Data Processing Agreement
Between Ophthalmic Supplies and Solutions Ltd t/a CQC IQ (Processor) and Customer (Controller) · Version 1.0 · Effective Date: 9 April 2026
This Data Processing Agreement ("DPA") is entered into between:
This DPA forms part of the Terms of Service between CQC IQ and the Customer and applies where CQC IQ processes personal data on behalf of the Customer in connection with the Service. This DPA is intended to comply with the requirements of UK GDPR Article 28.
1. Definitions
- "Applicable Data Protection Law": The UK General Data Protection Regulation as it forms part of retained EU law by virtue of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018, as amended from time to time.
- "Personal Data": Has the meaning given in Applicable Data Protection Law.
- "Processing": Has the meaning given in Applicable Data Protection Law.
- "Data Subject": An identified or identifiable natural person whose personal data is processed.
- "Sub-processor": Any third party engaged by CQC IQ to process Personal Data under this DPA.
- "Security Incident": Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles of the Parties
The parties acknowledge that:
- The Customer is the Data Controller in respect of Personal Data processed through the Service
- CQC IQ is a Data Processor, processing Personal Data only on behalf of and on the instructions of the Customer
- Each party is independently responsible for its own compliance with Applicable Data Protection Law
3. Details of Processing
3.1 Subject Matter
CQC IQ processes Personal Data to provide the CQC IQ platform and associated services as described in the Terms of Service.
3.2 Duration
CQC IQ will process Personal Data for the duration of the Customer's Subscription and for 30 days thereafter (for the purposes of data export), unless a longer retention period is required by law.
3.3 Nature and Purpose of Processing
Processing is carried out for the purpose of providing the Service, which includes:
- Storing and retrieving checklist completion data
- Processing AI mock inspector session inputs and outputs
- Analysing video frames for compliance issues (Clinic Walkthrough Scan)
- Sending transactional emails to Authorised Users
- Providing readiness scores and reporting
3.4 Types of Personal Data
The Personal Data processed includes:
- Names and email addresses of Authorised Users
- Job titles and organisational roles
- Activity data and usage logs
- Content entered into the Service by Authorised Users (notes, action descriptions, playbook content)
3.5 Categories of Data Subjects
The Data Subjects are Authorised Users of the Service — employees, contractors and agents of the Customer.
4. CQC IQ's Obligations
4.1 Instructions
CQC IQ will process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Terms of Service and this DPA constitute the Customer's instructions to CQC IQ.
4.2 Confidentiality
CQC IQ will ensure that all personnel authorised to process the Personal Data are bound by appropriate confidentiality obligations.
4.3 Security
CQC IQ will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Pseudonymisation and encryption of Personal Data
- Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner in the event of an incident
- Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures
4.4 Sub-processors
The Customer provides general authorisation to CQC IQ to engage sub-processors. CQC IQ will:
- Inform the Customer of any intended changes to sub-processors with at least 14 days' notice
- Impose equivalent data protection obligations on sub-processors by contract
- Remain liable to the Customer for the performance of sub-processors' obligations
4.5 Data Subject Rights
CQC IQ will assist the Customer in fulfilling its obligations to respond to Data Subject rights requests, having regard to the nature of the processing. Given the nature of the Service, most Data Subject rights requests will relate to Authorised Users who can exercise their rights directly through account settings.
4.6 Data Protection Impact Assessments
CQC IQ will provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities where required.
4.7 Security Incidents
CQC IQ will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data processed under this DPA. The notification will include, to the extent available:
- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of CQC IQ's data protection contact
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
4.8 Deletion or Return
Upon termination of the Service, CQC IQ will, at the Customer's choice, delete or return all Personal Data to the Customer within 30 days, and delete existing copies unless required to retain them by law.
4.9 Audit
CQC IQ will make available all information necessary to demonstrate compliance with the obligations in this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor. The Customer may request such an audit no more than once per year and must give at least 30 days' written notice.
5. Customer's Obligations
The Customer represents and warrants that:
- It has a lawful basis for the processing of Personal Data through the Service
- It has provided all necessary notices to Data Subjects and obtained all necessary consents
- The Personal Data provided to CQC IQ does not include patient-identifiable information or special category data
- It will comply with its obligations as Data Controller under Applicable Data Protection Law
- It will only instruct CQC IQ to process Personal Data in accordance with Applicable Data Protection Law
6. International Transfers
The parties acknowledge that CQC IQ uses Anthropic, Inc. (USA) as a sub-processor for AI features. This transfer is subject to appropriate safeguards in accordance with UK GDPR, including the UK International Data Transfer Agreement (IDTA) or equivalent mechanism. By using AI features, the Customer consents to this transfer on the basis of such safeguards.
7. Term and Termination
This DPA shall continue in force for so long as CQC IQ processes Personal Data on behalf of the Customer. It automatically terminates upon termination of the Terms of Service and completion of data deletion obligations.
8. Governing Law
This DPA is governed by the laws of England and Wales.
9. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of the subject matter of data protection.
Schedule 1 — Approved Sub-processors
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Anthropic, Inc. | AI processing (Mock Inspector, Scenarios, Walkthrough Scan) | USA | UK IDTA / SCCs |
| Amazon Web Services | Cloud hosting, database, file storage | EU (Ireland) | AWS DPA |
| Stripe, Inc. | Payment processing | USA | Stripe DPA / SCCs |
| Twilio / SendGrid | Transactional email | USA | SCCs |
| Railway / Render | Application hosting | EU | Standard terms |
