1. Background
This Data Processing Agreement ("DPA") is between David Waterman, trading as CDRA (Clinical Depth Reflection Assistant) ("Data Processor") and the registered practitioner holding a CDRA account ("Data Controller").
When you enter clinical material into CDRA, personal data relating to your clients may be processed by CDRA on your behalf. This agreement governs how that processing takes place, as required by Article 28 of UK GDPR.
This agreement is incorporated into and forms part of the CDRA Terms of Use. By creating a CDRA account and accepting the Terms of Use, you accept this DPA.
2. Definitions
- Personal data — any information relating to an identified or identifiable living individual, as defined in UK GDPR
- Special category data — personal data relating to health or therapy, as defined in Article 9 UK GDPR
- Processing — any operation performed on personal data, including storage, analysis, and transmission
- Sub-processor — a third party engaged by CDRA to assist in processing personal data
3. Subject matter and nature of processing
CDRA processes session notes and clinical material entered by the Data Controller for the purpose of generating AI-assisted clinical reflections. Processing involves:
- Transmission of session notes to an AI-powered de-identification layer
- Transmission of de-identified content to an AI clinical analysis engine
- Encrypted storage of notes and reflections in the Data Controller's CDRA account
4. Duration
This agreement remains in force for as long as the Data Controller holds an active CDRA account, and for any period thereafter during which CDRA retains data on their behalf.
5. CDRA's obligations as Data Processor
CDRA shall:
- Process personal data only on documented instructions from the Data Controller — being their use of the CDRA platform — and for no other purpose
- Ensure that all personnel with access to personal data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organisational security measures, including AES-256-GCM encryption of stored content
- Not engage new sub-processors without informing the Data Controller, and ensure any sub-processor is bound by equivalent data protection obligations
- Assist the Data Controller in responding to data subject rights requests to the extent reasonably possible given the nature of processing. Note: because clinical content is encrypted and only accessible to the account holder, CDRA's ability to assist with access or deletion requests for that content is limited by design
- Delete all personal data on account closure, within 30 days of the account being terminated
- Make available to the Data Controller all information reasonably necessary to demonstrate compliance with this agreement
6. Sub-processors
CDRA currently uses the following sub-processors:
| Sub-processor | Purpose | Location | Safeguard |
|---|
| Anthropic PBC | AI de-identification and clinical reflection processing | USA | Anthropic's DPA and Standard Contractual Clauses, incorporated into their Commercial Terms of Service |
| Supabase | Encrypted data storage | EU | SOC 2 Type II certified; EU data residency |
CDRA will notify Data Controllers of any intended changes to sub-processors with reasonable notice. You may object to a new sub-processor on reasonable grounds relating to data protection.
7. Security measures
CDRA implements the following technical measures:
- Encryption: All stored clinical content is encrypted using AES-256-GCM before being written to the database
- AI-powered de-identification: Session notes are scanned by an AI layer that identifies and replaces names and identifying details with neutral placeholders before content is passed to the clinical analysis engine. This is a best-effort automated process — it significantly reduces the risk of identifying information being processed, but cannot guarantee every contextual detail will be identified. It is designed to supplement the Data Controller's own professional practice of keeping notes in a way that minimises identifying information
- Access controls: Clinical content is accessible only to the account holder
8. Data Controller's obligations
By using CDRA, the Data Controller confirms that:
- They are the data controller for their clients' personal data and hold all necessary lawful bases for processing, including appropriate client consent or legitimate interests for AI-assisted clinical reflection
- They have informed their clients that AI-assisted tools are used as part of their reflective practice
- They use pseudonyms or initials — not real names — when entering client material into CDRA
- Their use of CDRA is consistent with their professional body's guidance and their duty of confidentiality to their clients
9. Data breach notification
CDRA will notify the Data Controller without undue delay — and within 72 hours where feasible — upon becoming aware of a personal data breach affecting their data. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and measures taken or proposed to address it.
10. Audit rights
The Data Controller may request reasonable information from CDRA to verify compliance with this agreement. CDRA may satisfy this obligation by providing relevant certifications, security documentation, or written responses to audit questionnaires.
11. Governing law
This agreement is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Acceptance
This agreement is accepted by the Data Controller upon creating a CDRA account and agreeing to the Terms of Use, which incorporate this agreement by reference. No separate signature is required.
CDRA is operated by David Waterman, a registered psychotherapist based in the UK. ICO registration number: ZC138142.
Questions about this agreement: d@davidwatermanpsychotherapist.co.uk