Data Processing Addendum

Terms governing DraftDesk's processing of personal data on your practice's behalf, where your practice is the controller and DraftDesk is the processor.

[REVIEW: legal copy required - full DPA, reviewed by a UK GDPR adviser]

Roles & scope

Your practice is the data controller; DraftDesk processes personal data only on your documented instructions to provide the service.

[REVIEW: subject-matter, duration, nature and purpose of processing, and data categories]

Sub-processors

DraftDesk engages the sub-processors listed in the sub-processor register.

[REVIEW: sub-processor change-notification mechanism and objection rights]

Security, breach & deletion

[REVIEW: technical/organisational measures, breach-notification timelines, and return/deletion on termination]

International transfers

[REVIEW: transfer mechanism (e.g. UK IDTA / SCCs) for any processing outside the UK]