Clinosa trust pack
Data Processing Addendum Template
Last updated 5 July 2026. This template is intended for UK veterinary clinics evaluating Clinosa. It is not signed, is not final legal advice, and does not replace the customer agreement.
Contract Details
- Processor: Clinosa Ltd
- Controller: The veterinary clinic subscribing to Clinosa.
- Jurisdiction: Registered in England and Wales
- Privacy contact: [email protected]
Company number and registered office must be confirmed before the first signed customer.
1. Parties and roles
The clinic using Clinosa is the controller for clinic-owned client, patient, appointment, invoice, communication, and clinical records. Clinosa Ltd acts as processor for those records and processes them only to provide, secure, support, and improve the contracted service. Clinosa acts as controller for its own sales, account, security, support, and billing records.
2. Subject matter and duration
The processing covers the provision of Clinosa's veterinary practice-management, public website, booking, portal, payment, messaging, automation, reporting, and support services for the duration of the customer agreement and any agreed exit-assistance period.
3. Categories of data
Data may include staff account data, clinic profile data, pet-owner contact details, patient and appointment data, clinical notes, intake answers, invoices, payment references, consent records, service-message logs, audit events, support requests, and security telemetry.
4. Processing instructions
Clinosa processes clinic personal data according to the contract, documented product configuration, support instructions, and lawful instructions received from the clinic. Clinosa will notify the clinic if an instruction appears to conflict with applicable data-protection law.
5. Security measures
Clinosa uses backend-mediated access to application data, clinic-scoped authorization checks, encrypted transport, scoped secrets, audit trails, rate limiting, operational health checks, backup discipline, and least-privilege access for production support.
6. International transfers
Some subprocessors may process data outside the UK. Clinosa will use appropriate transfer safeguards, contractual controls, and vendor review before relying on a subprocessor for production customer data.
7. Breach notification
Clinosa will notify the clinic without undue delay after becoming aware of a personal-data breach affecting clinic-controlled data. The notice should include the known nature of the incident, affected systems or data categories, likely consequences, mitigation already taken, and the contact path for follow-up.
8. Assistance with rights requests
Clinosa will provide reasonable assistance for access, correction, deletion, restriction, portability, objection, and complaint handling where the request relates to clinic-controlled data processed in Clinosa.
9. Deletion and return on exit
On termination or written exit instruction, Clinosa will return or export available clinic data in an agreed format and delete or anonymise remaining processor copies unless retention is required for legal, audit, security, billing, or dispute-resolution purposes.
10. Audit and evidence
Clinosa will maintain operational evidence for relevant security, availability, backup, subprocessor, and privacy-request controls. Customer audit rights should be handled through a reasonable written request and scoped to the services used by the clinic.
Authorised Subprocessors
| Subprocessor | Purpose |
|---|---|
| Supabase | PostgreSQL database, authentication, storage, and related managed platform services. |
| Stripe | Card payment processing, payment-intent references, refunds, receipts, and billing metadata. |
| Twilio | SMS and messaging infrastructure for service communications where enabled by the clinic. |
| Resend | Transactional email delivery for booking, portal, billing, and operational service messages. |
| Production VPS host | Application runtime, reverse proxy, Docker networking, and production availability infrastructure. |
Legal Review Status
This DPA is a starting template. Before first signature, it must be reviewed with the final customer agreement, company details, subprocessor register, transfer safeguards, liability terms, and applicable UK GDPR obligations.