GleamConnect logoGLEAMCONNECT

GleamConnect Data Processing Agreement (DPA)

Effective date: 18 April 2026Version: dpa-2026-04-18Article 28 GDPR data processing terms for clinic customers using GleamConnect.

GleamConnect Data Processing Agreement (DPA)

Provider: Gleam Connect Ltd
Company number: [insert after incorporation]
Registered office: [insert registered office]
Country of incorporation: Ireland
Primary contacts: legal@gleamconnect.com | privacy@gleamconnect.com | support@gleamconnect.com
Last updated: 18 April 2026
Status: Draft legal pack for implementation and external solicitor review before production launch

This DPA forms part of the agreement between the clinic customer identified in the applicable order form or signup flow (Controller) and Gleam Connect Ltd (Processor).

This DPA applies where Processor processes personal data on behalf of Controller in connection with the services and is intended to satisfy Article 28 GDPR and related requirements.

1. Definitions

Terms such as controller, processor, personal data, processing, special category data, data subject, and personal data breach have the meanings given in the GDPR unless otherwise defined here.

2. Subject matter, duration, and scope

Processor will process personal data only to provide the services, support them, secure them, maintain them, and otherwise perform obligations under the main agreement and Controller’s documented instructions.

Processing continues for the duration of the services and any limited post-termination period necessary for export, deletion, restricted archive retention, legal hold, or legally required retention.

3. Nature and purpose of processing

The processing includes collection, recording, organisation, storage, adaptation, retrieval, consultation, transmission, pseudonymisation, deletion, restriction, archive handling, and other operations necessary to operate the clinic management platform.

Purposes include booking administration, account management, intake capture, clinic workflow support, messaging, analytics, document generation, security operations, archive governance, and related support.

4. Categories of data and data subjects

4.1 Data subjects

  • clinic owners, managers, administrators, and staff;
  • patients, clients, customers, leads, and booking users;
  • support requesters and other authorised users.

4.2 Categories of personal data

  • names, contact information, account identifiers, login data;
  • booking and appointment information;
  • payment and billing references;
  • support communications;
  • clinic-entered notes and files;
  • intake and consent information;
  • health-related information or other special category data where submitted by Controller.

5. Controller obligations

Controller is responsible for:

  • ensuring a lawful basis and, where required, an Article 9 condition for special category data;
  • issuing legally adequate privacy notices;
  • obtaining any required consents;
  • ensuring the accuracy, quality, and lawfulness of instructions and uploaded data;
  • using the services in compliance with applicable law;
  • determining retention periods required by its own professional, insurer, and regulatory obligations.

6. Processor obligations

Processor shall:

  • process personal data only on documented instructions from Controller unless required otherwise by law;
  • ensure persons authorised to process personal data are bound by confidentiality;
  • implement appropriate technical and organisational measures;
  • assist Controller, taking into account the nature of processing, with data subject rights requests where reasonably practicable;
  • assist Controller with security, breach response, DPIA support, and consultation obligations where reasonably practicable and proportionate;
  • notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data;
  • delete or return personal data at the end of the provision of services, subject to restricted archive retention, backup cycles, legal holds, and legal obligations.

7. Security measures

Processor implements technical and organisational measures appropriate to the risk, including measures relating to:

  • least-privilege access controls;
  • environment and tenant separation;
  • encryption in transit and encryption at rest where applicable;
  • authentication and credential protection;
  • logging and monitoring;
  • vulnerability remediation and patching processes;
  • backup and resilience measures;
  • incident response processes.

A current high-level summary of measures is set out in the security policy and may evolve as the services change.

8. Sub-processors

Controller grants Processor a general authorisation to engage sub-processors for infrastructure, messaging, billing, support, document handling, analytics, and related operational services.

Processor shall:

  • maintain an up-to-date list of material sub-processors;
  • impose data protection obligations on sub-processors that are no less protective than those in this DPA;
  • remain responsible for the performance of sub-processors to the extent required by law.

A current schedule is set out in the Subprocessors and International Transfers Schedule.

9. International transfers

Where Processor or a sub-processor transfers personal data outside the EEA/UK, Processor shall ensure a valid transfer mechanism is used, such as adequacy decisions, standard contractual clauses, or another lawful mechanism.

10. Data subject requests

Taking into account the nature of processing, Processor shall assist Controller through appropriate technical and organisational measures, insofar as possible, for the fulfilment of Controller’s obligation to respond to requests for exercising the data subject’s rights.

If Processor receives a request relating to Controller data directly from a data subject, Processor may:

  • notify the Controller;
  • redirect the requester to the Controller;
  • respond directly only where authorised by Controller or required by law.

11. Personal data breaches

Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data and shall provide available information reasonably necessary to assist Controller in meeting its notification obligations.

Processor’s notice may be phased as information becomes available.

12. Audits and information rights

Processor shall make available to Controller information reasonably necessary to demonstrate compliance with this DPA.

Any audit request must:

  • be reasonable in scope;
  • avoid disruption to other customers or security;
  • be subject to confidentiality protections;
  • not require disclosure of another customer’s information or internal security secrets beyond what is reasonably necessary.

Processor may satisfy audit obligations using current certifications, summaries, reports, policies, or questionnaire responses where appropriate.

13. Return, deletion, archive retention, and legal hold

At the end of the services, Processor shall, at Controller’s choice and where technically practicable, delete or return Controller data, except to the extent Processor is required or permitted to retain restricted copies for:

  • legal compliance;
  • fraud prevention;
  • platform integrity;
  • service security;
  • dispute resolution;
  • establishing, exercising, or defending legal claims;
  • backup restoration cycles;
  • legal hold or regulator direction.

Any retained copies shall:

  • be restricted from normal operational use;
  • remain subject to appropriate safeguards;
  • be access-controlled and logged;
  • be deleted when lawful retention no longer applies.

14. Special category data and high-risk processing

Controller acknowledges that the services may involve special category data where the clinic chooses to process such data. Controller is responsible for ensuring that it is legally entitled to use the services for that processing and for conducting any DPIA or risk assessment required for its own role as controller, except to the extent Processor must support the Controller under Article 28 or Article 32 obligations.

15. Liability and precedence

This DPA is subject to the liability, limitation, and indemnity structure in the main agreement except to the extent applicable law requires otherwise.

If there is a conflict between this DPA and the main agreement regarding processing of personal data, this DPA prevails to the extent of that conflict.

Annex 1 — Processing details

Subject matter: clinic management software and related support services
Duration: subscription term plus limited post-termination export, archive, and legal hold periods
Nature of processing: collection, storage, retrieval, organisation, transmission, deletion, restriction, archive, and security operations
Purpose: operate the services for the Controller and maintain security, integrity, and support
Data subjects: clinic staff, patients, leads, support users
Categories of data: as described above

Annex 2 — Minimum technical and organisational measures

  • role-based access controls
  • secure credential handling
  • HTTPS / TLS for data in transit
  • encryption at rest where applicable
  • event logging and monitoring
  • controlled deployment and change management
  • environment protections and secret management
  • backup and restoration procedures
  • incident response and breach notification workflow
  • archive restriction controls and legal hold governance