This Data Processing Agreement forms part of and is incorporated into the Master Services Agreement between Altra Health Limited trading as Altra and the Customer. It governs the processing of Personal Data by Altra on behalf of the Customer in connection with the Services.

1. Interpretation

In this Agreement:

Terms such as controller, processor and data subject shall have the meanings given to them in the GDPR.

2. Roles of the Parties

The parties acknowledge that the Customer acts as Data Controller and Altra acts as Data Processor. Altra shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.

The Master Services Agreement and this Agreement together constitute the Customer’s complete instructions. Altra shall inform the Customer if, in its opinion, any instruction infringes Data Protection Law.

3. Scope of Processing

The nature, purpose, categories of Personal Data and categories of data subjects are described in Schedule 1. Altra shall process only the Personal Data necessary to provide the Services.

4. Processor Obligations

Altra shall process Personal Data only in accordance with this Agreement and Data Protection Law. Access to Personal Data shall be limited to personnel who require access to perform the Services and who are subject to appropriate confidentiality obligations.

Altra shall ensure that its personnel are trained in data protection and understand their obligations when handling Personal Data. Altra shall not sell Personal Data and shall not use Personal Data for any purpose other than providing and improving the Services in accordance with the Master Services Agreement.

5. Security

Altra shall implement Appropriate Technical and Organisational Measures to ensure a level of security appropriate to the risk. These measures shall include, as appropriate, encryption of data in transit and at rest, access controls, authentication mechanisms, logging and monitoring, and measures to ensure the ongoing confidentiality, integrity and availability of systems and services.

Altra shall regularly review and update its security measures in line with industry standards.

6. Subprocessors

The Customer provides general authorisation for Altra to appoint Subprocessors to support the provision of the Services. Altra shall ensure that any Subprocessor is bound by written terms that provide at least the same level of data protection as set out in this Agreement.

Altra shall maintain an up to date list of Subprocessors, listed in schedule 2. Where Altra intends to add or replace a Subprocessor, it shall provide reasonable notice. The Customer may object on reasonable data protection grounds.

7. International Transfers

Altra may transfer Personal Data outside the European Economic Area where necessary to provide the Services. Any such transfer shall be carried out in accordance with Data Protection Law and shall be subject to appropriate safeguards, including standard contractual clauses or reliance on adequacy decisions.

8. Data Subject Rights

Taking into account the nature of the processing, Altra shall provide reasonable assistance to the Customer to enable the Customer to fulfil its obligations to respond to requests from data subjects exercising their rights under Data Protection Law.

If Altra receives a request directly from a data subject, it shall promptly notify the

Customer and shall not respond to the request except on the Customer’s instructions unless required by law.

9. Data Protection Impact Assessments

Altra shall provide reasonable assistance to the Customer, taking into account the nature of the processing and information available, to support data protection impact assessments and any prior consultation with supervisory authorities where required.

10. Personal Data Breach

Altra shall notify the Customer without undue delay, and in any event within a reasonable timeframe, after becoming aware of a Personal Data breach affecting Customer Data.

Altra shall provide information reasonably required to enable the Customer to meet its obligations under Data Protection Law and shall take appropriate steps to investigate, mitigate and remediate the breach.

11. Audit and Compliance

Altra shall make available to the Customer information reasonably necessary to demonstrate compliance with this Agreement and Data Protection Law.

Any audit rights shall be exercised on reasonable notice, during normal business hours and in a manner that does not disrupt Altra’s business operations. Altra may satisfy audit requirements through the provision of independent security certifications, audit reports or other relevant documentation.

12. Data Retention and Deletion

Altra shall retain Personal Data only for as long as necessary to provide the Services and in accordance with the Master Services Agreement.

Upon termination of the Services, the Customer may request access to and export of Personal Data for a limited period. Following this period, Altra shall delete or securely anonymise Personal Data unless retention is required by law. Backup copies may be retained for a limited period in accordance with standard backup practices.

13. Mandatory Disclosure

If Altra is required by law to disclose Personal Data, it shall, where legally permitted, inform the Customer before making such disclosure and limit the disclosure to what is legally required.

14. Records of Processing

Altra shall maintain records of processing activities as required under Article 30 of the GDPR.

15. Liability

Liability arising under this Agreement shall be subject to the limitations and exclusions of liability set out in the Master Services Agreement.

16. General

This Agreement shall remain in effect for as long as Altra processes Personal Data on behalf of the Customer. In the event of any conflict between this Agreement and the Master Services Agreement, this Agreement shall prevail in respect of data protection matters.

Schedule 1

Details of Processing

Nature and Purpose of Processing

Processing of Personal Data for the purpose of providing, maintaining, supporting and improving the Altra platform, including communication tools, content delivery, user management, analytics and system administration.

Categories of Personal Data

Resident data, family member data, staff data, communications, images, videos and other content uploaded to the platform, and system usage data.

Categories of Data Subjects

Residents, family members, staff and other authorised users of the platform.

Duration of Processing

For the duration of the Services and any applicable retention period as set out in the Master Services Agreement.

Schedule 2

Subprocessors

Altra uses the following Subprocessors to deliver the Services. Where Personal Data is transferred outside the European Economic Area, such transfers are carried out in accordance with Data Protection Law and subject to appropriate safeguards, including standard contractual clauses.

Altra maintains and updates this list from time to time in accordance with Clause 6.