Data Processing Addendum

DATA PROCESSING ADDENDUM (DPA)

Version 1.1 – Updated 1 January 2026

1. PURPOSE AND SCOPE

This DPA governs the Processing of Personal Data by Tangent 90 on behalf of the Controller in connection with the provision of hosted software platforms, including but not limited to:

  • Resource Centre
  • TrustTrack
  • SalesPro
  • Associated hosting, support, analytics, and content distribution services

This DPA is designed to comply with:

  • UK General Data Protection Regulation (“UK GDPR”)
  • EU General Data Protection Regulation (“EU GDPR”)
  • Data Protection Act 2018
  • Applicable global privacy and data protection laws where services are delivered

2. DEFINITIONS

Applicable Data Protection Law means all laws and regulations governing the Processing of Personal Data applicable to the Parties, including:

  • UK GDPR
  • EU GDPR
  • Data Protection Act 2018
  • Any national implementing legislation
  • Any successor legislation

Special Category Data means Personal Data revealing:

  • Health information
  • Medical conditions
  • Clinical data
  • Patient information
  • Biometric or genetic data
  • Or any equivalent sensitive data under Applicable Data Protection Law

Processing means any operation performed on Personal Data, including:

  • Collection
  • Storage
  • Hosting
  • Transmission
  • Retrieval
  • Deletion

3. ROLES OF THE PARTIES

The Controller:

  • Determines the purpose and lawful basis of Processing
  • Is responsible for compliance with data protection law
  • Provides instructions to the Processor

The Processor:

  • Processes Personal Data only on documented instructions
  • Implements appropriate safeguards
  • Does not determine the purpose of Processing

4. SUBJECT MATTER OF PROCESSING

The Processor provides secure SaaS platforms used for:

  • Storage and distribution of licensed scientific and medical content
  • Digital communication with healthcare professionals
  • Event and congress content distribution
  • Regulatory and medical information support
  • Analytics and usage reporting
  • Content access and engagement tracking

5. TYPES OF PERSONAL DATA

Processing may involve:

  • Names
  • Professional contact details
  • Email addresses
  • Job titles
  • Organisation names
  • Professional identifiers
  • System login credentials
  • Usage logs
  • Uploaded files
  • Embedded metadata
  • Images or video content
  • Healthcare professional interaction records

6. CATEGORIES OF DATA SUBJECTS

Examples include:

  • Healthcare professionals
  • Medical staff
  • Researchers
  • Clinical personnel
  • Conference delegates
  • Healthcare administrators
  • Employees of the Controller
  • Patients (where data is supplied by the Controller)

7. DURATION OF PROCESSING

Processing shall continue:

  • For the duration of the service agreement
  • Until deletion or return of data following termination

8. PROCESSOR OBLIGATIONS

The Processor shall process Personal Data only on documented instructions. The Parties agree that the Service Agreement, this DPA, and the Controller’s use of the SaaS platform features constitute the Controller’s complete and final documented instructions for Processing.

The Processor shall ensure that personnel:

  • Are authorised to access data
  • Receive data protection training
  • Are bound by confidentiality obligations

9. SECURITY MEASURES

The Processor shall implement appropriate security controls including:

  • Access Control
  • Role-based permissions
  • Authentication controls
  • Encryption in transit
  • Secure hosting environments
  • Logging and monitoring
  • Backup and recovery procedures
  • Secure deletion procedures
  • System patching and maintenance
  • Incident response procedures
  • Personnel confidentiality obligations

10. FILE AND METADATA HANDLING

The Processor may implement automated safeguards to reduce the risk of unintended disclosure. Such safeguards may include:

  • Inspection of uploaded files
  • Detection of metadata
  • Removal or permanent sanitisation of metadata
  • Quarantine of flagged files
  • Secure deletion of affected files

The Controller remains responsible for ensuring:

  • Lawful data collection
  • Lawful disclosure
  • Lawful transfer to the Processor

11. CONFIDENTIALITY

The Processor shall ensure that all personnel:

  • Are subject to confidentiality obligations
  • Receive appropriate training
  • Access data only where required

12. PERSONAL DATA BREACH NOTIFICATION

The Processor shall notify the Controller of any Personal Data Breach without undue delay, and in any event within two working days of becoming aware of the breach. Notification shall include:

  • Nature of the breach
  • Categories of data affected
  • Likely consequences
  • Remediation actions taken

13. DATA SUBJECT RIGHTS

The Processor shall assist the Controller in responding to requests relating to:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Portability
  • Objection

The Processor shall not respond directly to Data Subjects unless instructed.

14. DATA RETENTION AND DELETION

Upon termination or expiry of the Service Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data within 30 days. Backup data shall be deleted in accordance with the Processor’s standard 60-day retention schedule.

15. SUB-PROCESSORS

The Processor shall provide the Controller with at least 30 days’ prior notice of any intended changes concerning the addition or replacement of sub-processors. Potential sub-processors include:

  • Hosting providers
  • Infrastructure providers
  • Support service providers

16. INTERNATIONAL DATA TRANSFERS

Personal Data shall be processed:

  • Within the United Kingdom
  • Within jurisdictions providing adequate data protection safeguards

Where transfers occur outside these jurisdictions, the Processor shall implement Standard Contractual Clauses or equivalent lawful transfer mechanisms.

17. AUDIT AND COMPLIANCE

The Controller may request evidence of compliance. Any audit shall be conducted at the Controller’s sole expense unless the audit reveals a material breach of this DPA, in which case the Processor shall reimburse reasonable audit costs.

18. THIRD-PARTY LICENSED CONTENT AND COPYRIGHT MATERIAL

The Processor may host and distribute licensed third-party content, including:

  • Scientific publications
  • Medical journal articles
  • Clinical study materials
  • Conference presentations
  • Regulatory documentation
  • Educational materials

The Controller remains responsible for:

  • Licensing rights
  • Copyright compliance
  • Data protection compliance
  • Lawful data use

19. LIABILITY

Liability under this DPA shall be governed by the main services agreement. Nothing in this DPA:

  • Limits liability where prohibited by law
  • Transfers Controller responsibilities to the Processor

20. GOVERNING LAW

This DPA shall be governed by:

  • English law

21. ORDER OF PRECEDENCE

In the event of conflict:

  • This DPA prevails over data protection provisions in the terms and conditions

22. CONTACT DETAILS

Processor Data Protection Contact:
Tangent 90 Limited
95 Mortimer Street
London
W1W 7GB
Email: [email protected]

Scroll to Top

We use cookies to improve your experience on our website. By browsing this website, you agree to our use of cookies.

Accept Cookies
Privacy Policy