| |
Data Processing Terms for Platform Services (Medical AI) | |
Version: v1.0 June 2026
DATA PROCESSING TERMS
FOR
PLATFORM SERVICES
(MEDICAL AI)
1. PRELIMINARIES
1.1. The purpose of these Data Processing Terms is to describe the provisions applicable to the processing and security of the Customer’s Personal Data (defined below).
1.2. In these Data Processing Terms:
|
|
|
|
|
|
| |
|
|
|
|
|
|
1.3. Defined words and phrases used in these Data Processing Terms but not defined above shall have their respective meanings given in the Platform GTCs.
2. CUSTOMER’S PERSONAL DATA AND GROUNDS FOR PROCESSING
2.1. The parties have determined for the purposes of the Data Protection Legislation that:
2.1.1. the Customer is the controller of the Customer’s Personal Data; and
2.1.2. the Supplier shall be a processor of the Customer’s Personal Data when performing the Data Processing Activities.
2.2.1. comply with the Data Protection Legislation;
2.2.2. without prejudice to paragraph 2.2.1, ensure that all Customer’s Personal Data provided or made available to the Supplier (including through the Platform and within Prompts) is provided in compliance with the Data Protection Legislation (including, for the avoidance of doubt, by ensuring that all consents and notices are in place to enable the lawful transfer of the Customer’s Personal Data to the Supplier and, in particular, the conditions under the Data Protection Legislation for processing special category data have been met); and
2.2.3. ensure that all instructions it gives to the Supplier in respect of the Customer’s Personal Data are and shall be lawful and in compliance with the Data Protection Legislation.
2.3. For the purposes of paragraph 2.2.2, the parties wish to record their understanding and expectation that the grounds for processing special category data are:
2.3.1. explicit consent obtained by the Customer; or
2.3.2. the conduct of legal claims or judicial acts.
2.4. The parties agree that the processing of special category data (including as described in the AI Acceptable Use Policy) is necessary for the Purpose of the Platform (being an aid to the production of: (1) medical records summaries; (2) expert reports; (3) indexed and paginated bundles; and (4) chronologies, in each case, for use in legal proceedings) (including to ensure the continued performance and functionality of the Platform).
3.1. The Supplier shall, where it is carrying out Data Processing Activities:
3.1.1. comply with the Data Protection Legislation;
3.1.2. only process the Customer’s Personal Data in accordance with the Customer's documented instructions and, for this purpose, the Customer instructs the Supplier to process the Customer’s Personal Data to the extent and in such manner as is reasonably necessary for:
3.1.2.1. the performance of the Supplier’s obligations under the Agreement;
3.1.2.2. the Purpose of the Platform; or
3.1.2.3. as otherwise required by the Data Protection Legislation;
3.1.3. implement the technical and organisational measures set out in the Security Controls to protect against unauthorised or unlawful processing of Customer’s Personal Data and against accidental loss or destruction of, or damage to, Customer’s Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
3.1.4. ensure that its representatives and Sub-processors are subject to appropriate obligations of confidentiality;
3.1.5. taking into account the nature of the Platform Services, provide reasonable assistance (primarily through self-service access to the Platform) to the Customer, insofar as this is possible and at the Customer's cost, for the fulfilment of the Customer's obligations under the Data Protection Legislation in respect of data security; data breach notification; data protection impact assessments; prior consultation with supervisory authorities; and the fulfilment of data subject's rights;
3.1.6. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer’s Personal Data;
3.1.7. at the Customer's written request, return or delete the Customer’s Personal Data and delete any existing copies of such Customer’s Personal Data in its possession unless required to retain such Customer’s Personal Data under applicable laws; and
3.1.8. maintain records to demonstrate its compliance with these Data Processing Terms.
3.2. The Customer consents to the Supplier engaging the Sub-processors set out in the Sub-processor List and provides its general authorisation to appoint Sub-processors provided that the Supplier complies with paragraphs 3.3 and 3.5.
3.3. The Supplier shall procure that Sub-processors are subject to contractual obligations which are, in all material respects, equivalent to those imposed on the Supplier under these Data Processing Terms.
3.4. The Supplier shall be responsible for the performance of its Sub-processors as described in the Agreement.
3.5. The Supplier will notify (which notice may be by e-mail or through the Platform) the Customer prior to adding a New Sub-processor. If the Customer objects to the Supplier’s use of a New Sub-processor on reasonable grounds that the New Sub-processor is unlikely to be able to comply with the terms of these Data Processing Terms then the Customer shall notify the Supplier promptly in writing within ten (10) days from receipt of the Supplier’s notice. The Customer’s failure to object in writing within such time period shall constitute approval to use the New Sub-processor.
3.6. The Customer acknowledges and agrees that the inability of the Supplier to use a particular New Sub-processor may result in a delay or suspension in the performance of the Platform Services, inability to perform the Platform Services or increased Fees.
3.7. The Supplier shall notify the Customer in writing of any change to Platform Services or Fees that would result from the Supplier’s inability to use a New Sub-processor to which the Customer has objected. The Customer may either execute a written amendment to the Agreement implementing such change or terminate the Agreement provided that such termination by the Customer shall be treated as a termination for convenience and not for breach of the Agreement.
3.8. The Customer acknowledges and agrees that the Customer’s Personal Data may be processed outside the UK, the European Economic Area, or the country where the Customer is located in order to carry out the Platform Services and the Supplier’s other obligations under this Agreement. The Supplier shall implement a data transfer solution to ensure any such transfers are compliant with the Data Protection Legislation.
3.9. The Supplier shall, in respect of the Data Processing Activities, use technical and organisational measures to protect Customer Personal Data stored by the Supplier (to the extent such storage is within the Supplier’s own infrastructure) against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration. The Customer agrees that it is solely responsible for determining whether such technical and organisational measures are appropriate, taking into account the nature, scope, context and purposes of the processing.
