Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between the care agency customer (the "Customer" or "Controller") and TradeAlgoSuite Technologies Ltd ("Carionex", "we", "our", or the "Processor"), registered in England and Wales (Company No: 17162783), for the provision of the Carionex platform (the "Services").

This DPA reflects the parties' agreement on the processing of personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where there is any conflict between this DPA and the main service terms, this DPA prevails in respect of data protection matters.

2. Roles of the Parties

The Customer is the Controller of the personal data it uploads to or processes through the platform (including staff, client, and family data). Carionex acts as the Processor, processing that personal data only on the documented instructions of the Customer, which include the instructions set out in this DPA and the use of the Services.

Where Carionex determines the purposes and means of processing for its own business operations (for example, account administration and platform security), it acts as a Controller and that processing is governed by our Privacy Policy.

3. Subject Matter & Duration

The subject matter of the processing is the provision of the Carionex care management platform. Processing continues for the duration of the Customer's subscription and for any retention period required to comply with legal obligations (see Section 9).

4. Nature & Purpose of Processing

Carionex processes personal data to deliver the Services, including:

• Staff scheduling, time tracking, and payroll preparation
• Client care planning, risk assessments, and medication records
• Visit logging, incident reporting, and CQC-aligned record keeping
• Invoicing, finance, and reporting
• Family portal access and secure messaging
• Hosting, backup, security, and support of the platform

5. Categories of Data Subjects & Personal Data

Data subjects may include:

• Care agency staff and administrators
• Clients receiving care and their nominated family members or representatives

Personal data may include:

• Identity and contact details (name, address, email, phone)
• Employment and qualification details
• Location data captured during clock-in/out
• Special category data, including health and care information necessary for the delivery of care services

6. Processor Obligations

Carionex will:

• Process personal data only on the Customer's documented instructions
• Ensure persons authorised to process the data are bound by appropriate confidentiality obligations
• Implement the technical and organisational security measures set out in Section 7
• Assist the Customer, taking into account the nature of processing, in responding to data subject rights requests
• Assist the Customer with data protection impact assessments and consultation with the ICO where required
• Make available information necessary to demonstrate compliance and allow for reasonable audits

7. Security Measures

Carionex implements appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS) and at rest, row-level data isolation between agencies, role-based access controls, audit logging, secure authentication, private file storage, and automated backups on managed, AWS-backed infrastructure. Further detail is available in our security documentation.

8. Sub-processors

The Customer provides general authorisation for Carionex to engage sub-processors to support the delivery of the Services. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Current sub-processors include providers of:

• Cloud hosting and database infrastructure (AWS-backed)
• Application hosting and content delivery
• Payment and direct debit processing
• Transactional email delivery

We will inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object.

9. Data Retention & Deletion

Personal data is retained for the duration of the subscription and any period required by law. Care records are retained for a minimum of 8 years in line with CQC requirements. On termination, and subject to legal retention obligations, Carionex will delete or return personal data at the Customer's choice.

10. International Transfers

Personal data is primarily processed and stored within the UK and/or European Economic Area. Where any transfer outside the UK occurs, it will be subject to appropriate safeguards as required by UK GDPR, such as an adequacy decision or the International Data Transfer Agreement.

11. Personal Data Breaches

Carionex will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide reasonable information and assistance to support the Customer's own notification obligations to the ICO and affected data subjects.

12. Contact

For any questions about this DPA or to exercise rights under it, please contact: