1. Roles and responsibilities
For clinical records you create about your clients (session notes, assessments, correspondence) you are the data controller and attune is the data processor. You decide why and how those records are processed; we host them on your behalf under your written instructions, which are the standing instructions captured in this agreement and any further instructions you give us in writing.
For platform-level data (the matching pipeline, billing, account security, marketing communications) attune is the controller in its own right.
2. Confidentiality and access
Only authorised attune personnel acting under a duty of confidence will access your client data, and only when strictly necessary to operate, support or secure the platform. We will not use client data to train AI models without your explicit, separate consent.
3. Security measures
- Encryption at rest using AES-256-GCM for messages and clinical session notes.
- TLS 1.2+ for all data in transit.
- Role-based access control with the principle of least privilege for our staff.
- UK and EEA data residency: clinical records are stored in UK or EU data centres.
- Regular backups with the same encryption standard.
4. Personal data breach notification
If we become aware of a personal data breach affecting your client records we will notify you, in writing, without undue delay and in any event within 24 hours of discovery. The notification will include what we know about the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take. This window is tighter than the regulator-facing 72-hour deadline so you have time to make your own assessment before reporting to the ICO.
5. Retention
We retain clinical records for seven (7) years after the last booked session or last activity on the client's account, consistent with BACP and NHS post-discharge guidance for adult mental-health records. You may request earlier erasure by giving us written instructions; we will honour those instructions except where retention is required by law or to defend a legal claim.
6. Sub-processors
We use a small number of vetted sub-processors. The current list is published at attune-therapeutics.uk/legal/sub-processors and includes (placeholders, kept current there):
- Hosting and storage: Hetzner (UK / EU regions).
- Email delivery: Resend.
- Payments: Stripe (PCI-DSS scope only).
- Scheduling: Cal.com.
- Product analytics: PostHog (EU region).
- Error monitoring: Sentry.
We will give you written notice before adding or replacing a sub-processor. If you reasonably object on data-protection grounds we will work with you to resolve the issue or, if we cannot, allow you to terminate without penalty.
7. International transfers
Where a sub-processor processes data outside the UK or EEA, the transfer is covered by the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision in force at the time.
8. Assistance with your obligations
We will assist you, taking into account the nature of the processing, with responding to data-subject requests (access, rectification, erasure, portability, restriction and objection) and with your security, breach-reporting and DPIA obligations. Self-service tooling for the common cases is built into the therapist dashboard.
9. Return or deletion on termination
On termination of your account, and at your written choice, we will return or delete the client data we hold on your behalf, subject to clause 5 (retention required by law).
10. Audit
On reasonable written notice we will make available the information necessary to demonstrate compliance with this agreement, including, where required, allowing for and contributing to audits conducted by you or an auditor mandated by you. We may satisfy this obligation by sharing third-party certifications and audit reports where appropriate.
11. Governing law
This agreement is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with it.
Sub-processors
attune engages a small set of vendors to deliver the platform - hosting, payments, transactional email, error tracking. The full, current list (provider, purpose, region, transfer mechanism) is published at /legal/sub-processors and is updated whenever the supply chain changes.
We will give you at least 30 days' written notice before adding or replacing a sub-processor. You may object in writing during that window by emailing [email protected]; if we cannot reasonably mitigate the objection you may terminate the affected services without penalty.
Version 2026-04-28-v1. This page is the static reference copy of the agreement currently in force.