Notify the Processor of any changes to processing instructions

5. Sub-Processors

The Controller authorises the engagement of the following Sub-Processors:

  • Supabase Inc. (AWS). Purpose: database hosting, authentication, file storage, serverless functions. Location: eu-west-2 (London, UK)
  • Vercel Inc. Purpose: web application hosting, CDN, serverless compute. Location: EU edge network

The Processor shall inform the Controller of any intended changes to Sub-Processors, giving the Controller the opportunity to object. Both Sub-Processors operate under GDPR-compliant agreements with appropriate technical and organisational safeguards.

6. International Transfers

Personal Data at rest is stored within the United Kingdom (AWS eu-west-2, London); the processing location of each Sub-Processor is set out in Section 5. The Processor does not transfer Personal Data outside the UK unless required to do so by law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such disclosure.

Where Sub-Processor parent companies are based outside the UK (Supabase Inc. and Vercel Inc. are US-incorporated), appropriate safeguards are in place including Standard Contractual Clauses and the UK International Data Transfer Agreement (IDTA) where applicable. Data at rest remains in the UK.

7. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 of UK GDPR, including:
    • The nature of the breach including categories and approximate number of data subjects affected
    • The likely consequences of the breach
    • The measures taken or proposed to address the breach
  • Cooperate with the Controller and take reasonable steps to assist in the investigation and mitigation of the breach
  • Not inform any third party of the breach without the Controller's prior approval, unless required by law

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests under Chapter III of UK GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20) — supported via CSV/Excel export

The Controller may fulfil most data subject requests directly through the platform's export and management features. For requests requiring Processor action, the Processor shall respond within 5 working days.

9. Data Retention & Deletion

Upon termination of the Service agreement:

  • The Controller may export all data within 30 days of termination
  • After the 30-day export period, data will be retained in accordance with applicable healthcare record-keeping requirements (8 years for adult health records per NHS Records Management Code of Practice)
  • Following the retention period, all Personal Data will be permanently and irreversibly deleted from all systems including backups
  • The Processor shall provide written confirmation of deletion upon request

10. Audit Rights

The Controller has the right to conduct audits (or appoint an independent auditor) to verify the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits, including inspections, conducted by the Controller or an authorised auditor
  • Immediately inform the Controller if, in its opinion, an instruction infringes UK GDPR or other data protection provisions

Audits shall be conducted with reasonable notice (minimum 14 days) and shall not unreasonably disrupt the Processor's operations.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12. Contact

For DPA-related enquiries, to request a signed copy, or to report a data protection concern: [email protected]

See also: Privacy Policy · Security Overview · Terms of Service