Data Processing Agreement

Parties and status

This Data Processing Agreement, version 2026-05-05, is entered into between Theramie as the Provider and the subscribing therapist as the Controller. It applies whenever Theramie processes personal data on the Controller's behalf through the platform.

Where a therapist uses Theramie as part of a clinic, charity, school, employer or other organisation, the "Controller" means the person or organisation that determines the purposes and means of the therapy record processing carried out in Theramie. This DPA applies only to therapist-controlled personal data for which Theramie acts as processor. It does not change the separate Theramie-controlled processing described in the privacy notice.

This DPA supplements the main Terms of Service. If there is a conflict about controller-to-processor data protection duties, this DPA takes priority.

1. Processing instructions

Theramie will process client and practice data only on the documented instructions of the Controller as expressed through the product configuration, API calls, session creation, messaging, note storage, billing and video features. Theramie may also process data where required by law, in which case it will inform the Controller unless legally prohibited.

If Theramie believes an instruction infringes data protection law, it may suspend the affected processing and will inform the Controller unless doing so is legally prohibited.

2. Controller responsibilities in therapy work

The Controller remains responsible for the lawfulness, fairness and transparency of the therapy-related processing it chooses to carry out through Theramie. This is especially important because Controller data may include confidential therapy records, data about children or vulnerable individuals, and special-category personal data such as information about physical or mental health.

• The Controller must identify and document its own Article 6 lawful basis, Article 9 condition and, where required by UK law, any Schedule 1 condition or appropriate policy document.
• The Controller must give clients clear privacy information, explain the relevant circle of confidentiality and ensure its use of Theramie is compatible with its professional, employment, commissioning and organisational confidentiality duties.
• The Controller decides what information to record in Theramie, whether to minimise or pseudonymise identifiers, how long to retain records, and whether any safeguarding, complaint-handling, insurance or sector-specific rules require additional retention or disclosure steps.
• Clinical decisions, safeguarding decisions, decisions about disclosures to supervisors or other third parties, and decisions about whether a legal exemption or restriction applies to a rights request remain the Controller's responsibility.

3. Confidentiality and authorised staff

Theramie will ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations and only access data to the extent needed to operate, secure, support or maintain the service.

Theramie will require its own recipients of Controller personal data, including approved sub-processors, to handle that data under contractual or statutory confidentiality obligations appropriate to the nature of confidential therapy information.

4. Security

Theramie will implement and maintain appropriate technical and organisational measures, taking into account the nature of therapy records and the risks associated with special-category data. The current measures are listed in Annex 2 below and include access control, encryption and signed service-to-service checks evidenced in the application.

Where Theramie's note tooling encrypts clinical note content in the browser before storage, Theramie does not need routine access to plaintext note content to host the service. Other Controller data, such as schedules, messages, billing records and session metadata, may still be processed in readable form where needed to operate the service.

5. Sub-processors

The Controller authorises Theramie to use the sub-processors listed in Annex 2. Theramie will remain responsible for its sub-processors' performance of processing obligations to the extent required by UK GDPR.

Theramie will keep the Annex 2 list up to date and will give the Controller reasonable prior notice of any material new or replacement sub-processor that will process Controller data, unless a quicker change is reasonably necessary for security, legal compliance or service continuity.

Theramie will impose materially equivalent data protection obligations on approved sub-processors. The Controller may object to a material new or replacement sub-processor on reasonable data protection grounds by contacting admin@theramie.co.uk within a reasonable time after notice. If the parties cannot resolve the objection, the Controller may stop using the affected processing or terminate the relevant services in accordance with the main contract.

6. Data subject rights and assistance

Where Theramie receives a request that relates to data controlled by a therapist, Theramie will, where reasonably possible, direct the request to the Controller and assist the Controller with access, correction, erasure, restriction and other UK GDPR rights requests using the tools and support reasonably available in the service.

Requests about therapy records should normally be handled under the Controller's instruction because the Controller decides whether any clinical, safeguarding, legal or serious-harm restriction or exemption may apply.

7. DPIAs, prior consultation and security assistance

Taking into account the nature of the processing and the information available to Theramie, Theramie will provide reasonable assistance with data protection impact assessments, transfer-risk reviews and any regulator consultation that is required because of the processing carried out through the service.

The parties recognise that processing confidential therapy records, data about children or other vulnerable individuals, or any future innovative technology features may require a DPIA. The Controller remains responsible for deciding whether a DPIA, transfer assessment or other sector-specific governance record is required for its use of Theramie.

8. Personal data breaches

Theramie will notify the Controller without undue delay after becoming aware of a personal data breach that affects Controller data and will provide information reasonably required for the Controller to assess the incident and comply with its reporting duties.

The Controller remains responsible for determining whether the breach must be notified to the ICO, affected individuals or any other regulator, commissioner or professional body that applies to the Controller's practice.

9. Audit information and compliance evidence

Theramie will make available to the Controller the information reasonably necessary to demonstrate compliance with its processor obligations under UK GDPR. Where the Controller reasonably requires more than written information, the parties will work in good faith on a proportionate audit or inspection process that protects other customers' confidentiality, system security and Theramie's legitimate operational constraints.

10. International transfers

A restricted transfer can include Controller data being accessed from outside the UK. Where Controller data is processed outside the UK, or accessed from outside the UK, Theramie will ensure that a valid transfer mechanism required by UK GDPR is in place and will provide reasonable information about that mechanism on request.

Some suppliers, especially payment, hosting, email and video providers, may process personal data outside the UK or permit access to it from outside the UK. Where that happens, Theramie relies on the supplier's adequacy decision or another UK GDPR transfer mechanism, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. Contact us if you want more detail about the safeguard used for a particular supplier.

11. Deletion and return

On termination of the services, Theramie will delete or return Controller personal data in accordance with the main contract, the Controller's instructions and any records that Theramie must retain for legal, security, fraud-prevention or accounting reasons.

Where the service provides an export or closure window before deletion, the Controller must use that period to export data it needs to keep. Theramie may retain only the minimum information needed to evidence deletion, maintain ledger integrity, comply with law or defend legal claims.

Annex 1: Subject matter and categories

Annex 2: Technical and organisational measures

• Access to application data is limited through Supabase authentication checks and row-level security policies on the core tables.
• Clinical notes are encrypted in the browser with AES-256-GCM before storage, and therapist vault keys are derived with PBKDF2 and stored in wrapped form.
• Stripe webhook events are verified with webhook signatures before billing changes are applied.
• Background cron routes require a shared secret before operational jobs can run.
• Sensitive service credentials are loaded from server-side environment variables rather than being shipped to the browser.
• Application routes use server-side session checks and ownership validation before returning account, billing, client or session data.
• Video-session credit controls and session entry links use signed tokens and server-side checks to limit unauthorised access.

Approved sub-processors