Data Processing Agreement
For TriageHealth Professional Tier Subscribers
Last updated: 17 April 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between TriageMethod Ltd, trading as TriageHealth, (“Processor”) and the subscribing healthcare professional or organisation (“Controller”) using the TriageHealth Professional tier.
1. Definitions
- Client Data:Personal data and health data of the Controller’s clients that is processed through the TriageHealth platform.
- Processing: Any operation performed on Client Data, including collection, storage, analysis, assessment generation, and display.
- Sub-processor: A third party engaged by the Processor to process Client Data.
2. Scope of Processing
The Processor processes Client Data solely for the purpose of:
- Generating health assessment reports requested by the Controller
- Providing biomarker interpretation, nutrient analysis, and cross-domain insights
- Storing Client Data for ongoing assessment tracking and comparison
- Enabling the Controller to view, manage, and export Client Data
3. Duration
This DPA remains in effect for the duration of the Controller’s Professional subscription. Upon termination, the Processor shall delete all Client Data within 30 days, unless retention is required by law.
4. Obligations of the Processor
The Processor shall:
- Process Client Data only on documented instructions from the Controller
- Ensure that persons authorised to process Client Data have committed to confidentiality
- Implement appropriate technical and organisational security measures (as detailed in our Privacy Policy)
- Not engage sub-processors without prior written authorisation of the Controller
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach affecting Client Data
- Delete or return all Client Data upon termination of the subscription
- Make available all information necessary to demonstrate compliance with GDPR obligations
5. Obligations of the Controller
The Controller shall:
- Ensure they have a lawful basis (typically explicit consent under Article 9) for processing client health data through TriageHealth
- Obtain appropriate consent from their clients before entering health data
- Inform their clients about the use of TriageHealth as a processing tool
- Use generated assessments as supplementary tools, not as a replacement for clinical judgement
6. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Customer email, payment details, billing address, transaction records | US | SCCs, PCI DSS Level 1 |
| Resend, Inc. | Email delivery | Email address, name, transactional email content (verification, reports, notifications) | US | SCCs, email address and content only |
| Google Cloud (Vertex AI) | AI processing of health queries | Health context snippets for AI-powered analysis and chat (no direct PII; pseudonymised health data) | EU (Netherlands) | Data Processing Addendum under GDPR; EU data residency (europe-west4); no data retention by provider; prompts and responses not used for model training; ISO 27001, SOC 2 Type II |
| Neon, Inc. | Database hosting | All user data including account data, health data, assessments, and consent records (encrypted at rest) | EU/UK | Encryption at rest (AES-256), encryption in transit (TLS 1.2+), access controls, SOC 2 Type II |
| Vercel, Inc. | Application hosting | All HTTP requests pass through (including request metadata, IP addresses); serverless function execution | US/EU | SCCs, ISO 27001, SOC 2 Type II |
| Functional Software, Inc. (Sentry) | Error monitoring and performance telemetry | Stack traces, request URL/path, anonymised user ID, browser/device metadata. PII filters strip emails, auth tokens and request bodies before transmission. No health data captured. | EU (Frankfurt, de.sentry.io) | SCCs, ISO 27001, SOC 2 Type II, EU residency |
| Upstash, Inc. | Rate-limit counters and short-lived caches | Anonymised request fingerprints (hashed IP + endpoint), counters, ephemeral keys (e.g. CSRF tokens). No health data. | EU (Frankfurt) | SCCs, encryption in transit, EU residency |
| Vercel, Inc. (Vercel Blob) | Object storage for uploaded lab report PDFs/images pending OCR | The uploaded file itself, retained only until OCR completes (then deleted). Encrypted at rest; access scoped to the uploading user’s session. | EU (fra1, Frankfurt) | SCCs, encryption at rest (AES-256), encryption in transit, EU residency |
| Vercel, Inc. (Analytics & Speed Insights) | Real-user performance metrics (Core Web Vitals) and aggregated page-view counts | Aggregated, anonymised page-view + Web Vitals data. No personal identifiers, no health data. | EU | SCCs, no personal identifiers |
| GitHub, Inc. | Optional OAuth sign-in (“Continue with GitHub”) | Email address and public profile fields returned by GitHub at sign-in. Used only to provision/identify the user account; no health data shared with GitHub. | US | SCCs via GitHub’s DPA, ISO 27001, SOC 2 Type II |
The Controller is deemed to have authorised the above sub-processors. The Processor will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
7. International Transfers
Where Client Data is transferred outside the UK/EEA, the Processor ensures adequate safeguards through Standard Contractual Clauses (SCCs) as approved by the European Commission and adopted for UK transfers by the ICO.
8. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption at rest and in transit (TLS 1.2+, AES-256)
- Role-based access control — Client Data accessible only by the Controller and their designated clients
- Audit logging of all data access
- Rate limiting and brute-force protection
- Regular security assessments
- Incident response procedures with 48-hour breach notification
9. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject rights requests. The Controller can:
- Export all client data via the Professional dashboard
- Delete individual client data via the client management interface
- Rectify client data via the standard data entry forms
10. Audit Rights
The Controller has the right to audit the Processor’s compliance with this DPA. The Processor shall make available audit logs, security documentation, and compliance certifications upon reasonable request.
11. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service.
12. Contact
For DPA-related enquiries: info@triagemethod.com