Data Processing Agreement

This Data Processing Agreement ("Agreement") is made and entered by the following parties:

  1. Coherent Healthcare, a company registered under the laws of the United Kingdom, with its principal office located at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ (Company Registration Number: 15067010; ICO Registration Number: ZB797722) ("Coherent"), and

  2. The entity or organisation that uses Coherent Healthcare’s services to undertake data processing on its behalf ("Customer").

Coherent and the Customer may collectively be referred to as the "Parties" or individually as a "Party".

RECITALS

  1. WHEREAS, the Customer has entered into a separate agreement with the Data Processor to provide services ("Main Agreement");

  2. WHEREAS, Coherent will process certain personal data on behalf of the Customer as part of the services provided under the Main Agreement;

  3. NOW, THEREFORE, the Parties agree to the following terms and conditions regarding the processing of personal data and will ensure that they meet their obligations under the Data Protection Legislation.

1. Definitions and interpretations

For the purposes of this Agreement, the following terms shall have the meanings set out below, except where otherwise stated or the context otherwise requires:

  • “Controller” means a natural or legal person or organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be, processed;

  • “Processor” in relation to Personal Data, means any person (other than an employee of the Controller) who processes Personal Data on behalf of the Controller;

  • "Personal Data" means any information related to an identifiable natural person which can identify that individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  • “Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;

  • "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means;

  • "Data Subject" means the individual to whom the Personal Data relates;

  • "Sub-Processor" means any third party engaged by the Data Processor to process Personal Data;

  • "Data Protection Legislation" means (i) the UK GDPR; (ii) the DPA 2018 to the extent that it relates to the Processing of Personal Data and privacy; and (iii) any other Law in force from time to time with regards to the Processing of Personal Data and privacy, which may apply to either Party in respect of its activities under this Agreement;

  • “Services” means the service provided by Coherent Healthcare Limited; this service consists of payment facilitation and processing, using which Customers are able to generate and send payment links to Data Subjects, for payment online or on Customer premises;

  • “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK's Data Protection Act 2018.

2. Scope of this Data Processing Agreement

2.1 This Data Processing Agreement applies to all data processing activities undertaken by Coherent on behalf of the Customer.

2.2 This Data Processing Agreement constitutes the written instructions of the Customer to Coherent to process Personal Data in the manner described in the Schedule. Such instructions may be supplemented by the Customer from time to time if there are any changes to the services provided by Coherent.

3. Duration of Processing

3.1 This Data Processing Agreement shall remain in full force and effect for as long as the Customer continues to use the Services.

3.2 This Data Processing Agreement shall terminate automatically once the Customer no longer uses or has access to the Services.

4. Governing law and jurisdiction

4.1 This Data Processing Agreement is governed by and construed in accordance with the laws of England and Wales.

4.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Data Processing Agreement, or its subject matter or formation.

5. Data Controller’s Obligations

5.1 The Customer and Coherent acknowledge that, for the purpose of the Data Protection Legislation:

  • 5.1.1 the Customer is the Controller and Coherent is the Processor;

  • 5.1.2 the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the processing instructions it gives to Coherent.

5.2 The Customer warrants and represents that Coherent’s processing of Personal Data as contemplated under this Data Processing Agreement will comply with the Data Protection Legislation.

5.3 The Customer acknowledges that:

  • 5.3.1 it is responsible for ensuring its use of Coherent’s services is appropriate and complies with Data Protection Legislation; and

  • 5.3.2 its employees will not use the Services provided by Coherent in a manner which is unlawful or harmful.

5.4 The Schedule has been reviewed and approved by the Customer and sets out:

  • 5.4.1 the types of Personal Data and categories of Data Subject whose Personal Data are Processed;

  • 5.4.2 the categories of Processing carried out under this Data Processing Agreement; and

  • 5.4.3 a description of the technical and organisational measures adopted by Coherent to protect the Personal Data.

6. Coherent’s Obligations as the Data Processor

Processing Instructions:

6.1 Coherent must only process the Personal Data to the extent, and in such a manner, as is necessary for the purpose of providing the Services and in accordance with the Customer’s instructions. Coherent will not process the Personal Data in any other way or in a way that does not comply with this Data Processing Agreement or the Data Protection Legislation. Coherent will notify the Customer immediately if, in Coherent’s opinion, the Customer's instructions infringe Data Protection Legislation.

6.2 Coherent must comply with any Customer instruction to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

6.3 Coherent must maintain the confidentiality of the Personal Data and not disclose the Personal Data to third parties, unless the Customer or this Data Processing Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Information Commissioner's Office). If a domestic law, court or regulator requires Coherent to process or disclose the Personal Data to a third party, Coherent must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

6.4 Coherent must delete or return all Personal Data to the Customer, at the choice of the Customer, as requested at the point of termination of this Data Processing Agreement and shall provide confirmation that all copies of the Personal Data have been deleted within 90 days after termination of this Data Processing Agreement.

