1. Our role
For website enquiries and our own business records, ServPatch acts as data controller. For care record data that customers enter into the ServPatch platform, ServPatch acts as data processor, and the customer organisation is the data controller.
2. Lawful basis
We rely on contract, legitimate interest and legal obligation as our lawful bases, as set out in full in our Privacy Policy. Customers using the platform for care records are responsible for identifying their own lawful basis for processing service-user and staff data, typically a mix of contract, legal obligation and vital interests.
3. Data Processing Agreement
Every customer contract is supported by a Data Processing Agreement (DPA) covering the scope of processing, sub-processors, security measures, breach notification and data return or deletion on termination. A copy of our standard DPA is available on request from [email protected].
4. Security measures
Data is hosted in UK data centres, encrypted in transit and at rest, and protected by role-based access control. Access is logged and reviewed. Formal NHS DSPT and Cyber Essentials accreditation are on our roadmap.
5. International transfers
We do not routinely transfer personal data outside the UK. Where a sub-processor requires a transfer, we rely on an appropriate safeguard such as the UK International Data Transfer Addendum.
6. Data subject rights
Individuals can request access, correction, deletion, restriction or portability of their personal data. Where ServPatch is a data processor, such requests are usually directed to the relevant care provider as data controller; we support our customers in responding within statutory timeframes.
7. Breach notification
In the event of a personal data breach, we will notify affected customers without undue delay so they can meet their own regulatory notification obligations, including to the Information Commissioner's Office where required.
8. Contact us
Data protection queries can be sent to [email protected].