Data Processing Agreement

This agreement sets out the terms under which Geeky Medics Limited processes personal data on behalf of institutions using SimChat.

This Data Processing Agreement ("DPA") forms part of the agreement between the institution identified in the applicable service agreement ("Controller") and Geeky Medics Limited ("Processor") for the provision of SimChat services.

This DPA is governed by and shall be interpreted in accordance with the laws of England and Wales. It supplements and is incorporated into any existing service agreement, order form, or terms of service between the parties.

Where the Processor's general Privacy & Cookies Policy describes Geeky Medics Limited as the Data Controller, that reflects the direct-to-consumer relationship with individual users who sign up independently. For institutional customers, this DPA takes precedence: the institution is the Data Controller and Geeky Medics Limited is the Data Processor for the processing described herein.

1. Definitions

In this DPA, the following terms have the meanings given below. Capitalised terms not defined here have the meanings given in the UK GDPR or the applicable service agreement.

  • "Applicable Data Protection Law" means the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, and any subordinate legislation, guidance, or codes of practice issued under them, as amended or replaced from time to time.
  • "Controller" means the institution that determines the purposes and means of processing Personal Data through SimChat, as identified in the applicable service agreement.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the SimChat platform.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processor" means Geeky Medics Limited, a company incorporated in England and Wales (company number 09523980), with its registered office at Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Services" means the SimChat AI-powered simulation training platform and related services provided by the Processor to the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and purpose of processing

2.1. The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Services, which includes:

  • (a) providing and managing user accounts for the Controller's students and staff;
  • (b) delivering AI-powered simulation scenarios, including text, voice, and video modes;
  • (c) generating automated feedback, checklist marking, and performance scores;
  • (d) producing reports and data exports as requested by the Controller or its authorised users;
  • (e) providing technical support and platform maintenance.

2.2. The duration of processing shall be for the term of the applicable service agreement between the parties, plus any retention period specified in section 10 of this DPA.

3. Data subjects and categories of personal data

3.1. The categories of Data Subjects are:

  • (a) students and learners registered by or on behalf of the Controller;
  • (b) staff and administrators designated by the Controller.

3.2. The categories of Personal Data processed are:

  • (a) Registration data: email address, first name, last name, hashed password, preferred language;
  • (b) Organisation data: organisation name, country, language, industry category;
  • (c) Simulation data: conversation transcripts (text, voice-to-text, and video-to-text), AI-generated feedback, checklist marking results, performance scores, session durations. Note: voice and video audio is streamed directly to the AI provider for real-time processing and transcription; it is not stored by the Processor;
  • (d) Self-assessment data: student answers to post-scenario questions and self-assessed results;
  • (e) Technical data: IP address, browser type, operating system.

3.3. The Processor does not knowingly process special category data. The Controller must instruct its users not to enter special category data (e.g. health data about real individuals) into simulation conversations.

4. Controller and Processor roles

4.1. For the processing described in section 2 (provision of the Services), the Controller is the Data Controller and the Processor is the Data Processor within the meaning of Applicable Data Protection Law. The Processor shall process Personal Data only on the Controller's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by law.

4.2. The Processor may anonymise and aggregate Personal Data such that individual Data Subjects can no longer be identified. Once data has been irreversibly anonymised, it ceases to be Personal Data under Applicable Data Protection Law. The Processor may use such anonymised data as an independent Data Controller for its own legitimate purposes, including:

  • (a) service improvement, product development, and quality assurance;
  • (b) educational research and benchmarking (published only in aggregate, anonymised form);
  • (c) AI model evaluation and platform performance monitoring.

4.3. The anonymisation process is irreversible and no attempt will be made to re-identify Data Subjects from anonymised data. The Processor's use of anonymised data does not affect or diminish the Controller's rights over identifiable Personal Data.

4.4. Anonymised transcripts may be retained indefinitely after account deletion. Identifiable transcripts will be handled in accordance with section 10.

5. Processor obligations

The Processor shall:

5.1. Process Personal Data only on documented instructions from the Controller, unless required by law. If the Processor is required by law to process Personal Data other than on the Controller's instructions, it shall notify the Controller of that legal requirement before processing, unless prohibited from doing so by law.

5.2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3. Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex A of this DPA.

5.4. Comply with the conditions for engaging Sub-processors set out in section 6.

5.5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the UK GDPR.

5.6. Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to the Processor.

5.7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless storage is required by law (see section 10).

5.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and scope.

5.9. Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law.

6. Sub-processors

6.1. The Controller provides general written authorisation for the Processor to engage Sub-processors for the provision of the Services. The Processor shall:

  • (a) maintain a list of current Sub-processors, as set out in Annex B of this DPA;
  • (b) notify the Controller of any intended changes to the list of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days of notification;
  • (c) impose on each Sub-processor, by way of a written contract, data protection obligations no less onerous than those set out in this DPA;
  • (d) remain fully liable to the Controller for the performance of each Sub-processor's obligations.

6.2. If the Controller objects to a new Sub-processor on reasonable data protection grounds and the Processor cannot reasonably accommodate the objection, either party may terminate the affected Services by giving 30 days' written notice.

