Data Processing Agreement

Version 1.0 · Effective 28 April 2026

Plain English summary. When you upload personal data about your staff, residents, patients, clients, or other people, you (the Customer) are the data controller and Slatewick is the data processor. UK GDPR Article 28 requires that relationship to be in a contract. This is that contract. It applies automatically when you have an active Slatewick subscription that processes personal data on your behalf, and it sits alongside our Terms of Service.

1. Definitions

Capitalised terms have the meanings given in this Agreement or the Terms of Service. Where a term is defined in the UK GDPR (such as "personal data", "controller", "processor", "data subject", "personal data breach", and "supervisory authority"), that meaning applies.

Agreement: this Data Processing Agreement.
Customer: the legal entity that has subscribed to Slatewick.
Slatewick or we: Kronaxis Limited, trading as Slatewick, registered in England and Wales.
Customer Personal Data: personal data uploaded to or generated within the Service by or on behalf of the Customer.
Service: the Slatewick platform and any branded product within it (CarePad, DispensePad, VetPad and the other branded verticals).
Sub-processor: any third party engaged by Slatewick to process Customer Personal Data, listed at slatewick.co.uk/sub-processors.
Data Protection Laws: the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor or replacement legislation, together with binding guidance issued by the Information Commissioner's Office.

2. Scope and roles

For Customer Personal Data, the Customer is the controller and Slatewick is the processor. The Customer determines the purposes and means of processing; Slatewick processes Customer Personal Data only on documented instructions from the Customer and as set out in this Agreement and the Terms of Service.

For data Slatewick processes about the Customer's account holders (account name, login email, billing details, support correspondence), Slatewick acts as a separate controller. That processing is described in the Privacy Policy.

3. Subject matter, nature, and purpose of processing

Subject matter	Compliance documentation, inspection preparation, training records, incident reporting, complaint logging, controlled-drug registers, COSHH assessments, standard operating procedures, and AI-assisted document drafting for regulated industries.
Nature of processing	Storage, retrieval, organisation, structuring, AI-assisted generation of draft documents, export, and deletion. Processing occurs in response to Customer instructions issued through the Service interface.
Purpose	Providing the Service to the Customer in accordance with the Terms of Service.
Duration	For the term of the Customer's subscription, plus any retention period set out in clause 9 of this Agreement.

4. Types of personal data and categories of data subjects

Categories of data subjects	The Customer's staff (employees, contractors, locums, agency workers, volunteers); the Customer's clients, residents, patients, students, tenants, or other end users; visitors recorded in incident logs; complainants; suppliers and inspectors named in records.
Categories of personal data	Names, contact details, job roles, qualification numbers, training history, employment dates, incident descriptions, complaint correspondence, attendance records, operational notes, and any other personal data the Customer chooses to enter.
Special category and criminal-conviction data	The Customer may upload special category data within UK GDPR Article 9 (such as health information in care, dental, GP, vet, optician, hearing-aid, and pharmacy contexts) and Article 10 criminal-conviction data (such as DBS check status). The Customer is responsible for identifying its lawful basis under Articles 9 and 10. Slatewick processes such data only as instructed.

5. Customer obligations

The Customer warrants that it has a lawful basis under Article 6 (and where applicable Article 9 or 10) for any Customer Personal Data uploaded to the Service.
The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired that data.
The Customer must provide all required transparency information (such as privacy notices) to its data subjects.
The Customer must respond to data-subject rights requests addressed to it as the controller. Slatewick will assist as set out in clause 7.

6. Slatewick's processing obligations (Article 28(3))

Slatewick will:

Documented instructions. Process Customer Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by UK or member-state law applicable to Slatewick. Where such a legal requirement applies, Slatewick will inform the Customer before processing unless the law prohibits notification on important grounds of public interest.
Confidentiality. Ensure that all personnel authorised to process Customer Personal Data are bound by appropriate contractual or statutory confidentiality obligations.
Security. Implement appropriate technical and organisational measures under Article 32 of the UK GDPR. Current measures are described at slatewick.co.uk/security.
Sub-processors. Engage Sub-processors only as set out in clause 8.
Subject-rights assistance. Provide reasonable assistance to the Customer, taking into account the nature of processing, in fulfilling its obligation to respond to requests under Articles 12 to 23 of the UK GDPR. Where the Customer cannot self-serve through the Service interface, Slatewick will respond to a written request within 14 days.
Article 32–36 assistance. Provide reasonable assistance to the Customer in complying with Articles 32 to 36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to Slatewick.
Return or deletion. At the Customer's choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies, unless UK or member-state law requires retention.
Information and audit. Make available to the Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Audits may be conducted no more than once per twelve-month period (except where required by a supervisory authority or following a personal data breach), at the Customer's cost, on at least 30 days' written notice, during business hours, in a manner that does not interfere with Slatewick's operations or the security of other customers, subject to confidentiality obligations. Slatewick may satisfy this clause by providing a current independent assurance report (such as ISO 27001 or SOC 2) where one is in place.

