Data Processing Agreement
UK GDPR Article 28
This Data Processing Agreement forms part of the Improval Terms of Service and is incorporated by reference into the agreement between 23 Lobsters Ltd and the Customer.
For the purposes of this agreement:
Controller: The organisation or individual using Improval who determines the purposes and means of processing personal data.
Processor: 23 Lobsters Ltd (Company No. 14754401), provider of the Improval platform.
Contact: hello@improval.com
These Terms remain in force for as long as the Processor provides services involving the processing of personal data on behalf of the Controller.
Special Category Data
Personal Data
23 Lobsters Ltd acts solely as a data processor and does not determine the purposes for which consultation recordings are processed.
The Processor shall ensure that all sub-processors are subject to data protection obligations no less protective than those contained in these Terms.
This Data Processing Agreement forms part of the Improval Terms of Service and is incorporated by reference into the agreement between 23 Lobsters Ltd and the Customer.
For the purposes of this agreement:
Controller: The organisation or individual using Improval who determines the purposes and means of processing personal data.
Processor: 23 Lobsters Ltd (Company No. 14754401), provider of the Improval platform.
Contact: hello@improval.com
Scope and Duration
These Terms apply to the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Improval platform.These Terms remain in force for as long as the Processor provides services involving the processing of personal data on behalf of the Controller.
Nature and Purpose of Processing
The Processor processes personal data solely to provide the services requested by the Controller, including:- securely recording consultations and educational encounters;
- securely storing consultation recordings;
- enabling educational supervision and review;
- appraisal and portfolio management;
- professional learning and assessment;
- AI-assisted educational tools;
- secure document storage and collaboration;
- administration, reporting and audit functionality.
Categories of Data Subjects
Processing may relate to:- patients participating in recorded consultations;
- healthcare professionals, trainees and learners;
- supervisors, educators and assessors;
- authorised administrative users.
Categories of Personal Data
The Processor may process the following categories of personal data.Special Category Data
- video recordings;
- audio recordings;
- information relating to an individual’s physical or mental health disclosed during a consultation.
Personal Data
- names and contact details;
- user account information;
- professional role and organisation;
- recording metadata (such as date, time and duration);
- educational feedback, annotations and assessment information.
Roles of the Parties
The Controller remains responsible for determining the purposes and lawful basis for processing personal data.23 Lobsters Ltd acts solely as a data processor and does not determine the purposes for which consultation recordings are processed.
Processor Commitments
The Processor shall:- process personal data only on the documented instructions of the Controller;
- ensure all authorised personnel are subject to appropriate confidentiality obligations;
- implement appropriate technical and organisational security measures;
- assist the Controller in responding to requests from data subjects where reasonably required;
- assist the Controller in meeting its obligations under Articles 32–36 UK GDPR;
- notify the Controller without undue delay, and in any event within 48 hours, of any personal data breach affecting the Controller’s data;
- make available information reasonably necessary to demonstrate compliance with these Terms;
- delete or return personal data upon termination of the service, unless retention is required by law.
Sub-processors
The Controller authorises the Processor to engage sub-processors where reasonably necessary to provide the Services.The Processor shall ensure that all sub-processors are subject to data protection obligations no less protective than those contained in these Terms.
A current list of authorised sub-processors is available on request.
Where reasonably required, the Parties may agree appropriate audit arrangements.
These measures include:
Hosting
Encryption
Access Control
Data Retention
Security Management
Certifications
Use of AI
Customer data is never used by third-party AI providers to train or improve their foundation models. 23 Lobsters may use anonymised and aggregated information to evaluate and improve the Improval platform and its AI-assisted features.
International Transfers
Consultation recordings and associated personal data are stored within the United Kingdom.
Certain optional AI-powered features may involve limited processing outside the UK where this is necessary to provide the requested functionality. Where this occurs, appropriate safeguards under UK GDPR are applied, including contractual protections and ensuring that customer data is not used to train third-party AI models. This is currently only the patient simulation feature which uses OpenAI.
Certain optional AI-powered features may involve limited processing outside the UK where this is necessary to provide the requested functionality. Where this occurs, appropriate safeguards under UK GDPR are applied, including contractual protections and ensuring that customer data is not used to train third-party AI models. This is currently only the patient simulation feature which uses OpenAI.
Demonstrating Compliance
The Processor will make available information reasonably necessary to demonstrate compliance with these Terms, including relevant security documentation, NHS DSP Toolkit compliance, DTAC documentation and certification details where applicable.Where reasonably required, the Parties may agree appropriate audit arrangements.
Schedule 1 – Technical and Organisational Measures
The Processor maintains appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.These measures include:
Hosting
- UK (London) hosting and storage.
Encryption
- TLS encryption for data in transit.
- Encryption at rest for databases and stored recordings.
Access Control
- Role-based access control.
- Multi-factor authentication.
- Administrative access restricted to authorised personnel.
- Audit logging of system activity.
Data Retention
- Configurable retention periods.
- Controllers may delete recordings at any time.
- Automatic deletion at the end of the configured retention period.
Security Management
- Continuous security monitoring.
- Documented incident response procedures.
- Regular patching and vulnerability management.
- Staff confidentiality agreements and security awareness training.
Certifications
- ISO 27001 certified
- Cyber Essentials Plus certified
- NHS DSP Toolkit
- DTAC assessment completed