Data Processing Agreement
Last updated: 27 June 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Psychiatry Ink Ltd and the customer using Psychiatry.Ink where Psychiatry Ink Ltd processes personal data on behalf of the customer.
This DPA is intended to be accepted during signup, organisation setup, or execution of an order form, and should be read together with the Privacy Notice and Terms of Service.
1. Parties
Customer / Controller: the individual clinician, practice, clinic, hospital, organisation, or other legal entity using Psychiatry.Ink and determining the purposes and means of processing personal data.
Processor:
Psychiatry Ink Ltd
71–75 Shelton Street
Covent Garden
London, WC2H 9JQ
United Kingdom
Company number: 17275704
2. Definitions
“Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR, and any other data protection law applicable to the processing under the customer’s use of Psychiatry.Ink.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, and “Special Category Data” have the meanings given in Applicable Data Protection Law.
“Customer Data” means personal data submitted to Psychiatry.Ink by or on behalf of the customer, including clinical documentation, user account data, and related metadata.
3. Roles
For clinical and patient-related Customer Data, the customer is the controller and Psychiatry Ink Ltd is the processor, unless the parties agree otherwise in writing.
For Psychiatry Ink Ltd’s own account, billing, website, legal, and business-administration data, Psychiatry Ink Ltd may act as controller as described in the Privacy Notice.
4. Subject matter and duration
The subject matter is the provision of Psychiatry.Ink, including psychiatric documentation, dictation, template, AI, medication, laboratory, workflow, account, support, billing, and security functions.
Processing continues for the duration of the customer’s subscription, trial, pilot, account, or order form, and afterwards only as needed for deletion, return, backup expiry, legal compliance, security, dispute resolution, or as otherwise agreed.
5. Nature and purpose of processing
Processing may include collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission to authorised sub-processors, output generation, deletion, and export.
Purposes include:
- providing the Psychiatry.Ink service;
- generating, editing, summarising, formatting, translating, or organising clinical documentation;
- processing dictation or transcription;
- managing medication, laboratory, risk, template, and workflow functions;
- providing AI-supported features selected by the user;
- providing support and troubleshooting;
- securing, monitoring, auditing, and improving the service;
- administering accounts, billing, subscriptions, and credits.
6. Categories of data subjects
Depending on customer use, data subjects may include:
- professional users;
- employees, contractors, or staff of the customer;
- patients or service users documented by the customer;
- relatives, carers, legal representatives, prison staff, court contacts, or other third parties mentioned in clinical records;
- support contacts and billing contacts.
7. Categories of personal data
Depending on customer use, Customer Data may include:
- user identity and account data;
- professional role and organisation data;
- clinical notes, psychiatric history, mental-state examination, diagnosis, treatment, medication, laboratory, and risk-assessment data;
- dictated text, generated drafts, templates, correspondence, and document outputs;
- metadata such as timestamps, feature use, token usage, audit logs, and access logs;
- billing and subscription metadata.
8. Special category data
Customer Data may include health data, psychiatric data, medication data, disability data, forensic or detention-related data, and other special category or sensitive data if entered by the customer.
The customer is responsible for ensuring that it has an appropriate legal basis and special-category condition for such processing.
9. Customer instructions
Psychiatry Ink Ltd will process Customer Data only on the customer’s documented instructions, including instructions in the main agreement, product settings, order form, this DPA, and lawful user actions inside the service.
If Psychiatry Ink Ltd believes an instruction infringes Applicable Data Protection Law, it will inform the customer unless prohibited by law.
10. Confidentiality
Psychiatry Ink Ltd will ensure that persons authorised to process Customer Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.
11. Security measures
Psychiatry Ink Ltd will implement appropriate technical and organisational measures designed to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include those listed in Annex 2.
12. Sub-processors
The customer gives general authorisation for Psychiatry Ink Ltd to use sub-processors to provide the service, subject to the conditions in this DPA.
Psychiatry Ink Ltd maintains a list of sub-processors on the Sub-processors page and will require sub-processors to provide data protection obligations substantially equivalent to those in this DPA where required by law.
