Data Processing Agreement (DPA)
Summary for UK and European Economic Area customers where your practice is the data controller and PsycSuit processes personal data (including health data) on your behalf under GDPR / UK GDPR Article 28.
Not a substitute for counsel. This page summarizes standard DPA topics. Your executed DPA and Standard Contractual Clauses (if applicable) are provided during onboarding.
Last updated: May 2026
Roles
You determine purposes and means of processing patient and staff personal data in your practice. PsycSuit processes that data only on your documented instructions as set out in the DPA and Terms of Service.
Processing instructions
- Process personal data only to deliver the subscribed service and support.
- Inform you if we believe an instruction infringes GDPR, where legally permitted.
- Not engage another processor without your prior authorization (subprocessors listed below).
Security measures
We implement appropriate technical and organizational measures, including access control, encryption in transit, logging, and confidentiality commitments for personnel. See Trust & security.
Subprocessors
We use the following categories of subprocessors depending on features you enable. Your service agreement identifies which apply to your deployment.
| Provider | Purpose | What they may handle | Notes |
|---|---|---|---|
| Microsoft Azure | Application hosting, PostgreSQL database, backups, and optional Azure OpenAI | All clinic and patient data stored in your deployed region | Microsoft offers a BAA for covered services when configured for HIPAA workloads. |
| Brevo | Transactional email (activation, portal verification, notifications) | Email addresses, message content you send via the platform | |
| LiveKit | Secure video visits between clinician and patient | Video session connection details; video/audio per your setup | Your practice confirms its agreements cover telehealth if required. |
| Microsoft Azure OpenAI | Optional help drafting or polishing text (when your practice enables it) | Only the text you submit for that task, processed to return writing suggestions | Opt-in only; requires a BAA on file and enablement by a practice administrator. |
| Microsoft Azure AI Speech | Optional session audio transcription for Session Capture (when enabled) | Session audio sent for transcription; raw audio is discarded by default after the text is returned | Requires client portal consent before use. The clinician reviews the transcript before signing notes. |
| Cloudflare Turnstile | Bot protection on client portal booking (when configured) | Technical signals and IP address (abuse prevention) | |
| DoseSpot / DrFirst (eRx partner) | Optional US e-prescribing when the platform and the clinic enable the eRx add-on | Prescriber credentials, patient demographics, allergies, medication orders (via partner UI) | Enabled per clinic; requires prescriber identity proofing (EPCS) through the vendor. |
International transfers
Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as Standard Contractual Clauses and supplementary measures described in your DPA.
Data subject rights
We assist you in responding to requests from individuals (access, rectification, erasure, restriction, portability) using product tools or support, within reasonable timeframes and as required by Article 28(3).
Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting your data in our systems, and provide information needed for your regulatory notifications.
Deletion & return
At end of service, we delete or return personal data per your instructions and the DPA, subject to legal retention requirements.
Audits
We make available information necessary to demonstrate compliance and allow audits described in the DPA, typically via documentation and questionnaires rather than on-site visits except where required by law.
How to obtain the DPA
Contact us to request a copy. The executed DPA and Standard Contractual Clauses (if applicable) are also provided during onboarding.