Last updated: 30/11/2025
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Clerkal Ltd (“Processor”) and the user or Clinic (“Controller”).
Clerkal processes personal data on behalf of the Controller for the purpose of providing clinical template and documentation services.
Controller: You (the clinician or Clinic)
Processor: Clerkal Ltd
Processing includes:
Storage
Encryption
Use for AI-assisted generation
Display within the Clerkal interface
Backup and security logging
Clinician user data (name, email)
Clinical text content
Optional patient-related text (not recommended)
Clerkal does not require identifiable patient data.
For the duration of the user’s or Clinic’s active account and up to 90 days after deletion.
Clerkal shall:
Process data only on documented instructions from the Controller.
Ensure staff are subject to confidentiality obligations.
Implement appropriate technical and organisational security measures.
Assist the Controller in responding to data subject rights requests.
Notify the Controller of data breaches within a reasonable timeframe.
Assist with audits related to compliance.
Not subcontract processing without appropriate agreements.
Clerkal uses subprocessors for:
Hosting
Email delivery
Payment processing
A current list will be provided on request.
All subprocessors receive only the minimum data required and must follow GDPR-compliant agreements.
Any international transfers will use:
Standard Contractual Clauses
Adequacy decisions
Other lawful safeguards
Upon termination:
Clerkal will delete personal data within 90 days, unless legally required to retain it.
Data exports may be requested prior to deletion.
Liability is governed by the overarching Terms of Service.
Last updated