Data Processing Agreement
The framework under which ITLOX LTD processes personal data and Protected Health Information on behalf of careos platform customers, under UK GDPR, the Data Protection Act 2018, HIPAA and applicable US state law.
This Data Processing Agreement (“DPA”) forms part of the agreement between ITLOX LTD (“Processor”, “ITLOX”) and the customer identified on the applicable order form (“Controller”, “Customer”) for use of careos platform (the “Service”), and should be read together with the Terms of Service and the Privacy Policy.
1. Roles and relationship
1.1 With respect to Customer Personal Data processed through the Service, Customer is the Controller and ITLOX is the Processor. Where Customer is itself a processor for a further controller, Customer warrants that it has authority from that further controller to engage ITLOX as a sub-processor on the terms of this DPA.
1.2 Where the Service processes Protected Health Information (“PHI”) on behalf of a US Covered Entity, ITLOX acts as a Business Associate under HIPAA and the parties will execute a Business Associate Agreement (“BAA”) consistent with 45 CFR Parts 160 and 164. In the event of conflict between the BAA and this DPA in respect of PHI, the BAA prevails.
2. Subject matter, duration and purpose
2.1 Subject matter. The processing of Customer Personal Data necessary for ITLOX to provide the Service in accordance with the order form, Terms of Service and Documentation.
2.2 Duration. From the effective date of the order form until termination, plus any data retention period required for return or deletion.
2.3 Purpose. Orchestrating regulated care delivery using the Care Graph, AgentOS, Evidence Ledger and related modules subscribed to by Customer.
2.4 Nature of processing. Hosting, storing, retrieving, transmitting, analysing, aggregating, encrypting, logging, and deleting Customer Personal Data, including automated processing by governed AI workers within AgentOS.
2.5 Types of personal data. Identity, contact, clinical, operational, financial (where billing is handled inside the tenant), device, location (where applicable), and special category data including health, genetic and, where enabled, biometric data.
2.6 Categories of data subjects. Patients, service users, carers and proxies, clinicians, operational staff, and authorised users of the Customer.
3. Customer instructions
3.1 ITLOX shall process Customer Personal Data only on documented instructions from Customer, including the instructions embodied in the order form, this DPA, the Documentation, and the tenant configuration set by Customer through the Service. ITLOX shall promptly inform Customer if, in its opinion, an instruction infringes applicable data protection law.
3.2 ITLOX may process Customer Personal Data without Customer instructions where required to do so by law, in which case ITLOX shall inform Customer of the legal requirement before processing, unless prohibited by that law on important grounds of public interest.
4. Confidentiality
4.1 ITLOX ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations, have received appropriate training, and are granted access on a strict need-to-know basis.
5. Technical and organisational measures
5.1 ITLOX implements and maintains appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, as further described in Schedule B. The TOMs include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- Tenant isolation with server-side scoped access on every path and database-level guardrails;
- Role-based access control, multi-factor authentication, device trust, and just-in-time elevation with break-glass review;
- Append-only audit via the Evidence Ledger, with cryptographic anchoring and tamper-evidence;
- Vulnerability management, dependency scanning, code review and periodic penetration testing;
- Security monitoring, anomaly detection and incident response with defined severity model and communication path;
- Backup, restore and quarterly restore testing with evidence;
- Change management with feature flags, canary releases and rollback paths;
- Supplier management with due diligence, contractual protections and monitoring.
6. Sub-processors
6.1 Customer grants ITLOX general authorisation to engage sub-processors to provide the Service, subject to the obligations of this Section 6.
6.2 ITLOX maintains a current list of sub-processors in Schedule C, available at a URL notified to Customer. ITLOX will give Customer at least 30 days’ notice of the addition or replacement of a sub-processor before authorising that sub-processor to process Customer Personal Data. Customer may object on reasonable grounds related to data protection; the parties will work in good faith to resolve the objection. If unresolved, Customer may terminate the affected part of the order form without penalty.
6.3 ITLOX shall impose data protection obligations on its sub-processors that are no less protective than those in this DPA and remains liable to Customer for the performance of its sub-processors.
7. International data transfers
7.1 ITLOX will not transfer Customer Personal Data outside the UK or EEA to a jurisdiction without an adequacy decision unless appropriate safeguards are in place. Customer instructs ITLOX to enter into the UK International Data Transfer Agreement (“IDTA”) or the EU Standard Contractual Clauses (“SCCs”) with sub-processors where applicable.
7.2 Where Customer has selected a UK or US regional deployment on the order form, ITLOX will keep Customer Personal Data within that region in normal operation, subject to incidental remote access for support under contractual safeguards and logging.
7.3 ITLOX has conducted transfer impact assessments for its default sub-processor set and will provide summaries to Customer on reasonable request.