7. Personal Data Breach

7.1. The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.

7.2. The notification shall include, to the extent available:

  • (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
  • (b) the name and contact details of the Processor's data protection contact;
  • (c) a description of the likely consequences of the breach;
  • (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

7.3. The Processor shall co-operate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

8. International transfers

8.1. The Processor stores and processes the majority of Personal Data within the United Kingdom, as detailed in Annex B.

8.2. Where a Sub-processor is located outside the United Kingdom or European Economic Area, the Processor shall ensure that an appropriate transfer mechanism is in place, such as:

  • (a) UK adequacy regulations;
  • (b) the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
  • (c) any other mechanism approved under Applicable Data Protection Law.

8.3. The Processor offers an Azure OpenAI UK configuration that processes all AI data within the United Kingdom, enabling institutions to keep all data within the UK/EU. The Controller may request this configuration at any time.

9. Data Subject rights

9.1. The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under Chapter III of the UK GDPR (including access, rectification, erasure, restriction, portability, and objection).

9.2. The Processor shall not respond to any such request directly unless authorised by the Controller or required by law.

9.3. The Processor shall provide the Controller with reasonable assistance in responding to Data Subject requests, taking into account the nature of the processing.

10. Duration, termination, and data return

10.1. This DPA shall remain in effect for the duration of the service agreement between the parties and shall automatically terminate when the service agreement ends.

10.2. Upon termination or expiry of the service agreement, the Processor shall, at the Controller's choice:

  • (a) return all Personal Data to the Controller in a commonly used, machine-readable format (e.g. CSV, PDF); or
  • (b) securely delete all Personal Data and confirm deletion in writing.

10.3. The Controller shall communicate its choice within 30 days of termination. If no instruction is received within 90 days of termination, the Processor shall securely delete all identifiable Personal Data.

10.4. Anonymised data, from which individual Data Subjects cannot be re-identified, may be retained by the Processor indefinitely in accordance with section 4.2 of this DPA.

10.5. Sections 4 (roles), 7 (breach notification), 8 (international transfers), and this section 10 shall survive termination of this DPA.

11. Liability

11.1. Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the applicable service agreement.

11.2. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law to the extent such limitation is not permitted by law.

12. General

12.1. This DPA is governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any disputes arising under this DPA.

12.2. In the event of any conflict between the terms of this DPA and the applicable service agreement, the terms of this DPA shall prevail with respect to data protection matters.

12.3. The Processor's Data Protection Lead is Dr Lewis Potter, contactable at support@simchat.ai.


Annex A: Technical and organisational security measures

The Processor implements the following measures to protect Personal Data:

A.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS).
  • Passwords are hashed using PBKDF2 with a SHA-256 digest and are never stored in plaintext.
  • Database connections are encrypted in transit.

A.2 Access control

  • Role-based access control: users, authors, admins, and owners have distinct permission levels.
  • Multi-tenant architecture ensures strict data isolation between organisations.
  • Two-factor authentication is available for all user accounts.
  • Staff access to production systems is restricted to authorised personnel.

A.3 Infrastructure security

  • Platform hosted on DigitalOcean with managed infrastructure security.
  • Cloudflare provides DDoS protection, WAF, and SSL termination.
  • Regular security updates and patching of server software.

A.4 Data isolation

  • Each organisation operates as a separate tenant with isolated data.
  • Organisation subdomains enforce tenant boundaries at the application level.
  • Cross-tenant data access is prevented by application-level controls.

A.5 Monitoring and incident response

  • Application errors and exceptions are tracked via Sentry for rapid identification and resolution.
  • Incident response procedures are in place for security events and Personal Data Breaches.

A.6 Backups and availability

  • Regular automated database backups.
  • File storage on AWS S3 with built-in redundancy.

Annex B: Authorised Sub-processors

The following Sub-processors are authorised to process Personal Data on behalf of the Controller as at the date of this DPA:

| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| DigitalOcean, LLC | Platform hosting and database | All platform data | London, UK |
| Amazon Web Services (S3) | File and media storage | Organisation media, uploaded files | eu-west-2 (London, UK) |
| Microsoft Azure OpenAI Service | AI language model for simulations, marking, and feedback; real-time voice processing and transcription | Conversation messages, transcripts, prompts; transient voice audio stream (not stored by the Processor; retained by Azure for up to 30 days for abuse monitoring, or zero with modified abuse monitoring) | UK (default for institutional customers) |
| OpenAI, LLC | AI language model (alternative to Azure OpenAI); real-time voice processing and transcription | Conversation messages, transcripts, prompts; transient voice audio stream (not stored by the Processor; retained by OpenAI for up to 30 days for abuse monitoring, eligible for zero data retention) | United States * |
| Anam.ai Ltd | AI-powered video avatar technology | Conversation data for video mode. Real-time audio and video inputs are processed on a stateless basis (not retained beyond the interaction). Any processing is governed by Anam's Data Processing Addendum. | United Kingdom |
| Stripe, Inc. | Payment processing | Billing contact details, payment information | United Kingdom |
| Functional Software, Inc. (Sentry) | Error monitoring and debugging | Error context (may include user identifiers, IP addresses) | European Union |
| Cloudflare, Inc. | CDN, DDoS protection, SSL, CAPTCHA | IP addresses, request metadata | Global edge network (nearest node) |

* OpenAI is listed for completeness. Institutional customers are configured to use Microsoft Azure OpenAI Service (UK) by default, meaning no data is sent to OpenAI's US servers. The Controller may request confirmation of their AI provider configuration at any time.

Brevo (marketing emails) and Crisp (support chat) are used by the Processor for its own direct-to-consumer operations and do not process Personal Data submitted by institutional Controllers or their Data Subjects.

The Controller will be notified of changes to this list in accordance with section 6 of this DPA.