Data Processing Agreement (DPA)

This DPA sets out the obligations of both parties regarding the processing of Personal Data in connection with the Services. It is designed to ensure full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable healthcare data protection standards.

The Customer is the Data Controller and BodySync AI Ltd is the Data Processor. BodySync will only process Personal Data on behalf of the Customer and in accordance with the Customer's documented instructions.

Full details of the processing activities are set out in Appendix 1.

The Services involve the processing of Special Category Data (health data).

BodySync applies robust pseudonymisation safeguards by separating patient identifiers from clinical content before any AI processing. BodySync processes only the minimum data necessary and does not attempt to re-identify data.

The Customer acknowledges that all outputs generated by the Services constitute AI-assisted guidance only. Full clinical responsibility and accountability for all patient care remains solely with the Customer's qualified healthcare professionals.

The Customer warrants that it has a valid lawful basis for processing (including Article 9 UK GDPR where applicable) and the right to transfer Personal Data to BodySync for the purposes outlined in this DPA.

BodySync undertakes to:

• Process Personal Data only on documented instructions from the Customer;
• Implement and maintain appropriate technical and organisational measures (see Appendix 2);
• Ensure all personnel are bound by confidentiality obligations and receive regular training;
• Notify the Customer of any Personal Data Breach without undue delay and within 48 hours;
• Assist the Customer with Data Subject Rights and compliance requests (at the Customer's reasonable expense);
• Maintain records of processing activities as required by law.

BodySync operates a strict multi-tenant architecture with logical data segregation between clinics. Access to Customer data by BodySync personnel is strictly limited, requires explicit consent for support purposes, and is fully logged.

BodySync does not use Customer Personal Data to train general AI models.

BodySync uses the Sub-processors listed in Appendix 3. The Customer provides general authorisation for these Sub-processors. BodySync remains fully liable for their compliance.

BodySync primarily uses UK and EEA-based cloud regions. Any international transfers are protected by appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) and Transfer Risk Assessments.

The Customer may request reasonable information to demonstrate BodySync's compliance with this DPA. Audits may be conducted upon reasonable notice.

Upon termination of the Services and at the Customer's request, BodySync will securely delete or return all Personal Data, subject to any legal retention requirements.

This DPA is governed by the laws of England and Wales.