Legal

Data Processing Agreement

Last updated: March 2026 · Effective: March 2026

How this agreement is formed: By accepting Sanctum's Terms of Service, you (the practitioner) enter into this Data Processing Agreement with [COMPANY NAME] Ltd. No separate signature is required. This agreement is binding as of the date you create your account.

This Data Processing Agreement ("DPA") is between:

[COMPANY NAME] Ltd ("Processor" or "Sanctum"), a company registered in England and Wales
You, the practitioner or practice using the Sanctum platform ("Controller")

It governs how Sanctum processes personal data on your behalf when you use the Service, and sets out the obligations of each party under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Your role and our role

When you use Sanctum to manage patient communications:

You are the Data Controller — you decide what patient data is collected and why.
We are the Data Processor — we process patient data only on your documented instructions, as described in this DPA.

You are responsible for ensuring you have a lawful basis to process your patients' data and for informing them appropriately. We are responsible for processing that data securely and in accordance with your instructions.

2. What data we process on your behalf

Category	Examples
Identity data	Patient names
Contact data	Email addresses, phone numbers
Appointment data	Dates, times, appointment types
Communication data	Email and SMS message content
Health data (special category)	Symptoms, diagnoses, treatment notes, consultation records
Survey data	Patient satisfaction ratings and free-text responses

3. How we process your data

We process patient data only:

To provide the Sanctum platform to you as contracted
On your documented instructions (as set out in these Terms and the Service configuration you control)
As required by applicable law (we will notify you where required before processing)

We will never use your patient data to train, fine-tune, or improve any AI model, including the Claude models used within the Service. This is a contractual commitment, not just a policy statement.

4. Security measures

We maintain the following technical and organisational measures to protect patient data:

Column-level encryption — health notes, consultation records, and credentials encrypted with AES-256
Per-practitioner encryption keys — managed via AWS KMS, so your data is cryptographically isolated from all other accounts
Row-level security (RLS) — enforced at database level; each practitioner's data is inaccessible to other tenants at the query layer
Encryption in transit — TLS 1.2+ for all data movement
Encryption at rest — all database storage encrypted
Audit logging — append-only log of all access and modifications to patient data
Short-lived authentication — JWT access tokens expire every 24 hours; refresh tokens rotate every 30 days

5. AI processing and anonymisation

The Service uses Claude (operated by Anthropic, PBC) to classify messages and generate draft responses. Before transmitting any content to Anthropic's API, we apply a technical anonymisation layer that removes patient names and contact details from the content.

We have a Data Processing Agreement with Anthropic that covers this processing, including the UK IDTA (International Data Transfer Agreement) for the international transfer to the United States. See clause 6 below.

6. International transfers

Some of our sub-processors are based in the United States. The United States does not have a blanket adequacy decision from the UK — meaning UK law does not automatically recognise US data protection as equivalent.

How we make these transfers lawful: the UK IDTA

For each US-based sub-processor (Anthropic, Twilio, Stripe), we use the UK International Data Transfer Agreement (IDTA) — a standard contract approved by the Information Commissioner's Office (ICO) under Section 119A of the Data Protection Act 2018.

The IDTA requires the US recipient to commit to treating UK personal data to the same standards as UK GDPR, regardless of US law. It is the UK equivalent of the EU's Standard Contractual Clauses. By signing the IDTA with each US sub-processor, we create a legally enforceable obligation on them to protect your patients' data.

In plain terms: even though Anthropic is a US company, it is contractually required to handle any data it receives from us as if UK GDPR applied directly to it.

7. Sub-processors

We currently use the following sub-processors to provide the Service:

Sub-processor	Purpose	Location	Transfer mechanism
Supabase	Database hosting	EU	EU SCCs (adequacy basis)
Amazon Web Services	Encryption key management	UK / EU	No transfer (UK region)
Anthropic, PBC	AI processing (Claude)	United States	UK IDTA
Twilio Inc.	SMS delivery	United States	UK IDTA
Stripe, Inc.	Payment processing	United States	UK IDTA / SCCs

We will give you at least 30 days' written notice (by email to your registered address) before adding or replacing any sub-processor. You may object to the change within 14 days; if we cannot resolve the objection, you may cancel your subscription without penalty. The current sub-processor list is always available at sanctum.support/sub-processors.

8. Data subject rights

If one of your patients contacts you to exercise their rights under UK GDPR (access, erasure, portability, rectification, restriction), we will support you by:

Providing a data export of all data held for that patient via the patient profile page
Processing a hard deletion of all patient data (records, messages, survey responses) via the delete button on the patient profile
Providing assistance with Subject Access Requests on request — email privacy@sanctum.support

All patient deletions are logged in our audit trail so you can demonstrate compliance.

9. Data breach notification

If we become aware of a Data Breach that affects your patients' data, we will notify you within 24 hours of becoming aware, to allow you to meet your ICO notification obligation (72 hours from discovery under UK GDPR Art. 33).

Our notification will include: the nature of the breach, categories of data affected, approximate number of individuals affected, measures taken to address it, and our contact details.

10. Data retention and deletion

We retain patient data for the following periods by default:

Data type	Retention period
Patient identity and clinical records	8 years from last contact (UK health records minimum)
Message and conversation history	3 years from last message
Survey responses	3 years

On termination of your subscription, we will provide a complete data export or confirm deletion within 30 days, at your election.

11. Audit rights

You may request information to verify our compliance with this DPA. We will respond to reasonable information requests within 30 days. Where an on-site audit is required (which we expect to be rare), we may charge for reasonable time and costs, and will require 14 days' notice and a confidentiality commitment.

12. Your responsibilities as Controller

By accepting this DPA, you confirm that:

You have a lawful basis under UK GDPR for processing your patients' health data — typically Article 9(2)(h) (healthcare provision) or explicit patient consent
Your patients have been informed about how their data is processed, including the use of AI-assisted tools
Your use of the Service complies with all applicable data protection laws and professional regulations
You hold your own ICO registration (or are registered under a practice-level registration) as a Data Controller for patient data

13. Governing law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Data protection queries

For DPA queries, data subject requests, or breach reporting, contact privacy@sanctum.support. We aim to respond within 5 business days.