Data Protection Agreement
This Data Protection Agreement ("DPA") is entered into by and between:
- North Star Counselling and Therapy Limited, a company incorporated in Scotland, United Kingdom with its registered office at 60 St. Enoch Square, Level 5, Glasgow, United Kingdom, G1 4AG ("Processor");
- and the Subscriber to the Nexus Wizard SaaS platform, acting as the data controller ("Controller"),
and forms part of the SaaS Subscription Agreement between the parties.
1. Introduction
1.1 This DPA ensures compliance with applicable UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended, replaced, or supplemented from time to time.
1.2 The Processor's data handling and protection practices, including storage regions and privacy safeguards, are outlined in the Nexus Wizard Privacy Policy, which is incorporated by reference.
2. Subject Matter and Duration
2.1 This DPA governs the processing of personal data under the SaaS Subscription Agreement between the parties.
2.2 This DPA remains in force for the duration of the SaaS Subscription Agreement. Notwithstanding expiry or termination of the SaaS Subscription Agreement, the Processor shall continue to process personal data only to the extent necessary for securely deleting or returning such data in accordance with Clause 12, including deletion from system backups and archives at the end of their ordinary lifecycle.
3. Nature and Purpose of Processing
3.1 Nature: Cloud-based digital storage, retrieval, encrypted communication, live reminders, and statistical calculations.
3.2 Purpose: To enable the Controller to use Nexus Wizard for case management, session scheduling, secure note-taking, and psychometric assessments.
4. Categories of Data and Data Subjects
4.1 Data Subjects: Clients and patients of the Controller.
4.2 Personal Data Types: Names, contact details, demographics, case history, therapy records, clinical notes, psychometric responses, appointment history, and clinical metadata.
4.3 The platform may process additional categories of personal data (e.g., payment data or enhanced contact data) in future feature updates. In such cases, the Controller will be notified, and amended DPA terms shall be provided in accordance with applicable law.
5. Controller Obligations
5.1 The Controller is solely responsible for:
- Ensuring all data entered into Nexus Wizard is collected lawfully and transparently;
- Providing clients with required information under Articles 13/14 UK GDPR;
- Having a valid legal basis for processing under Article 6 (and 9, where applicable) of UK GDPR.
5.2 The Controller is responsible for responding to data subject requests, and shall promptly notify the Processor where assistance is required.
6. Processor Obligations
The Processor agrees to:
6.1 Process personal data only on documented and lawful instructions from the Controller.
6.2 Ensure authorised individuals are contractually bound to confidentiality.
6.3 Implement appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data.
6.4 Provide reasonable assistance, taking into account the nature of processing, to the Controller in responding to data subject requests and, where such requests are manifestly unfounded, excessive or repetitive, at the Controller's cost.
6.5 Notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of any personal data breach.
6.6 Support the Controller in conducting impact assessments or engaging with the ICO where relevant.
6.7 Upon termination of the subscription, delete or return all personal data as instructed by the Controller (see also Clause 12).
6.8 Maintain an up-to-date record of all personal data processing activities.
7. Sub-processors
7.1 The Controller authorises the Processor to engage sub-processors for hosting, infrastructure, and technical support functions.
7.2 The Processor shall inform the Controller in advance of any changes to sub-processors, giving the Controller 10 working days to reasonably object to such changes.
7.3 The Processor ensures all sub-processors are subject to written agreements imposing obligations that are materially equivalent to this DPA.
8. International Transfers
8.1 All international transfers of personal data outside the UK and EEA shall be subject to appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) approved by the Information Commissioner's Office (ICO), available at https://ico.org.uk/for-organisations/international-data-transfer-agreement.
8.2 Where technical support involves access from a country outside the UK/EEA (e.g., support staff in India), such access shall be:
- Strictly limited in scope (e.g., read-only metadata, technical logs);
- Time-limited to 48 hours per incident, unless otherwise agreed and logged;
- Subject to explicit, documented consent from the Controller, who confirms that client consent has been obtained when required;
- Logged with access records stored for a minimum of 12 months and made available upon request for audit by the Controller.
9. Security Measures
The following minimum standards apply:
- UK and/or EU cloud storage environments;
- Role-based access and user authentication;
- Encryption of data both in transit and at rest;
- Staff training and signed confidentiality agreements;
- Audit trails of administrative access to personal data.
Full details may be made available where required for compliance purposes.
10. Data Subject Rights
Upon Controller request, the Processor shall assist in fulfilling data subjects' rights under UK GDPR, including:
- Right of access, rectification or erasure;
- Right to restrict or object to processing;
- Right to data portability.