Rights of the Data Subject

6.5 Coherent must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable them to comply with:

  • 6.5.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and

  • 6.5.2 information or assessment notices served on the Customer by the Information Commissioner's Office under the Data Protection Legislation.

6.6 Coherent must notify the Customer promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

6.7 Coherent must notify the Customer within 5 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation. Subject to clause 6.20, if Coherent receives a request or other correspondence from a Data Subject, and such communication relates to the Personal Data Coherent is processing on behalf of the Customer, Coherent shall be entitled to respond to the Data Subject directly, but only to the extent necessary to assist the Data Subject in raising their response directly with the Customer. The provisions of this clause requiring Coherent to notify the Customer do not apply in circumstances where Coherent is unable to identify which Customer the relevant Data Subject is linked to (such as where the only information Coherent has about that Data Subject following a communication from them is an email address or mobile phone number).

6.8 Coherent will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.

6.9 Coherent must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions, this Data Processing Agreement, or as required by domestic law.

Security Measures

6.10 Coherent must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure, or damage of Personal Data including, but not limited to, the security measures set out in the Schedule.

6.11 Coherent must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  • 6.11.1 the pseudonymisation and encryption of Personal Data;

  • 6.11.2 the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

  • 6.11.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

  • 6.11.4 a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

Compliance

6.12 Coherent will reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of Coherent's processing and the information available to Coherent, including in relation to Data Subjects' rights, data protection impact assessments and reporting to and consulting with the Information Commissioner's Office under the Data Protection Legislation. Coherent shall appoint an individual within Coherent to act as a point of contact for any enquiries from the Customer relating to the Personal Data Coherent is processing on behalf of the Customer. They can be contacted at dpo@coherenthealthcare.com.

6.13 Such assistance provided by Coherent under clause 6.12 may include:

  • 6.13.1 the provision of all data reasonably requested by the Customer within the timescale reasonably specified by the Customer in each case, including full details and copies of any complaint, communication or request and any Personal Data it holds in relation to a Data Subject;

  • 6.13.2 where applicable, providing such assistance as is reasonably requested by the Customer to enable them to comply with the relevant request within the Data Protection Legislation statutory timescales;

  • 6.13.3 providing the Customer, at their request, with any Personal Data it holds in relation to a Data Subject, such as may be required to assist the Customer to respond to a query from a Data Subject; and

  • 6.13.4 assistance as requested by the Customer with respect to any request from a Supervisory Authority, or any consultation by the Customer with a Supervisory Authority (as such term is defined in the UK GDPR).

6.14 For assistance provided by Coherent in the preparation of any data protection impact assessment under clause 6.12, such assistance may include:

  • 6.14.1 providing a systematic description of the envisaged processing operations and the purpose of the processing;

  • 6.14.2 an assessment of the necessity and proportionality of the processing operations in relation to this Data Processing Agreement;

  • 6.14.3 an assessment of the risks to the rights and freedoms of Data Subjects; and

  • 6.14.4 describing the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

Audit

6.15 Coherent must permit the Customer and its third-party representatives to audit Coherent's compliance with its obligations under this Data Processing Agreement, on at least 30 days' notice. Coherent will give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:

  • 6.15.1 physical access (to the extent possible) to, remote electronic access to, and copies of the records and any other information held at Coherent's premises or on systems storing the Personal Data;

  • 6.15.2 access to and meetings with any of Coherent's personnel reasonably necessary to provide all explanations and perform the audit effectively; and

  • 6.15.3 inspection of all records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.

6.16 The notice requirements in clause 6.15 will not apply if the Customer reasonably believes that a Personal Data breach occurred or is occurring, or Coherent is in breach of any of its obligations under this Data Processing Agreement or any Data Protection Legislation.

Security breaches

6.17 Coherent must, within 48 hours and in any event without undue delay, notify the Customer if it becomes aware of:

  • 6.17.1 the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Coherent will use its reasonable endeavours to restore such Personal Data at its own expense as soon as possible;

  • 6.17.2 any accidental, unauthorised, or unlawful processing of the Personal Data; or

  • 6.17.3 any Personal Data breach.

6.18 Where Coherent becomes aware of any event within clauses 6.17.1 – 6.17.3 above it shall, without undue delay, also use its reasonable endeavours to provide the Customer with the following information:

  • 6.18.1 description of the nature of the event, including the categories of in-scope Personal Data and approximate number of Data Subjects and the Personal Data records concerned;

  • 6.18.2 the likely consequences; and

  • 6.18.3 a description of the measures taken or proposed to be taken to address the incident, including measures to mitigate its possible adverse effects.

6.19 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data breach, the parties will coordinate with each other to investigate the matter. Further, Coherent will reasonably cooperate with the Customer in the Customer's handling of the matter, including but not limited to:

  • 6.19.1 assisting with any investigation;

  • 6.19.2 providing the Customer with physical access (to the extent possible) to any facilities and operations affected;

  • 6.19.3 facilitating interviews with Coherent's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;

  • 6.19.4 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

  • 6.19.5 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data breach or accidental, unauthorised or unlawful Personal Data processing.

