Data processing agreement

Last updated: 15 May 2026

Summary (non-binding)

  • Clerkfolio acts as a data processor when processing personal data on behalf of an institutional customer (the controller). For individual consumer sign-ups, Clerkfolio is itself the data controller - see the Privacy policy.
  • Data is stored in Supabase eu-west-2 (London, UK). Subprocessors are listed at /subprocessors. US subprocessors (Resend, Vercel) participate in the UK International Data Transfer Agreement or the EU-US Data Privacy Framework.
  • Clerkfolio will process personal data only on documented instructions from the controller, maintain appropriate technical and organisational security measures, and assist with data subject rights requests.
  • Security incidents affecting personal data will be notified to the controller without undue delay and within 72 hours of becoming aware.
  • On termination, personal data will be returned or deleted at the controller's request within 30 days, unless retention is required by law.

This summary is for convenience only. The full agreement below governs. For enterprise DPA requests, contact admin@clerkfolio.co.uk.

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Controller: the organisation or individual named in the Clerkfolio account or service agreement (“Controller” or “Customer”); and
  • Data Processor: Clerkfolio Ltd, a company registered in England and Wales (“Processor” or “Clerkfolio”).

This DPA forms part of the Terms of Service between the parties. Where there is a conflict between this DPA and the Terms of Service on data protection matters, this DPA prevails.

2. Subject matter, duration, nature, and purpose

Clerkfolio provides a web application that allows medical students, foundation doctors, and other healthcare trainees to organise, store, and export their personal portfolio records, anonymised case notes, evidence files, specialty trackers, and related training material.

The processing is carried out for the duration of the agreement between the parties and for such further period as is reasonably necessary to comply with legal obligations or to complete the return or deletion of data as described in section 12.

The nature of the processing includes: collection, storage, retrieval, display, export, backup, transmission, and deletion of personal data via the Clerkfolio platform.

3. Data subject categories

The data subjects are:

  • Medical students, foundation doctors, specialty trainees, and other healthcare professionals who use Clerkfolio as end users; and
  • Where applicable, supervisors, verifiers, or other individuals whose details are entered by users in connection with their portfolio (e.g. name of a supervisor referenced in an entry).

4. Personal data categories

The personal data processed may include:

  • Identity and contact data: name, email address (including .ac.uk or NHS institutional addresses), career stage.
  • Account and authentication data: hashed passwords, session tokens, subscription tier, onboarding status.
  • Portfolio content: entries, notes, reflections, case titles, clinical areas, specialty tags, competency themes, dates, and evidence file metadata.
  • Special category data (Article 9 UK GDPR): anonymised case diary entries may incidentally contain information relating to the health of third parties (patients). Clerkfolio is designed for anonymised records only; users must not enter patient-identifiable data. To the extent that health-related information is processed, the lawful basis under Article 9(2)(a) UK GDPR is the explicit consent of the data subject (the Clerkfolio user) given at account registration and confirmed by the Terms of Service.
  • Payment data: Stripe customer ID, subscription status. Card data is processed by Stripe directly and is not stored by Clerkfolio.
  • Technical data: IP address hashes, session fingerprints, browser/device metadata.

5. Controller obligations

The Controller shall:

  • Ensure it has a lawful basis under UK GDPR for instructing Clerkfolio to process personal data.
  • Provide data subjects with any required notice of the processing, including reference to Clerkfolio as a processor.
  • Comply with applicable data protection law in relation to its instructions to Clerkfolio.
  • Notify Clerkfolio promptly of any changes to instructions or applicable requirements.
  • Ensure that users of the platform (where the Controller manages accounts) are notified of and comply with the prohibition on entering patient-identifiable data.

6. Processor obligations

Clerkfolio shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by law, in which case Clerkfolio shall inform the Controller of that legal requirement beforehand unless prohibited from doing so.
  • Ensure that persons authorised to process personal data are subject to a duty of confidentiality.
  • Implement the technical and organisational security measures described in section 9 and at clerkfolio.co.uk/security.
  • Assist the Controller with its obligations in respect of data subject rights requests, data protection impact assessments, and prior consultation where required.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA, subject to any confidentiality obligations and upon reasonable notice.
  • Promptly inform the Controller if, in Clerkfolio's opinion, any instruction infringes applicable data protection law.

7. Subprocessors

The Controller grants general written authorisation for Clerkfolio to engage the subprocessors listed at clerkfolio.co.uk/subprocessors, as updated from time to time.

Clerkfolio will notify the Controller of any intended changes to subprocessors by email to the account contact address at least 30 days before the change takes effect. The Controller may object to any new subprocessor by contacting admin@clerkfolio.co.uk within that notice period. If the parties cannot resolve a reasonable objection, the Controller may terminate the agreement on written notice.

Clerkfolio imposes data protection obligations on each subprocessor equivalent to those in this DPA and remains liable to the Controller for any failure by a subprocessor to meet those obligations.

8. International transfers

Core application data and evidence files are stored in Supabase eu-west-2 (London, UK). Some subprocessors are based in or transfer data to the United States:

  • Resend (email delivery): participates in the EU-US Data Privacy Framework and has executed a UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as applicable.
  • Vercel (hosting infrastructure): participates in the EU-US Data Privacy Framework. Production deployments are served from the London region (lhr1). Limited personal data (e.g. request logs) may be processed in the US.

Transfers to the United States rely on adequacy decisions, the UK IDTA, SCCs, or the Data Privacy Framework as applicable to each processor. See the subprocessors page for links to each provider's transfer safeguards.

9. Security measures

Clerkfolio implements the following technical and organisational security measures, described in detail at clerkfolio.co.uk/security:

  • Encryption at rest (Supabase eu-west-2 managed encryption) and in transit (HTTPS/TLS).
  • Row-level security (RLS) on all database tables - users can only access their own data.
  • Authentication via Supabase Auth with PKCE; session management with expiry and revocation.
  • Hashed PINs for share links; hashed IP addresses for share access audit logs.
  • Rate limiting on public endpoints via Upstash Redis.
  • CSRF origin validation on state-changing API routes.
  • File type validation and malware scan status tracking for evidence uploads.
  • Soft-delete only; data is not immediately purged on user-initiated deletion.
  • Security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy).

10. Audit rights

Clerkfolio shall, upon reasonable written request and at the Controller's cost, provide the Controller with all information necessary to demonstrate compliance with the obligations set out in this DPA. Where the Controller wishes to conduct an audit or inspection, the parties shall agree the scope, timing, and confidentiality obligations in advance. Clerkfolio may satisfy audit requests by providing third-party audit reports or certifications where available.

11. Personal data breach notification

Clerkfolio shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification will include, to the extent available at the time:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
  • The name and contact details of the data protection contact at Clerkfolio.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach.

Notification should be sent to the contact address on the Controller's account. The Controller remains responsible for notifying the ICO and affected data subjects as required by applicable law.

12. Return and deletion of data

Upon termination of the agreement, or on written request, Clerkfolio shall at the Controller's choice:

  • Return personal data to the Controller in a machine-readable format within 30 days; or
  • Securely delete all personal data and confirm deletion in writing within 30 days,

unless Clerkfolio is required by applicable law to retain some or all of the personal data. In that case, Clerkfolio shall inform the Controller of the legal requirement and the categories of data retained. Backups may take up to a further 30 days to purge.

13. Governing law

This DPA is governed by the laws of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless the parties agree otherwise in writing.

14. Contact

Data protection and DPA queries should be directed to admin@clerkfolio.co.uk. For enterprise DPA negotiations, please contact the same address to arrange a signed bilateral agreement.