More Days Studio

Data Processing Agreement (DPA)

Data processing agreement for care home clients

Version 1.1 | Effective Date: 1 April 2025

This Data Processing Agreement ("Agreement") is entered into between More Days Limited, 120 Cavendish Place, Eastbourne, East Sussex BN21 3TZ ("Processor"), and the organisation that initiates a More Days Studio account registration ("Customer" or "Controller").

1. Background

This Agreement governs how More Days Limited processes personal data on behalf of the Customer in connection with the Customer's use of the More Days Studio platform.

2. Acceptance and incorporation

By submitting a request to create a More Days Studio account, the Customer confirms that it has reviewed and agrees to be bound by this Data Processing Agreement. This Agreement is incorporated into and forms part of the More Days Studio Terms of Use.

Automatic Acceptance: Account registration constitutes acceptance of this DPA.

3. Purpose and scope of processing

The Processor provides a digital platform to support activity planning and wellbeing monitoring in care environments. Processing is limited to what is necessary to deliver this service.

| Element | Details |
| --- | --- |
| Subject matter | Digital wellbeing tools |
| Duration | Duration of the Customer's use of the platform |
| Data subjects | Care home staff, residents, authorised family members |
| Categories of data | Names, contact details, wellbeing notes, login/access logs |
| Special category data | Resident health and cognitive wellbeing observations |

4. Obligations of the processor

The Processor shall:

  • Process personal data only on documented instructions from the Customer
  • Maintain confidentiality and ensure staff are trained in data protection
  • Implement appropriate security measures in line with Article 32 UK GDPR
  • Notify the Customer of personal data breaches without undue delay
  • Assist the Customer with data subject rights, security, and compliance
  • Maintain processing records and submit to audits if reasonably requested
  • Ensure all subprocessors are subject to equivalent data protection terms

5. Subprocessing

The Customer authorises the Processor to use subprocessors as reasonably necessary to deliver the service. A current list of subprocessors is available upon request by emailing talktous@moredays.co.uk. The Processor remains fully liable for subprocessors' compliance.

Full Liability: More Days Limited remains fully responsible for all subprocessor compliance with data protection requirements.

6. International data transfers

The Processor will ensure personal data is hosted in the UK or EEA. Where transfers outside these regions occur, appropriate safeguards (e.g. SCCs or IDTA) will apply.

Data Location: Primary hosting in UK/EEA with appropriate safeguards for any transfers outside these regions.

7. Termination and data handling

Upon termination of the Customer's use of the platform, the Processor will delete or return all personal data unless retention is required by law. The Processor may retain and use anonymised, non-identifiable data for analytical and service improvement purposes.

Data Deletion: Personal data deleted upon termination unless legal retention is required. Anonymised data may be retained for service improvement.

8. Controller responsibilities

The Customer confirms it will:

  • Act as the data controller for all personal data input into the platform
  • Have a lawful basis for processing resident and staff data
  • Inform residents and families of the use of More Days Studio as part of its care delivery
  • Limit data entry to only what is necessary, proportionate, and lawful

9. Audit rights

The Customer may request a summary of security and compliance documentation once per year or in response to a material security or privacy incident.

Audit Frequency: Annual documentation requests or incident-related audits available upon reasonable request.

10. Governing law

This Agreement is governed by and construed in accordance with the laws of England and Wales.

Schedule 1: Approved Subprocessors

| Subprocessor | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| Bubble.io | Platform builder and web hosting | United States | Standard Contractual Clauses (SCCs) |
| Amazon Web Services (AWS) | Infrastructure and data hosting | EU/EEA (Ireland) | SOC 2 Type II, ISO 27001 |
| Google Analytics | Analytics and usage monitoring | United States | Consent-based, IP anonymisation, SCCs |

We may update this list as we onboard additional providers. Customers may request an up-to-date list or raise objections to new subprocessors by emailing talktous@moredays.co.uk.

Schedule 2: Technical and Organisational Measures (TOMs)

Version: 1.0 | Date: 1 April 2025

This Annex describes the technical and organisational measures implemented by More Days Limited in accordance with Article 32 of the UK GDPR.

1. Access control and authentication

  • Unique user accounts for platform access
  • Role-based access permissions for staff, care home administrators, and family users
  • Secure login sessions with token-based authentication
  • Session expiration and idle timeout controls
  • Staff and admin access is logged and auditable

2. Data encryption

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for data at rest on AWS-hosted infrastructure via Bubble.io
  • Encryption keys managed securely in accordance with industry best practice

3. Hosting and infrastructure security

  • Hosting on Amazon Web Services (AWS) in the EU/EEA (Ireland region)
  • AWS is SOC 2 Type II and ISO 27001 certified
  • Bubble.io (US-based) used as the application builder; protected via SCCs

4. Data backup and recovery

  • Automated daily backups
  • Secure offsite storage within EEA
  • Periodic restoration testing

5. Monitoring and logging

  • Application-level logging of user actions and access events
  • Anomaly detection and audit logs retained for a minimum of 12 months
  • Logs protected against tampering and reviewed as part of incident response

6. Staff training and confidentiality

  • All More Days personnel receive mandatory GDPR and information security training
  • Access to personal data restricted to authorised staff only
  • Confidentiality agreements in place for all personnel with access to data

7. Data minimisation and privacy by design

  • Platform designed to collect only necessary data for care coordination
  • Resident access to data is controlled and scoped by care home permissions
  • No unnecessary sharing or exposure of special category data

8. Incident response

  • Incident detection and internal reporting procedures in place
  • Personal data breaches reported to Customer without undue delay and within 72 hours
  • Root cause analysis conducted after each incident

9. Third-party management

  • Subprocessor due diligence and contractual safeguards in place
  • Standard Contractual Clauses (SCCs) used for subprocessors outside the UK/EEA
  • Subprocessor list maintained and available to Customers on request

10. Certifications and compliance

  • Cyber Essentials — valid certification held
  • Ongoing internal compliance reviews

DPA queries and compliance

For DPA queries, subprocessor information, or compliance documentation:

talktous@moredays.co.uk

© 2026 More Days Studio