ICO Registered: ZB456892 | UK GDPR Compliant | NHS Framework Participant
Request Data Access
Legal

Data Processing Agreement

Terms governing the processing of personal data in connection with MD DataVault’s services.

Version: 3.2 — effective 14 October 2025

Processor: MD DataVault Ltd, Registered in England & Wales No. 14927631

For Clients Requiring a Signed DPA

This page sets out our standard DPA terms. Clients requiring a countersigned DPA should contact dpo@mddatavault.co.uk. We typically turn around executed DPAs within 3 business days.

1. Scope and Purpose

This Data Processing Agreement (“DPA”) supplements the Master Services Agreement between MD DataVault Ltd (“Processor”) and the Client (“Controller”) and governs all processing of personal data carried out by the Processor on behalf of the Controller in connection with the Services.

All terms used in this DPA carry the meanings ascribed to them in UK GDPR and the Data Protection Act 2018 (“DPA 2018”).

2. Roles and Responsibilities

The parties acknowledge that:

  • The Controller determines the purposes and means of the processing of personal data.
  • The Processor processes personal data only on documented instructions from the Controller, except where required to do so by applicable law.
  • Where the Processor sources health datasets from NHS data controllers, the Processor acts as the data controller for that sourcing activity and takes full responsibility for compliance with applicable NHS information governance requirements.

3. Processing Details

Nature of Processing

Collection, extraction, de-identification, curation, standardisation, and delivery of health-related datasets.

Purpose of Processing

To provide the Client with anonymised or pseudonymised health datasets for research, clinical development, AI model training, or population health analytics as specified in the relevant Order Form.

Categories of Data Subjects

NHS patients and primary care registrants whose records are held by the relevant data controllers. All data is de-identified to a standard that satisfies the ICO’s anonymisation code of practice before delivery to the Client.

Special Category Data

Health data is special category data under UK GDPR Article 9. The Processor processes such data on the basis of Article 9(2)(j) (scientific research) subject to appropriate technical and organisational measures as set out in this DPA.

4. Processor Obligations

The Processor shall:

  • Process personal data only on the documented instructions of the Controller
  • Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement the technical and organisational security measures described in Schedule 1
  • Assist the Controller in meeting its obligations regarding data subject rights requests
  • Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach
  • Make available all information necessary to demonstrate compliance with this DPA
  • Delete or return all personal data on termination of the Services, as instructed by the Controller

5. Sub-processors

The Processor shall not engage a sub-processor without prior written authorisation from the Controller. A current list of approved sub-processors is available on request. Any new sub-processor will be notified to the Controller at least 30 days in advance.

6. Security Measures (Schedule 1)

  • ISO 27001-certified information security management system (certificate available on request)
  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control with multi-factor authentication
  • Penetration testing conducted annually by a CREST-accredited firm
  • Full audit logging of all data access events
  • NHS DSPT compliance maintained at “Standards Exceeded” level

7. Governing Law

This DPA is governed by the law of England and Wales. Disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.