1. Parties
This DPA is between:
- Nemora Healthcare Solutions Ltd ("Nemora", the "Processor"), a company registered in England and Wales under company number 17097373, with registered office at 29 Fernwood, Runcorn, Cheshire, WA7 6UT; and
- The customer (the "Controller") that has agreed to use Willow for one or more residents under our Terms of Service or under a separate written order form.
2. Definitions
Capitalised terms not defined in this DPA take their meaning from the UK GDPR. "UK GDPR" means the United Kingdom General Data Protection Regulation (the EU GDPR as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018). "Processing" has the meaning given to it in UK GDPR Article 4.
3. Subject matter, duration, nature and purpose
| Field | Description |
|---|---|
| Subject matter | Provision of the Willow dementia-companion service and the Willow Companion family app. |
| Duration | The term of the Controller's subscription to Willow, plus any post-termination retention required by section 12 below. |
| Nature | Hosting, transmission, storage and limited automated processing (e.g. message delivery, push notifications, video-call signalling) of personal data the Controller and its authorised users provide. |
| Purpose | Delivery of the Service in accordance with the Controller's documented instructions. |
| Type of personal data | Resident first name and preferred name; resident decade of birth; optional life-story content (text, photographs, audio); resident wellbeing preferences. Family-member name, relationship and email address. Push notification tokens. Family messages. |
| Categories of data subject | Care-home residents, family members of residents, and care staff. |
4. Controller's instructions
Nemora will process personal data only on the Controller's documented instructions. The instructions for the routine operation of the Service are set out in our Terms of Service, this DPA, and the Controller's configuration of the Service. Any other processing requires a separate written instruction from the Controller. Nemora will inform the Controller without delay if, in Nemora's opinion, an instruction infringes UK data-protection law.
5. Confidentiality
Nemora ensures that anyone authorised to process personal data is bound by a duty of confidentiality (whether by contract, employment terms, or statutory obligation) and is appropriately trained in data protection.
6. Security measures
Nemora implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include, at a minimum:
- TLS 1.2+ encryption for all data in transit between the apps and our servers.
- Encryption at rest for sensitive fields stored in our backend data store (Cloudflare KV).
- Short-lived authentication tokens; long-lived database credentials are not exposed to client devices.
- Cloudflare Workers serverless architecture, which removes a class of server-administration risk.
- Role-based access for Nemora staff, granted on a need-to-know basis only and logged.
- Annual review of security measures, with updates as the threat landscape changes.
- An incident-response plan covering detection, containment, notification and post-incident review.
A current security overview is published at nemorahealthcaresolutions.com/security.
7. Subprocessors
The Controller authorises Nemora to engage the subprocessors listed at nemorahealthcaresolutions.com/subprocessors. We will give the Controller at least 30 days' notice of any new subprocessor by updating that page; the Controller may object to a new subprocessor on reasonable data-protection grounds within that notice period. Nemora ensures every subprocessor is bound by data-protection terms equivalent to those in this DPA.
8. International transfers
Where Nemora or its subprocessors process personal data outside the United Kingdom, Nemora relies on one of the transfer mechanisms permitted by UK GDPR, typically the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, or an equivalent UK adequacy decision. The current list of subprocessors and their processing locations is at /subprocessors.
9. Data subject rights
The Controller is responsible for responding to data subject requests under UK GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making). Nemora will assist the Controller, taking into account the nature of the processing, by providing appropriate technical and organisational measures, including:
- Tools in the carer dashboard for exporting and deleting resident data.
- A point of contact at info@nemorahealthcaresolutions.com for requests that the dashboard cannot satisfy.
- Reasonable cooperation with the Controller's responses, at no additional charge except where requests are manifestly unfounded or excessive.
10. Personal data breach notification
Nemora will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification will include:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate its effects.
- Contact details of Nemora's data protection point of contact.
11. Audits
On reasonable written notice (at least 30 days, except in the event of a breach), the Controller may audit Nemora's compliance with this DPA. Audits may be carried out remotely by reviewing documentation, or, where strictly necessary, on-site at Nemora's offices during business hours. The Controller will bear its own audit costs and Nemora's reasonable costs of supporting an on-site audit. The Controller will treat any information obtained during an audit as Nemora's confidential information.
12. Return or deletion of personal data
On termination of the underlying Service contract, and at the Controller's written option, Nemora will either:
- Return the Controller's personal data in a machine-readable format; or
- Delete the Controller's personal data, and instruct subprocessors to do the same, except to the extent applicable law requires Nemora to retain it.
Deletion will be completed within 30 days of termination unless the Controller requests a different period in writing. Nemora will provide written confirmation of deletion on request.
13. Liability
Each party's liability under this DPA is subject to the liability framework in the Terms of Service or order form between the parties. Nothing in this DPA limits liability that cannot be limited at law (including liability for death or personal injury caused by negligence, fraud, or wilful misconduct).
14. Order of precedence
In the event of conflict, the terms of this DPA prevail over the Terms of Service in respect of the processing of personal data. If a separate countersigned order form between the parties contains conflicting data-protection terms, that order form prevails.
15. Governing law
This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with it.
16. Contact
Data-protection point of contact:
info@nemorahealthcaresolutions.com
Nemora Healthcare Solutions Ltd
ICO registration ZC107502
Annex A — Technical and organisational measures
See section 6 above and the public security overview at /security. The list of subprocessors at /subprocessors forms part of Annex A.
Annex B — Subprocessor list
Maintained as a living document at nemorahealthcaresolutions.com/subprocessors. The list at the time of signature forms part of this DPA, and the notification process in section 7 governs subsequent changes.
Signature block
This DPA is incorporated by reference into the Service order between the parties; no separate signature is required for it to take effect when the order is signed. If your procurement process requires a countersigned copy, please email info@nemorahealthcaresolutions.com and we will provide a Word/PDF version for execution.