Data Processing Agreement

Last updated: 1 April 2026 · Incorporated into the Terms of Service

1. Parties

This Data Processing Agreement ("DPA") is between:

  • Data Processor: New Vantage Co Ltd, a company registered in England and Wales, trading as SightSync ("we", "us", "Processor").
  • Data Controller: The optical practice or organisation that has agreed to the SightSync Terms of Service ("you", "Practice", "Controller").

This DPA is incorporated into and forms part of the SightSync Terms of Service. By using SightSync, you agree to this DPA on behalf of your organisation.

2. Definitions

Terms used in this DPA have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
  • Patient Data means personal data relating to the Controller's patients uploaded to SightSync.
  • Sub-processor means any third party engaged by the Processor to process personal data on behalf of the Controller.

3. Subject matter and nature of processing

The Processor operates the SightSync platform, which provides AI-powered patient recall services for UK optical practices. Processing activities include:

  • Storing patient names, phone numbers, email addresses, date of birth, NHS number, and last examination date
  • Initiating outbound AI voice calls to patients on behalf of the Controller
  • Recording call transcripts and outcomes
  • Syncing appointment bookings with practice management systems and calendars
  • Sending SMS and email follow-up messages
  • Screening numbers against TPS/CTPS registers

4. Duration of processing

Processing begins when the Controller first uploads patient data and continues until the earlier of:

  • The Controller's account is cancelled and the 90-day data retention period expires
  • The Controller submits a valid erasure request and the Processor fulfils it
  • The Processor ceases to operate the SightSync platform

5. Controller's obligations

The Controller warrants and undertakes that:

  • It has a lawful basis under UK GDPR to share patient data with the Processor (typically legitimate interests, Article 6(1)(f), for recall of existing patients)
  • It has made the required privacy disclosures to patients and maintained its own ICO registration as a data controller
  • It is registered with and in good standing with the General Optical Council (GOC)
  • It will not upload special category data (as defined in Article 9 UK GDPR) beyond what is necessary for recall purposes
  • It will promptly notify the Processor of any data subject requests that require action under this DPA

6. Processor's obligations

The Processor undertakes to:

  • Process patient data only on documented instructions from the Controller (as set out in these terms and the platform's intended use)
  • Ensure all personnel with access to patient data are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 8)
  • Assist the Controller in responding to data subject requests within statutory timeframes
  • Notify the Controller without undue delay upon becoming aware of a personal data breach affecting patient data, and in any case within 72 hours of becoming aware
  • Delete or return all patient data upon the Controller's written request or account termination, subject to the retention periods in Section 9
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA

7. Sub-processors

The Controller grants general authorisation for the Processor to engage the following sub-processors. The Processor will notify the Controller by email of any intended addition or replacement of sub-processors at least 14 days before the change takes effect. If the Controller objects in writing within that period, the Processor will not engage the new sub-processor without the Controller's written consent. If no objection is received within 14 days, the Processor may proceed.

Supabase Inc. | Database, authentication, and real-time infrastructure | USA (EU/UK SCCs)
Vercel Inc. | Application hosting and edge functions | USA (EU/UK SCCs)
Twilio Inc. | Voice calls, SMS delivery, phone number provisioning | USA (EU/UK SCCs)
Vapi AI Inc. | AI voice call orchestration (primary provider) | USA (EU/UK SCCs)
Bland AI Inc. | AI voice call orchestration (fallback provider) | USA (EU/UK SCCs)
Stripe Inc. | Payment processing and billing | USA (EU/UK SCCs)
Resend Inc. | Transactional email delivery | USA (EU/UK SCCs)
Upstash Inc. | Rate limiting and session caching (Redis) | USA (EU/UK SCCs)
Anthropic PBC | AI analysis of call outcomes and transcripts | USA (EU/UK SCCs)
Google LLC | Calendar integration (optional, controller-initiated) | USA (EU/UK SCCs)
Microsoft Corporation | Bookings integration (optional, controller-initiated) | USA (EU/UK SCCs)

SCCs = Standard Contractual Clauses approved by the UK ICO for international transfers (IDTA where applicable).

8. Security measures

The Processor maintains the following technical and organisational measures:

  • Encryption in transit: TLS 1.3 for all data in transit
  • Encryption at rest: AES-256 via Supabase managed encryption
  • Access control: Row-level security (RLS). Each practice can only access their own data; no cross-tenant data access is possible.
  • Authentication: Supabase Auth with bcrypt-hashed passwords; passkey (WebAuthn) support; new device login alerts
  • API security: Bearer token authentication; rate limiting; audit logging of all API calls
  • Breach detection: Anomaly detection cron (daily); new device alerts sent to practice owner immediately
  • Third-party credentials: PMS API keys and OAuth tokens encrypted at the application layer before storage
  • Call recordings: Recording URLs purged after 12 months; transcripts purged after 24 months
  • Vulnerability management: Weekly automated security scan; dependency audit

9. Data retention

Patient PII (name, phone, email, DOB) | 90 days after account cancellation, then permanently deleted
Call transcripts | 24 months from call date, then permanently deleted
Call recordings (audio files) | 12 months from call date, then URL purged
Call logs (outcome, duration, status) | Retained indefinitely (GOC audit trail obligation)
Opt-out records | Retained indefinitely (PECR compliance: must not re-contact)
Billing records | 7 years (UK tax law, HMRC requirement)
API audit logs | 90 days

10. Data subject rights

When the Processor receives a data subject request (access, erasure, rectification, portability, restriction, or objection) relating to patient data controlled by a Practice, the Processor will:

  • Notify the Controller within 5 working days
  • Provide the Controller with technical assistance to fulfil the request within the UK GDPR 30-day deadline
  • Not respond directly to the data subject without the Controller's authorisation (unless required by law)

Practices can manage GDPR requests directly in the SightSync dashboard under Settings → Data Requests, or via the API at POST /api/v1/data-requests.

11. Data breach notification

In the event of a personal data breach affecting patient data, the Processor will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware of the breach
  • Provide information about the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
  • Cooperate fully with the Controller and the ICO where required

The Controller is responsible for notifying the ICO and affected data subjects as required by UK GDPR Articles 33 and 34.

12. Termination and deletion

Upon termination of the service agreement (cancellation of account):

  • The Controller has 90 days to export patient data via the dashboard
  • After 90 days, all patient PII is permanently and irreversibly deleted
  • Billing records, opt-out records, and compliance audit logs are retained as described in Section 9

To request earlier deletion, contact us at care@sightsync.io or use the account deletion feature in Settings.

13. Governing law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

This DPA reflects the requirements of UK GDPR and the Data Protection Act 2018. References to "GDPR" throughout this document mean the UK GDPR as applicable in the United Kingdom following Brexit.

14. Contact

For any questions about this DPA, data subject requests, or to report a suspected breach:

New Vantage Co Ltd (SightSync)
Email: care@sightsync.io
Phone: 020 3435 6769

New Vantage Co Ltd · London, United Kingdom