Clinosa trust pack

Data Processing Addendum Template

Last updated 5 July 2026. This template is intended for UK veterinary clinics evaluating Clinosa. It is not a signed agreement, final legal advice, or a replacement for the customer agreement.

Contract Details

Processor: Clinosa Ltd
Controller: The veterinary clinic subscribing to Clinosa.
Jurisdiction: Registered in England and Wales
Privacy contact: [email protected]

Company number and registered office must be confirmed before the first signed customer.

1. Parties and roles

The clinic using Clinosa is the controller for clinic-owned client, patient, appointment, invoice, communication, and clinical records. Clinosa Ltd acts as processor for those records and processes them only to provide, secure, support, and improve the contracted service. Clinosa acts as controller for its own sales, account, security, support, and billing records.

2. Subject matter and duration

The processing covers the provision of Clinosa's veterinary practice-management, public website, booking, portal, payment, messaging, automation, reporting, and support services for the duration of the customer agreement and any agreed exit-assistance period.

3. Categories of data

Data may include staff account data, clinic profile data, pet-owner contact details, patient and appointment data, clinical notes, intake answers, invoices, payment references, consent records, service-message logs, audit events, support requests, and security telemetry.

4. Processing instructions

Clinosa processes clinic personal data according to the contract, documented product configuration, support instructions, and lawful instructions received from the clinic. Clinosa will notify the clinic if an instruction appears to conflict with applicable data-protection law.

5. Security measures

Clinosa uses backend-mediated access to application data, clinic-scoped authorization checks, encrypted transport, scoped secrets, audit trails, rate limiting, operational health checks, backup discipline, and least-privilege access for production support.

6. International transfers

Some subprocessors may process data outside the UK. Clinosa will use appropriate transfer safeguards, contractual controls, and vendor review before relying on a subprocessor for production customer data.

7. Breach notification

Clinosa will notify the clinic without undue delay after becoming aware of a personal-data breach affecting clinic-controlled data. The notice should include the known nature of the incident, affected systems or data categories, likely consequences, mitigation already taken, and the contact path for follow-up.

8. Assistance with rights requests

Clinosa will provide reasonable assistance for access, correction, deletion, restriction, portability, objection, and complaint handling where the request relates to clinic-controlled data processed in Clinosa.

9. Deletion and return on exit

On termination or written exit instruction, Clinosa will return or export available clinic data in an agreed format and delete or anonymise remaining processor copies unless retention is required for legal, audit, security, billing, or dispute-resolution purposes.

10. Audit and evidence

Clinosa will maintain operational evidence for relevant security, availability, backup, subprocessor, and privacy-request controls. Customer audit rights should be handled through a reasonable written request and scoped to the services used by the clinic.

Authorised Subprocessors

Subprocessor: Purpose
Supabase: PostgreSQL database, authentication, storage, and related managed platform services.
Stripe: Card payment processing, payment-intent references, refunds, receipts, and billing metadata.
Twilio: SMS and messaging infrastructure for service communications where enabled by the clinic.
Resend: Transactional email delivery for booking, portal, billing, and operational service messages.
Production VPS host: Application runtime, reverse proxy, Docker networking, and production availability infrastructure.

Legal Review Status

This DPA is a starting template. Before first signature, it must be reviewed with the final customer agreement, company details, subprocessor register, transfer safeguards, liability terms, and applicable UK GDPR obligations.