Data Processing Agreement (DPA) & Standard Contractual Clauses (SCCs)

Effective date: 2026-01-01

GleamConnect – Data Processing Agreement (DPA)

Last updated: 10 February 2026

Processor: Nina Marketing Ltd (Company No. 765056)

8 Moylaragh Lane, Balbriggan, Dublin, K32 T044, Ireland

Privacy contact: privacy@gleamconnect.com


This Data Processing Agreement (“DPA”) forms part of the agreement between the Clinic (the “Controller”) and Nina Marketing Ltd, the operator of the GleamConnect platform (the “Processor”).

This DPA applies to processing of Personal Data by the Processor on behalf of the Controller in connection with the Services. It is intended to meet the requirements of GDPR Article 28 and related provisions.

1. Definitions

“Applicable Data Protection Laws” means GDPR and any applicable implementing laws and regulations.
“Controller”, “Processor”, “Personal Data”, “Special Category Data”, “Processing”, “Personal Data Breach” have the meanings given in GDPR.
“Sub-processor” means any third party engaged by Processor to process Personal Data on behalf of Controller.

2. Roles and Scope

Controller determines the purposes and means of Processing Personal Data. Processor processes Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.

3. Processor Obligations (GDPR Article 28)

3.1 Confidentiality

Processor will ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2 Security (Article 32)

Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II (TOMs).

3.3 Sub-processing

Controller grants Processor general authorisation to engage Sub-processors listed in Annex III. Processor will impose data protection obligations on Sub-processors that are no less protective than those in this DPA and remains fully responsible for their performance.

3.4 Assistance to Controller

Processor will assist Controller, taking into account the nature of processing, by appropriate technical and organisational measures insofar as possible, for the fulfilment of Controller’s obligation to respond to requests for exercising data subject rights.
Processor will also assist Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and information available to Processor.

3.5 Breach Notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting the Personal Data processed under this DPA, and will provide information reasonably required by Controller to meet its notification obligations.

3.6 Deletion or Return

At the choice of Controller, Processor will delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage.

3.7 Audits

Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to reasonable confidentiality and security requirements.

4. Controller Obligations

Controller is responsible for:
(a) establishing a lawful basis for processing, including for Special Category Data where applicable;
(b) providing required notices to data subjects;
(c) ensuring accuracy, minimisation, and storage limitation consistent with legal obligations;
(d) configuring access controls and ensuring Staff are authorised; and
(e) responding to data subject requests and regulatory queries.

5. International Transfers

Where Processing involves transfers of Personal Data outside the EEA, Processor will ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures where required.

6. AI Features and Special Category Data

Where Controller enables AI-assisted features that process Personal Data, such processing remains under Controller’s instructions. AI outputs are assistive only and require human review. Processor does not use identifiable patient data to train general models for unrelated purposes.
Controller remains responsible for the lawful basis and appropriate safeguards for Special Category Data.

7. Liability and Precedence

Liability under this DPA is subject to the main agreement between the parties. If there is a conflict between this DPA and other terms, this DPA prevails to the extent of the conflict regarding Processing.

8. Governing Law

This DPA is governed by Irish law. The courts of Ireland have jurisdiction, subject to mandatory provisions of applicable data protection law.

Annex I – Details of Processing

Subject-matter: Provision of clinic management SaaS, including bookings, staff operations, client records, communications, analytics and support.

Duration: For the term of the Services, plus backup retention and any lawful retention obligations.

Nature of processing: Collection, storage, organisation, consultation, use, disclosure by transmission (within clinic), and deletion/return.

Purpose: Operate the Services and provide requested functionality; security; support.

Categories of data subjects: Clinic clients/patients; clinic staff/contractors; clinic administrators.

Types of personal data: Identity/contact; booking details; service selections; notes; attachments; address (if collected); device/log data.

Special category data: Health-related intake information and contraindications where entered by Controller.

Annex II – Technical and Organisational Measures (TOMs)

Processor maintains a security program designed to protect the confidentiality, integrity, and availability of Personal Data, including measures such as:

Encryption in transit using TLS for network communications.

Access controls: role-based access, least privilege, and separation of duties.

Authentication protections (including support for MFA where enabled).

Audit logging for administrative actions and key data access paths.

Secure secrets management and environment configuration controls.

Vulnerability management and security patching processes.

Backups and disaster recovery procedures with controlled access.

Monitoring and alerting for suspicious activity and operational anomalies.

Incident response plan including breach assessment and notification workflows.

Data minimisation and privacy-by-design practices in feature development.

Annex III – Approved Sub-processors

Sub-processor and service/purpose:

Amazon Web Services (AWS): Hosting, compute, storage, networking, logging.

MongoDB: Database services (managed hosting or software services as configured).

Stripe: Payment processing and billing.

Resend: Transactional email delivery.

Vercel: Web hosting and deployment (official website and/or web apps).

Firebase: Notifications/messaging (push notifications and related services, when enabled).

Processor may update Sub-processors over time. Where required, Processor will provide notice of material changes and maintain contractual protections with Sub-processors.