Data Processing Agreement

Version 0.1-draft · Effective 4 June 2026 · Operator: Andrei Trimbitas trading as Old Forge Technologies

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Andrei Trimbitas trading as Old Forge Technologies ("Felgate", "Processor", "we") and the Customer ("Controller", "you"). It applies whenever we process personal data on your behalf in connection with the Service. By accepting the Terms at signup you enter into this DPA. For a signed copy, contact legal@felgate.co.uk.

Data-protection terms have the meanings in UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025, together "Data Protection Law").

1. Roles

For the personal data of your clients and contacts that we process through the Service ("Client Data"), you are the controller and we are the processor. You are responsible for the lawfulness of Client Data - a valid lawful basis and, for health data, an Article 9 condition (normally explicit consent); the accuracy of the data; and providing your clients with the required privacy information. This DPA does not cover data for which we are the controller (your account and billing data) - see the Privacy Policy.

2. Our obligations as processor (Article 28(3))

We will:

(a) Process only on your instructions - comprising this DPA, the Terms, your configuration and use of the Service, and any further written instruction - including as to international transfers, unless required otherwise by law (in which case we will tell you unless the law prohibits it).
(b) Confidentiality - ensure people authorised to process Client Data are bound by confidentiality.
(c) Security - implement the measures in Schedule 2, appropriate to the risk (Article 32), recognising that Client Data includes special-category health data.
(d) Sub-processors - engage sub-processors only under section 4, flowing down equivalent obligations and remaining responsible to you for them.
(e) Assist with data-subject rights - taking into account the nature of processing, assist you to respond to requests; the Service provides self-service export and erasure tools, and we give reasonable additional help where they do not suffice.
(f) Assist with security, breach and DPIAs - assist you to comply with Articles 32-36, taking into account the information available to us.
(g) Deletion or return - at the end of the Service, at your choice, delete or return all Client Data and delete copies, unless law requires storage. By default, after the export window in the Terms (30 days), we delete Client Data in the ordinary course; backups purge on their rolling cycle.
(h) Demonstrate compliance and allow audits - make available the information reasonably necessary to demonstrate compliance, allow for and contribute to audits per section 7, and immediately inform you if, in our opinion, an instruction infringes Data Protection Law.

3. Personal-data breaches

We will notify you without undue delay after becoming aware of a personal-data breach affecting Client Data, and provide the information you reasonably need to meet your own obligations (to the ICO within 72 hours, and to data subjects where required). We will take reasonable steps to mitigate and remediate. Notification is not an admission of fault.

4. Sub-processors

You give general authorisation for us to engage the sub-processors in Schedule 3 and others we appoint to provide the Service. We will give reasonable notice before adding or replacing one; if you reasonably object on data-protection grounds within 14 days we will work with you in good faith, and if unresolved you may terminate the affected Service as your sole remedy. We impose equivalent obligations on each sub-processor and remain liable to you for them.

5. International transfers

We will not transfer Client Data outside the UK except in compliance with Data Protection Law - relying on UK adequacy regulations or an approved mechanism (the IDTA or UK Addendum to the EU SCCs) and applying the post-DUAA-2025 "not materially lower" assessment. We prefer UK/EU regions for email and backups.

6. Your obligations

You will: give only lawful instructions; ensure you have the necessary lawful basis and Article 9 condition (explicit consent) for Client Data; provide required privacy information to your clients; configure the Service appropriately (including retention settings); use the export/erasure tools to honour rights; and not upload data you are not entitled to process.

7. Audits

We will respond to reasonable information requests and may satisfy audit rights by providing documentation of our measures (Schedule 2) and relevant reports. On-site audits, where genuinely required, will be on reasonable notice, no more than once a year (unless required by a regulator or after a breach), during business hours, subject to confidentiality, without compromising other customers' security, and at your cost.

8. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms, to the extent permitted by Data Protection Law. Nothing here limits a data subject's rights or either party's liability to the ICO.

9. Term and changes

This DPA runs for as long as we process Client Data for you. We may update it to reflect changes in law or the Service; material changes will be notified. On any conflict with the Terms on data-protection matters, this DPA prevails.

Schedule 1 - Details of processing

Subject matter: provision of the Felgate practice-management Service.
Duration: the term of the Terms, plus the deletion window.
Nature and purpose: hosting, storage, transmission, organisation, retrieval, encryption, backup and deletion of Client Data so you can manage your nutrition practice.
Types of personal data: identity and contact details; appointment data; messages; documents; and special-category health data - health questionnaires, food diaries, nutritional plans, clinical/practitioner notes and consent records.
Categories of data subjects: your clients (and their named contacts) and users you invite (for example team members).
Frequency: continuous, for the duration of the Service.

Schedule 2 - Technical and organisational security measures

Encryption in transit: TLS/HTTPS for all connections.
Encryption at rest: special-category fields encrypted with per-tenant keys (Fernet); the system fails closed rather than storing such data unencrypted.
Tenant isolation: each Customer has a separate database and encryption key; containers run unprivileged with dropped capabilities, no privilege escalation and resource limits.
Access control: role-based access, unique accounts, hashed passwords, multi-factor authentication, and secure session cookies.
Platform: reverse-proxy isolation, secrets injected at runtime and kept out of source control, production boot-guards that refuse to start with placeholder secrets.
Resilience: automated per-tenant database backups with a documented restore path.
Auditability: application audit logging of sensitive actions.
Organisational: least-privilege operational access, confidentiality obligations, version-controlled deployment.

Schedule 3 - Authorised sub-processors

Sub-processor	Purpose	Location / transfer basis
Stripe	Payment processing (billing data)	UK transfer mechanism
IONOS	Domain / DNS for tenant subdomains	UK / EU
Email provider	Transactional & onboarding email	UK / EU preferred
Backup provider (if used)	Encrypted off-site backups	UK / EU preferred

Core hosting and database operation are performed by Andrei Trimbitas trading as Old Forge Technologies on self-managed infrastructure (not a third-party cloud), which limits sub-processors. This schedule is updated whenever a sub-processor changes.