Data Processing Agreement

Last updated March 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Controller: The therapist or organisation (“you”, “Controller”) who creates an account on Formulate and enters client data.
  • Data Processor: Formulate Tools Ltd, Company No. 17065550, registered in England & Wales, 11 Chantry Close, TW16 7TH (“we”, “Processor”).

This DPA supplements the Terms of Service and Privacy Policy.

2. Subject matter & duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the Formulate platform — a clinical psychology worksheet and formulation tool. Processing begins when the Controller creates an account and continues until the account is deleted or this DPA is terminated.

3. Nature & purpose of processing

Processing includes:

  • Storage and display of pseudonymised client records (labels, case notes, assigned worksheets)
  • Storage and display of client-submitted homework responses
  • AI-assisted worksheet generation using PII-stripped input
  • Email delivery for homework links and account notifications
  • Payment processing for subscription billing

4. Types of personal data

Therapist data

Email address, name, organisation name (optional), subscription and billing details, usage logs.

Client data (pseudonymised)

Client labels (initials or codes — never full names or email addresses), worksheet responses, homework completion status. The platform enforces pseudonymity through input validation.

Special category data

Worksheet responses may contain health-related data. All such data is pseudonymised and encrypted at rest (AES-256). Only the assigning therapist can access response content.

5. Data subjects

  • Therapists and other healthcare professionals who use the platform
  • Clients of those therapists (pseudonymised records only)

6. Processor obligations

6.1 Security measures

  • All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Row-level security (RLS) enforced at database level — each therapist can only access their own data
  • PII stripping before any data is sent to AI sub-processors
  • Strict Content Security Policy with per-request nonces
  • Primary database hosted in AWS eu-west-2 (London)

For full details, see our Security page.
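The row-level security claim in 6.1 is the one a Controller exercising the audit right in Section 10 is most likely to want evidence for. The following is an added illustration, not Formulate's own schema or policy text, of what an RLS configuration that enforces "each therapist can only access their own data" looks like on Supabase's Postgres. It assumes Supabase's auth.uid() function and its authenticated role; the table and column names (clients, therapist_id, label) and the label length limit are hypothetical.

```sql
-- Added illustration, not Formulate's schema. Assumes Supabase Postgres with
-- auth.uid() and the "authenticated" role; table/column names are hypothetical.

create table if not exists clients (
  id           uuid primary key default gen_random_uuid(),
  therapist_id uuid not null references auth.users (id) on delete cascade,
  label        text not null check (length(label) <= 8),  -- initials/codes only; limit assumed
  case_notes   text,
  created_at   timestamptz not null default now()
);

-- Without this, policies are never consulted and every row is readable
-- through the API role.
alter table clients enable row level security;
-- Apply policies to the table owner as well, so a misconfigured owner
-- connection does not silently bypass them.
alter table clients force row level security;

-- One policy per operation; each ties the row to the calling user's id.
create policy clients_select_own on clients
  for select to authenticated
  using (therapist_id = auth.uid());

create policy clients_insert_own on clients
  for insert to authenticated
  with check (therapist_id = auth.uid());

create policy clients_update_own on clients
  for update to authenticated
  using (therapist_id = auth.uid())
  with check (therapist_id = auth.uid());

create policy clients_delete_own on clients
  for delete to authenticated
  using (therapist_id = auth.uid());

-- Audit query: every table holding client data should report
-- rls_enabled = true, rls_forced = true and policy_count > 0.
select c.relname,
       c.relrowsecurity      as rls_enabled,
       c.relforcerowsecurity as rls_forced,
       count(p.polname)      as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity, c.relforcerowsecurity
order by c.relname;
```

Two caveats an auditor should keep in mind: the insert and update policies need a with check clause, otherwise a user can write rows that belong to another therapist even though they cannot read them back; and Supabase's service_role connection bypasses RLS by design, so the isolation described in 6.1 holds for access through the anon and authenticated roles, and server-side code using the service key must enforce the same ownership check itself.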

6.2 Breach notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach, providing the nature of the breach, categories and approximate numbers of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

6.3 Confidentiality

All persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.4 Assistance with data subject rights

The Processor will assist the Controller in responding to data subject access requests, rectification, erasure (right to be forgotten under GDPR Article 17), and data portability requests. Clients can independently request deletion through their secure data portal.

6.5 Data return & deletion

Upon termination of the agreement, the Processor will, at the Controller's choice, return all personal data or delete it. Deleted data is retained for a 90-day window to allow recovery from accidental deletion and is permanently purged at the end of that window.

7. Sub-processors

The Controller authorises the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

Service     Purpose                                             Location
Supabase    Database, authentication & file storage             UK (London, AWS eu-west-2)
Stripe      Payment processing                                  US / EU
Resend      Transactional email                                 US
Anthropic   AI worksheet generation (PII-stripped input only)   US
Vercel      Application hosting & CDN                           Global edge
Sentry      Error monitoring (no clinical data)                 US

8. International transfers

The primary database is hosted in the UK (AWS eu-west-2, London). Where personal data is transferred to sub-processors outside the UK/EEA (Stripe, Resend, Anthropic, Sentry), such transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards under UK GDPR.

Data sent to Anthropic for AI processing is PII-stripped before transmission. No identifiable client data leaves the UK database.

9. Data subject rights

Formulate supports the following data subject rights:

  • Right of access: Clients can view their submitted responses via their secure data portal.
  • Right to erasure: Clients can request deletion via their portal. Therapists can delete client records at any time. Deleted data is purged after 90 days.
  • Right to data portability: Therapists can export worksheet data and client records.
  • Right to rectification: Therapists can edit client records and worksheet responses.

10. Audit rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor will make available all information necessary to demonstrate compliance and allow for, and contribute to, audits and inspections conducted by the Controller or an authorised auditor, subject to reasonable notice and confidentiality obligations.

11. Termination

This DPA remains in effect for the duration of the Controller's use of the Formulate platform. Upon termination, Section 6.5 (Data return & deletion) applies. Obligations relating to confidentiality and data protection survive termination.

Contact

For questions about this DPA or to exercise any rights under it, contact us at hello@formulatetools.co.uk.