7. Data subject rights

The Service provides Customer-administered tools for export, rectification, and deletion of Customer Personal Data, allowing the Customer to fulfil access, rectification, erasure, and portability requests directly. Where assistance beyond the Service tools is required, the Customer may email privacy@slatewick.co.uk. Slatewick will not respond to data-subject requests directly except to refer the requester to the Customer, unless instructed by the Customer or required by law.

8. Sub-processors

The Customer grants Slatewick general written authorisation to engage Sub-processors. The current list of Sub-processors is published at slatewick.co.uk/sub-processors and forms part of this Agreement.

Slatewick will give the Customer at least 30 days' notice of any intended addition or replacement of a Sub-processor by updating the published list. The Customer may object on reasonable data-protection grounds within that 30-day period by email to privacy@slatewick.co.uk. If the parties cannot agree on an alternative arrangement, the Customer may terminate the affected service on 30 days' written notice without penalty, with a pro-rata refund of pre-paid fees.

Slatewick imposes data-protection obligations on Sub-processors that are no less protective than those in this Agreement and remains liable to the Customer for the performance of each Sub-processor.

9. Data return and deletion

The Customer may export Customer Personal Data in CSV format from within the Service at any time during the subscription term.
On termination of the subscription, the Customer has 30 days to request a final export and to confirm whether Slatewick should delete or return Customer Personal Data.
Absent contrary instructions, all Customer Personal Data is deleted from production systems within 30 days of subscription termination.
Backups containing Customer Personal Data are deleted within 90 days of termination on a rolling cycle. During that 90-day window, backups remain encrypted and are not used for any purpose other than disaster recovery.
Slatewick will, on written request, certify the deletion in writing.

10. International transfers

Customer Personal Data is stored on servers located in the United Kingdom. Where a Sub-processor processes Customer Personal Data outside the United Kingdom, the transfer is governed by the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another transfer mechanism approved under Article 46 of the UK GDPR. The transfer mechanism for each Sub-processor is identified at slatewick.co.uk/sub-processors.

11. Personal data breaches

Slatewick will notify the Customer of any personal data breach affecting Customer Personal Data without undue delay and in any event within 72 hours of becoming aware of it. Notifications will, to the extent known at the time, describe the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact point for further information.

Slatewick will provide reasonable assistance to the Customer in fulfilling the Customer's own breach-notification obligations to supervisory authorities and to data subjects under Articles 33 and 34 of the UK GDPR.

12. Liability

Liability under this Agreement is subject to the limitations set out in clause 9 of the Terms of Service, save that nothing limits each party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) administrative fines under Article 83 of the UK GDPR imposed on that party for its own breach; or (d) any other liability that cannot be excluded or limited by law.

13. Term and termination

This Agreement takes effect on the date the Customer first uploads Customer Personal Data and continues until all Customer Personal Data has been deleted or returned in accordance with clause 9. Termination of the Terms of Service automatically terminates this Agreement, save for the obligations in clauses 9, 11, and 12, which survive.

14. Order of precedence

If there is a conflict between this Agreement and the Terms of Service in respect of the processing of Customer Personal Data, this Agreement prevails. In all other respects the Terms of Service prevail.

15. Governing law

This Agreement is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.

16. Signing this Agreement

Most customers do not need a counter-signed copy: this Agreement applies automatically to every active Slatewick subscription, and self-acceptance through Service registration is sufficient under UK GDPR Article 28(9). If your procurement process requires a counter-signed PDF, email privacy@slatewick.co.uk with your organisation name, registered address, and the registered details of your account, and we will return a signed copy within five working days at no charge.

17. Contact

Data protection enquiries: privacy@slatewick.co.uk