6.20 Coherent will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data breach without first obtaining the Customer's written consent, except when required to do so by domestic law.

6.21 Coherent agrees that the Customer has the sole right to determine:

  • 6.21.1 whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data breach to any Data Subjects, the Information Commissioner's Office, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice. Save that nothing in this clause shall prevent Coherent from making any notifications required to maintain any insurance cover, regulatory authorisations, or avoid being in contractual breach of any other agreement it has entered into; and

  • 6.21.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

Coherent personnel

6.22 Coherent must ensure that Coherent personnel processing the data on Coherent's behalf are subject to a duty of confidentiality ensuring in each case that access is strictly limited to those employees who need to access the relevant Personal Data, as strictly necessary to perform the Services in the context of that employee's duties to Coherent, ensuring that all such employees:

  • 6.22.1 are aware of and comply with Coherent's duties under this Data Processing Agreement;

  • 6.22.2 are informed of the confidential nature of the Personal Data and do not publish, disclose, or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Data Processing Agreement;

  • 6.22.3 are subject to user authentication and log on processes when accessing the Personal Data; and

  • 6.22.4 have undertaken appropriate training in relation to Data Protection Legislation and in the use, care, protection and handling of the Personal Data.

7. Use of Sub-Processors

7.1 The Customer gives Coherent a general written authorisation for the engagement of third-party sub-processors for the processing of Personal Data, subject to the terms of this Data Processing Agreement, Art. 32 of the UK GDPR, and the rules on transfers to third countries. The sub-processors currently used by Coherent are set out at Annex A of this agreement.

7.2 Coherent shall carry out due diligence on each sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Agreement. Coherent will include terms in the contract between Coherent and the sub-processor substantially similar to those set out in this Data Processing Agreement, and which are at a minimum compliant with the requirements of the Data Protection Legislation.

7.3 Coherent will not change any sub-processor processing Personal Data under this Data Processing Agreement without first informing the Customer of any intended change concerning the addition or replacement of other processors by updating Annex A, thereby giving the Customer the opportunity to object to such changes. The Customer acknowledges that it is their responsibility to check regularly for any updates to Annex A.

7.4 The Customer approves the engagement of the entities listed at Annex A as sub-processors of Coherent for the processing of Personal Data. Coherent shall update the list of sub-processors at least 10 days in advance of when a new sub-processor for the processing of Personal Data is engaged.

7.5 Where the sub-processor fails to fulfil its obligations under the written agreement with Coherent which contains terms substantially the same as those set out in this Data Processing Agreement, Coherent remains fully liable to the Customer for the sub-processor's performance of its agreement obligations.

International Transfers

7.6 The Customer consents for Coherent to process Personal Data outside the UK and/or the EEA provided that:

  • 7.6.1 Coherent is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation confirming that the territory provides adequate protection for the privacy rights of individuals.

  • 7.6.2 Coherent participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Coherent (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR.

  • 7.6.3 the transfer otherwise complies with the Data Protection Legislation.

8. Liability

8.1 Nothing in this Data Processing Agreement limits any liability which cannot legally be limited, including but not limited to liability for:

  • 8.1.1 death or personal injury caused by negligence; and

  • 8.1.2 fraud or fraudulent misrepresentation.

8.2 Subject to clause 8.1, Coherent’s total liability to the Customer under this Data Processing Agreement shall not exceed £1,000 (one thousand pounds).

Schedule - Processing, Personal Data and Data Subjects

Subject matter of the processing: To provide the Services as required by the Customer

Duration of the processing: The duration of this Data Processing Agreement

Purposes and nature of processing:

The purposes and nature of the processing includes:

  • Know Your Client (KYC) checks: Coherent verifies the identity of the Customer as required by financial regulation.

  • Payment Facilitation: Coherent processes payments on behalf of the Customer, and processes the personal data of the Data Subjects as requested by the Customer in order to send payment links and aid payment reconciliation.

Types of personal data

  • Name

  • Email Address

  • Phone Number

  • Personal Address

  • Bank Account Numbers

  • Credit Card Numbers

Special Category Data

  • Notes regarding clinical services or goods purchased which in some cases may contain health data

Annex A: Sub-Processor List

Adyen NV

Reason: Adyen facilitates payment services for our clients

Data transferred: Name, credit card information, and bank account information, to allow the Customer to accept payments from their clients.

Country: The Netherlands (EU)

Transfer Mechanism:

Amazon Web Services (AWS)

Reason: Cloud Hosting Provider - AWS hosts Coherent’s cloud infrastructure, including the servers that receive and store personal data. This is required in order to allow Customers to access the service.

Data transferred: All data categories listed in the Schedule.

Country: United Kingdom

Twilio

Reason: Communications Provider - Twilio provides text and email communications services, which are used to send payment links and receipts to the Customer’s clients.

Data transferred: Name, phone number and email address.

Country: United Kingdom

Last updated 18th February 2025.