3.10. Upon written request, the Supplier shall make available to the Customer such information as is reasonably necessary to demonstrate the Supplier's compliance with its obligations under this paragraph 3.
3.11. The Customer or the Customer's representatives (bound by appropriate obligations of confidentiality) shall, in respect of the Data Processing Activities, have the right to audit and inspect the Supplier’s premises (excluding the premises of third parties or of the Supplier’s Cloud) to ascertain compliance with this paragraph 3, provided such an audit is carried out:
3.11.1. during the Supplier's normal business hours and upon not less than twenty (20) business days’ notice;
3.11.2. not more than once in each Contract Year;
3.11.3. in a manner that causes minimal disruption to the Supplier's business and excludes from its scope any internal pricing information, information relating to other customers of the Supplier or other the Supplier's own internal reports; and
3.11.4. at the Customer's own cost.
3.12. The Data Processing Activities carried out by the Supplier under the Agreement and in connection with the provision of the Platform Services are described as follows:
3.12.1. Subject matter: The Supplier shall be a data processor where, as part of the provision of the Platform Services, it is processing the Customer’s Personal Data for the following purposes on behalf of the Customer:
3.12.1.1. processing through the functionality of the Platform to create medical records summaries, expert reports, indexed and paginated bundles, and chronologies in each case for use in legal proceedings;
3.12.1.2. support and maintenance with respect to Customer’s Personal Data hosted on the Platform;
3.12.1.3. hosting management with respect to Customer’s Personal Data hosted on the Platform; and
3.12.1.4. such other purposes where the Supplier processes Customer’s Personal Data on behalf of the Customer as its data processor.
3.12.2. Duration: The duration of the Platform Services.
3.12.3. Nature and purpose: To enable the Supplier to deliver the Platform Services.
3.12.4. Categories of data subjects: As submitted to the Platform by the Customer through the Prompts.
3.12.5. Types of personal data: Name, employer, email address, telephone number, location from which the Platform is accessed and other Customer’s Personal Data as provided and/or made available by the Customer or the Authorised Users.
3.12.6. Types of special category data: As submitted to the Platform by the Customer through the Prompts.
4.1. This paragraph 4 describes the Security Controls applied to the Platform and to the Customer's Personal Data processed in connection with the Platform Services.
4.2. Operational security measures
4.2.1. access to the production environment (including production databases) is restricted to authorised members of the Supplier's operations and engineering teams on a least-privilege, role-based basis;
4.2.2. production Customer's Personal Data is not copied to, or used within, the Supplier's development, test or staging environments; and
4.2.3. credentials are managed centrally, rotated on a defined schedule, and access rights are revoked promptly (and in any event within one (1) business day) on termination of employment or change of role;
4.2.4. access rights to production systems are reviewed at least every six (6) months; and
4.2.5. administrative access to production systems requires multi-factor authentication.
4.3. Technical security measures
4.3.1. penetration testing of the Platform by an independent third party at least annually, and following material changes to the Platform architecture;
4.3.2. a documented vulnerability management programme, including regular automated vulnerability scanning, with critical and high-severity vulnerabilities remediated or mitigated in line with the Supplier's published remediation timelines;
4.3.3. a secure software development lifecycle, including peer code review, automated dependency scanning, secrets scanning and static application security testing prior to deployment to production;
4.3.4. web application firewall, network firewalling and DDoS protection at the network edge;
4.3.5. audit logging of security-relevant events on the Platform, including authentication events and administrative actions performed by Authorised Users;
4.3.6. centralised security monitoring and alerting through a managed observability and SIEM-equivalent platform;
4.3.7. encryption of Customer's Personal Data at rest using AES-256 or stronger;
4.3.8. encryption of Customer's Personal Data in transit using TLS 1.2 or higher;
4.3.9. anti-malware controls deployed on endpoints with access to production systems and to Customer's Personal Data;
4.3.10. network segmentation between production, staging and development environments and between tenant data stores where applicable; and
4.3.11. encrypted backups of Customer's Personal Data, with periodic restoration testing to validate backup integrity.
4.4. Account security measures
4.4.1. access to the Supplier's regional dashboards (UK, US and Australia) requires, at the Customer's election:
4.4.1.1. email address and password authentication with account lockout following a reasonable number of consecutive failed attempts; or
4.4.1.2. federated single sign-on or multi-factor authentication, configured in agreement with the Customer;
4.4.2. password complexity, session timeout and lockout thresholds applied by the Supplier are aligned with current NCSC and NIST guidance and are reviewed periodically;
4.4.3. the Supplier supports federated SSO (including SAML 2.0 and OIDC) for the Customer's Authorised Users where the Customer requires it;
4.4.4. for all regions:
4.4.4.1. access via magic link (one tap/click to authenticate from email or SMS) unless expressly requested to be deactivated by the Customer in writing to the Supplier; and
4.4.4.2. email address and password authentication where expressly requested to be activated by the Customer in writing to the Supplier.
4.5. Cloud and infrastructure security measures
4.5.1. the Platform is hosted on Amazon Web Services. The Supplier utilises AWS region, availability zone and account-isolation features to support data residency, segregation and resilience;
4.5.2. administrative access to the Supplier's production infrastructure is restricted to authenticated sessions originating from approved networks or via secure remote access controls;
4.5.3. multi-factor authentication is required for all administrative access to AWS and to other cloud services that comprise the Platform;
4.5.4. secrets, API keys and infrastructure credentials are stored in dedicated secrets management services and are not embedded in source code or configuration files; and
4.5.5. infrastructure changes to production are managed through version-controlled, peer-reviewed change processes.