8. Assistance to Customer
8.1 Taking into account the nature of processing and the information available, ITLOX shall assist Customer in fulfilling Customer’s obligations to:
- Respond to requests for exercise of data subject rights (Art. 12–22);
- Ensure security of processing, notification of personal data breaches, and communication of breaches to data subjects where required (Art. 32–34);
- Carry out data protection impact assessments and prior consultation (Art. 35–36).
9. Personal data breaches
9.1 ITLOX shall notify Customer without undue delay and in any event within 24 hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. The notification shall include, to the extent known, the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
9.2 Where ITLOX acts as a Business Associate under HIPAA, breach notification to Customer shall meet the requirements of 45 CFR 164.410.
9.3 ITLOX will cooperate with Customer’s regulatory notifications, including notification to the ICO within 72 hours where applicable under Art. 33.
10. Audit rights
10.1 ITLOX shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. ITLOX will satisfy audit obligations primarily by providing:
- Third-party certifications and attestations, including ISO/IEC 27001 and SOC 2 Type II (on the roadmap or, once achieved, current reports);
- Summaries of penetration test results and remediation status;
- Responses to Customer security questionnaires once per year;
- An annual desk-based audit questionnaire with supporting evidence.
10.2 Where the above is insufficient to meet a binding regulatory requirement, Customer may conduct an on-site audit with at least 30 days’ notice, at Customer’s cost, during business hours, subject to confidentiality and without materially disrupting the Service. Audits must not compromise the security, confidentiality or availability of other customers’ data.
11. Return and deletion
11.1 At Customer’s choice, on termination of the Service, ITLOX will return or delete all Customer Personal Data, unless retention is required by law. The return or deletion shall be completed within 30 days of termination, with confirmation supplied on request.
11.2 Backups will be overwritten in accordance with the standard retention window and then permanently deleted.
12. Liability
12.1 Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service and the order form, except where applicable law prohibits such limitation.
13. Precedence and changes
13.1 In the event of conflict between this DPA and the Terms of Service in respect of the processing of Customer Personal Data, this DPA prevails. ITLOX may update this DPA from time to time to reflect changes in law, guidance from supervisory authorities, or evolving industry practice. Material changes will be notified to Customer administrators at least 30 days in advance.
Schedule A — Processing details
- Subject matter: provision of careos platform to Customer.
- Duration: the term of the order form plus required retention.
- Nature and purpose: hosting, orchestrating, analysing and auditing data used in the delivery of regulated care.
- Types of personal data: identity, contact, clinical, operational, device, and special category data including health data.
- Categories of data subjects: patients, carers, clinicians, operational staff, authorised users.
- Sensitive data: health, genetic and, where enabled, biometric data, subject to heightened controls.
- Frequency of transfer: continuous, for the duration of the contract.
- Retention: per Customer configuration and the Privacy Policy; typically retained for the contract duration plus the window specified in the order form.
Schedule B — Technical and organisational measures
- Access control and authentication: SSO, MFA, device trust, least-privilege, JIT elevation with break-glass review.
- Encryption: TLS 1.2+ in transit; AES-256 at rest for databases, files, backups and search indices; managed key rotation.
- Network security: segmented environments, private networks, WAF, DDoS protection and rate limiting.
- Application security: secure SDLC, code review, dependency scanning, SAST/DAST, periodic penetration testing.
- Logging and monitoring: Evidence Ledger, SIEM, anomaly detection, real-time alerting.
- Incident response: documented playbooks, defined severity and communication model, customer notification commitments.
- Backup and recovery: encrypted backups, RPO ≤ 15 minutes and RTO ≤ 4 hours for core services, quarterly restore tests with evidence.
- Physical security: provided through certified cloud infrastructure providers with ISO 27001 and SOC 2.
- Personnel: background screening where lawful, annual training, confidentiality obligations, timely offboarding.
- Supplier management: due diligence, contractual controls, periodic reassessment.
- Change management: feature flags, canary releases, rollback paths, change advisory for high-risk changes.
- Business continuity: multi-zone deployment, documented disaster recovery runbooks, periodic drills.
Schedule C — Approved sub-processors
The current list of sub-processors is maintained by ITLOX and available to Customer administrators on request. As of the effective date of this DPA, the categories of sub-processor include:
- Cloud infrastructure: primary hosting for Europe and the USA regions.
- Observability and error tracking: collection of application telemetry and diagnostic events, excluding PHI by design.
- Transactional email delivery: service notifications, account and security communications.
- Model providers: where AgentOS uses third-party foundation models, providers are contractually prevented from training on Customer Personal Data.
- Support tooling: ticketing and customer communications, without default access to tenant content.
- Billing and invoicing: commercial administration only, no PHI.
Contact
Data protection enquiries: dpo@careosp.com
Legal: legal@careosp.com
General: hello@careosp.com