Data Processing Agreement
Last updated: 6 April 2026 · UK GDPR Article 28 compliant
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: the care home or organisation that has subscribed to CareSentinel (“the Organisation”).
- Data Processor: Kevin Jager trading as Pin High Media, the operator of CareSentinel (“we”, “us”, “CareSentinel”).
This DPA forms part of, and is incorporated into, the Terms of Service between the parties. In the event of a conflict, this DPA takes precedence with respect to data protection matters.
2. Subject Matter and Duration
This DPA governs the processing of personal data by CareSentinel on behalf of the Organisation for the purpose of providing the CareSentinel health and safety compliance management service.
This DPA is effective from the date the Organisation first uses the Service and remains in force until the earlier of: termination of the subscription; or deletion of all personal data following termination.
3. Nature and Purpose of Processing
CareSentinel processes personal data on behalf of the Organisation for the following purposes:
- Storing and retrieving health and safety records entered by the Organisation's staff.
- Sending automated compliance alerts and notifications to users designated by the Organisation.
- Providing audit trails and activity logs for regulatory purposes.
- Generating compliance reports on behalf of the Organisation.
We process personal data only on the documented instructions of the Organisation (as expressed through use of the Service features) and do not process data for our own purposes beyond what is necessary to provide the Service.
4. Categories of Personal Data
The following categories of personal data are processed under this DPA:
- Identity data: staff full names.
- Contact data: staff email addresses.
- Employment data: job titles, departments, roles within the organisation.
- Training records: training course names, completion dates, expiry dates, training status.
- Incident data: incident descriptions, dates, locations, persons involved, injury details, investigation notes, RIDDOR reportable information.
- DBS / safeguarding data: DBS check status, issue dates, expiry dates (where entered by the Organisation).
- Activity log data: user actions and timestamps for audit trail purposes.
5. Categories of Data Subjects
The personal data processed relates to the following categories of data subjects:
- Organisation staff, employees, and volunteers.
- Members and participants of the Organisation, where their details are included in incident or safeguarding records.
- Third-party contractors, where their details are included in maintenance or inspection records.
6. Processor Obligations
CareSentinel agrees to:
- Process personal data only on the Organisation's documented instructions, unless required by law to do otherwise.
- Ensure that all personnel with access to personal data are subject to appropriate confidentiality obligations.
- Implement the technical and organisational security measures described in Section 9 of this DPA.
- Not engage sub-processors without the Organisation's prior general or specific written authorisation (general authorisation is given in Section 7 below).
- Assist the Organisation in responding to data subject rights requests under UK GDPR Articles 15–22.
- Notify the Organisation without undue delay upon becoming aware of a personal data breach affecting the Organisation's data.
- At the Organisation's choice, delete or return all personal data on termination of the Service.
- Provide the Organisation with all information necessary to demonstrate compliance with this DPA.
7. Sub-Processors
The Organisation provides general authorisation for CareSentinel to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, and file storage | EU West (Ireland) |
| Vercel Inc. | Application hosting and content delivery | EU region (where available) |
| Anthropic PBC | AI assistant features (where enabled) | United States (SCCs apply) |
We will notify the Organisation of any intended changes to sub-processors by updating this DPA. The Organisation may object to such changes within 30 days of the update; if no objection is received, the change is deemed accepted.
8. Data Subject Rights Assistance
CareSentinel will provide reasonable technical assistance to help the Organisation fulfil its obligations to respond to data subject requests. This includes:
- Providing data export functionality so the Organisation can respond to access requests.
- Enabling deletion of individual user records where instructed by the Organisation.
- Providing audit logs to assist with accountability obligations.
The Organisation, as Data Controller, remains responsible for handling all data subject requests in accordance with UK GDPR.
9. Security Measures
CareSentinel implements the following technical and organisational security measures:
- Encryption at rest: all data stored in Supabase is encrypted using AES-256.
- Encryption in transit: all data transmitted between clients and servers uses TLS 1.2 or higher (HTTPS).
- Access controls: row-level security (RLS) policies enforce strict data isolation between organisations. Users can only access data belonging to their own organisation.
- Authentication: secure password hashing via bcrypt; support for strong password policies.
- Role-based access: user permissions within an organisation are controlled by role (admin, manager, H&S officer, staff).
- Audit logging: all material changes to data are logged with user identity and timestamp.
- Backup: automatic daily backups maintained by Supabase with point-in-time recovery.
- Vulnerability management: dependencies are monitored and updated regularly.
10. Data Breach Notification
In the event of a personal data breach affecting the Organisation's data, CareSentinel will:
- Notify the Organisation without undue delay, and in any event within 72 hours of becoming aware of the breach, so that the Organisation can meet its own 72-hour deadline to notify the ICO.
- Provide details of the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences.
- Describe the measures taken or proposed to address the breach and mitigate its effects.
The Organisation remains responsible for notifying the ICO and affected data subjects in accordance with UK GDPR Articles 33 and 34.
11. Data Deletion on Termination
Upon termination of the subscription for any reason:
- The Organisation's data will remain accessible for 30 days to allow export.
- After 30 days, all personal data will be permanently and irreversibly deleted from production systems.
- Backup copies may persist for up to 90 days before being purged from backup systems.
- We will provide written confirmation of deletion upon request.
12. Audit Rights
The Organisation may, with at least 30 days' written notice and no more than once per calendar year, request an audit of CareSentinel's data processing activities relevant to this DPA. We may satisfy audit requests by:
- Providing up-to-date certifications or third-party audit reports.
- Responding to reasonable written questionnaires.
- Facilitating an on-site audit at a mutually agreed time (costs to be borne by the Organisation).
13. International Transfers
Where personal data is transferred to a country outside the UK/EEA (for example, to Anthropic in the United States where AI assistant features are enabled), such transfers are made subject to appropriate safeguards under UK GDPR Article 46: the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) together with the UK Addendum, as applicable.
14. Governing Law
This DPA is governed by the laws of England and Wales. Disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