Requests shall be fulfilled within 30 calendar days, unless otherwise agreed.
11. Personal Data Breach
11.1 The Processor shall notify the Controller without undue delay and, where feasible, within 72 hours of any personal data breach becoming known.
11.2 This notification will include:
- A description of the nature of the breach;
- Categories and approximate number of data subjects and records affected;
- Likely consequences;
- Measures taken or proposed to address the breach.
12. Return or Deletion of Data
12.1 Upon termination of the SaaS Agreement, the Processor shall, at the Controller's discretion, permanently delete or return all personal data. Unless otherwise required by law, the Processor shall complete such deletion or return within a reasonable period not exceeding 60 days, subject to technical feasibility.
12.2 Confirmation of deletion will be provided upon request.
12.3 No data shall be retained beyond 60 days unless legally required or agreed otherwise in writing.
13. Audit Rights
13.1 The Controller has the right to audit the Processor's compliance with this DPA.
13.2 Audits must be requested with at least 10 business days' prior notice and may be conducted no more than once per calendar year, unless in the event of a breach or regulatory request.
13.3 The Processor may satisfy audit obligations by providing:
- Summary audit reports (e.g., ISO 27001 / SOC 2);
- Responses to security questionnaires;
- Virtual site visits if appropriate.
14. Liability and Indemnity
14.1 Each party shall indemnify and keep indemnified the other party against losses, damages, claims, or penalties directly arising from the indemnifying party's material breach of this DPA, including third-party claims and regulatory penalties.
14.2 The Processor's total aggregate liability under this DPA (whether in contract, tort, or otherwise) shall be limited to the total fees paid by the Controller under the SaaS Subscription Agreement in the 12 months preceding the event giving rise to liability, except where liability arises from the Processor's wilful misconduct, fraud, or death or personal injury caused by negligence.
14.3 The Processor shall not be liable to the Controller for any loss arising from: (i) the Controller's unlawful collection or processing of personal data; (ii) the Controller's misconfiguration or misuse of the services; or (iii) the Processor's compliance with the Controller's documented instructions.
15. Governing Law and Jurisdiction
15.1 This DPA shall be governed by Scottish law.
15.2 The parties agree that any disputes shall be exclusively resolved by the courts of Scotland, unless otherwise required by applicable law.
16. Entire Agreement
This DPA forms part of and is incorporated into the SaaS Subscription Agreement. It supersedes all prior data protection terms between the parties.
17. Standard Contractual Clauses (SCCs)
17.1 All international transfers of personal data under this Agreement shall be governed by the applicable laws, including UK Standard Contractual Clauses (International Data Transfer Agreement) as approved by the Information Commissioner's Office (ICO), available at https://ico.org.uk/for-organisations/international-data-transfer-agreement.
17.2 The Controller agrees to accept SCCs electronically through acceptance of this DPA during onboarding or support engagement. SCCs will be provided for execution where legally required.
18. Additional Data Protection Laws and Compliance
The Processor acknowledges that Controllers may use the services in jurisdictions outside the United Kingdom. Where local data-protection or health-privacy laws (for example, the United States Health Insurance Portability and Accountability Act (HIPAA) or equivalent state laws) apply to the processing of personal data, the Processor shall provide reasonable cooperation to the Controller to adapt this DPA to comply with those legal requirements to the extent it is consistent with and does not conflict with UK law.
The Processor shall not be deemed a covered entity or business associate under local data-protection or health-privacy laws of jurisdictions outside the United Kingdom unless expressly agreed in writing. Where such laws apply directly to the Controller, the Processor will provide reasonable cooperation.
19. Sub-processor Objection
If the Controller reasonably objects to the appointment or replacement of a sub-processor notified under Clause 7, the Processor will use commercially reasonable efforts to provide a functionally equivalent alternative sub-processor or to modify the services so as to avoid the use of the objected-to sub-processor. If the Processor cannot provide an alternative within a reasonable period, the Controller may terminate the relevant services without penalty by giving written notice within thirty (30) days of being informed of the change.
20. Data Protection Officer and Breach Contact
The Processor has appointed a Data Protection Officer (DPO) who can be contacted at dpo@nexuswizard.com for any queries relating to data protection or breach notifications under this DPA. The Processor will ensure that the DPO's contact details remain current and will notify the Controller of any changes.
21. Cyber-Liability Insurance
The Processor shall maintain commercially reasonable cyber-liability insurance appropriate to the size and nature of its business, covering data-breach response costs and third-party claims. Evidence of such coverage shall be provided to the Controller upon reasonable written request, subject to confidentiality obligations.
Last updated: 31 August 2025