Psychiatry Ink Ltd will provide notice of material new sub-processors by updating the Sub-processors page, email, in-app notice, or another reasonable method. The customer may object on reasonable data-protection grounds within 30 days of that notice.
13. International transfers
Where Customer Data is transferred internationally, Psychiatry Ink Ltd will use appropriate safeguards where required, such as adequacy regulations, EU Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or other legally recognised safeguards.
For EU/EEA customers or EU/EEA data, the parties will complete the relevant SCC modules where required.
14. Assistance with data subject rights
Taking into account the nature of processing, Psychiatry Ink Ltd will provide reasonable assistance to the customer in responding to data subject requests where required by law and where the request relates to Customer Data processed by Psychiatry Ink Ltd as processor.
If Psychiatry Ink Ltd receives a request directly from a data subject relating to Customer Data, it will, where legally permitted and reasonably identifiable, forward the request to the customer or advise the requester to contact the customer.
15. Assistance with compliance
Taking into account the nature of processing and the information available to Psychiatry Ink Ltd, Psychiatry Ink Ltd will provide reasonable assistance with security, breach notification, data protection impact assessments, prior consultations, and related compliance obligations where required by Applicable Data Protection Law.
16. Personal data breach
Psychiatry Ink Ltd will notify the customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include available information reasonably required to help the customer meet its breach notification obligations.
17. Deletion and return
At the customer’s choice and subject to technical feasibility, legal retention duties, backup expiry, and payment obligations, Psychiatry Ink Ltd will delete or return Customer Data after the end of the service.
Backup copies may persist for a limited period until overwritten or deleted according to the backup retention schedule.
18. Audit and information rights
Psychiatry Ink Ltd will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be reasonable, proportionate, subject to confidentiality, limited to data-protection controls relevant to the service, and must not compromise security, other customers, trade secrets, or third-party confidentiality.
Psychiatry Ink Ltd may satisfy audit obligations through security documentation, questionnaires, third-party reports, certifications, or structured written responses.
19. Customer obligations
The customer must:
- use the service lawfully;
- configure privacy and retention settings appropriately;
- avoid unnecessary direct identifiers in AI features where possible;
- ensure end users are authorised and trained;
- maintain endpoint, password, and local-key security;
- provide required patient or staff privacy notices;
- ensure local clinical, institutional, and legal compliance;
- use production clinical data only when contractual and technical safeguards are in place.
20. Order of precedence
If there is a conflict between this DPA and the Terms of Service concerning processing of Customer Data as processor, this DPA takes precedence. If Standard Contractual Clauses apply, they take precedence where required by law.
Annex 1: Processing details
- Subject matter: provision of Psychiatry.Ink clinical documentation and workflow software.
- Duration: subscription, trial, pilot, account, or order-form period, and the deletion/retention wind-down.
- Nature: hosting, storage, retrieval, generation, transcription, editing, support, security, billing metadata, deletion/export.
- Purpose: providing and securing psychiatric documentation and workflow tools.
- Data subjects: professional users, customer staff, patients, relatives, carers, and third parties mentioned in clinical records.
- Personal data: account data, clinical notes, psychiatric documentation, medication/lab/risk data, user metadata, billing metadata.
- Special category data: health data and psychiatric data if entered by the customer.
- Frequency: continuous during use of the service.
Annex 2: Technical and organisational measures
Measures include:
- encryption in transit using HTTPS/TLS;
- encryption at rest where supported by infrastructure providers;
- a client-side encrypted local vault for selected identifiers and mappings where enabled;
- role-based access control;
- authentication and session controls;
- audit logging of relevant access and actions;
- separation of customer organisations where applicable;
- minimisation and de-identification features;
- backup and recovery controls;
- vulnerability and dependency management;
- security monitoring and an incident response process;
- staff or contractor confidentiality obligations;
- sub-processor due diligence;
- restricted production access;
- deletion/export workflows where available.
Annex 3: Sub-processors
The current sub-processor list is published on the Sub-processors page. The customer should review that page before using production clinical data.