1.1. This Data Processing Agreement is incorporated into the Subscriber Agreement between the Parties, and regulates the processing of personal data by ClinicalWill.app Ltd (trading as ClinicalWill.app) (ClinicalWill.app) on behalf of the Practitioner, who is the Controller of such personal data, in relation to the performance of the Subscriber Agreement.
1.2. Capitalised terms used in this Data Processing Agreement are given the same meanings set out in the Subscriber Agreement, save where indicated to the contrary below.
2.1. Purpose: The purpose of the processing under the Subscriber Agreement is the provision of Services by ClinicalWill.app to the Practitioner.
2.2. Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
2.3. Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).
2.4. UK GDPR has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
2.5. Personal Data means "any information relating to an identified or identifiable natural person" as defined in UK GDPR, article 4(1)", and which is processed by ClinicalWill.app on behalf of the Practitioner in relation to the performance of the Subscriber Agreement. The categories and types of Personal Data processed by ClinicalWill.app on behalf of the Practitioner are listed in Schedule 1. ClinicalWill.app only performs processing activities that are necessary and relevant to perform the Services. The Parties shall update Schedule 1 whenever changes occur that necessitates an update.
2.6. ClinicalWill.app shall have and maintain a register of processing activities in accordance with the Data Protection Legislation.
3.1. ClinicalWill.app may only act and process the Personal Data in accordance with the documented instructions of the Practitioner (the Instructions), unless required by law to act without such instruction. The Instructions at the time of entering into this Data Processing Agreement are that ClinicalWill.app may only process the Personal Data with the purpose of delivering the Services as described in the Subscriber Agreement. Subject to the terms of this Data Processing Agreement and with mutual agreement of the parties, the Practitioner may issue additional instructions consistent with the terms of this Data Processing Agreement. The Practitioner is responsible for ensuring that all individuals who provide instructions are authorised to do so.
3.2. The Practitioner's instructions for the processing of Personal Data shall comply with Data Protection Legislation. The Practitioner will have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.
3.3. ClinicalWill.app will inform the Practitioner of any instruction that it deems to be in violation of the Data Protection Legislation.
4.1.1. ClinicalWill.app shall treat the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Practitioner has agreed in writing.
4.1.2. ClinicalWill.app's employees and contractors shall be subject to an obligation of confidentiality that ensures that the employees shall treat the Personal Data under this Data Processing Agreement with strict confidentiality.
4.1.3. Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Services and the performance of this Data Processing Agreement.
4.1.4. ClinicalWill.app shall ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
4.2.1. ClinicalWill.app shall implement the appropriate technical and organisational measures as set out in this Data Processing Agreement and in the Data Protection Legislation. The security measures may be subject to technical progress and development. ClinicalWill.app may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.
4.2.2. ClinicalWill.app shall provide documentation for ClinicalWill.app's security measures if requested in writing by the Practitioner.
4.3.1. If ClinicalWill.app's assistance is necessary and relevant, ClinicalWill.app shall assist the Practitioner in preparing data protection impact assessments along with any prior consultation in accordance with the Data Protection Legislation.
4.4.1. If the Practitioner receives a request from a data subject for the exercise of the data subject's rights under the Data Protection Legislation and the correct and legitimate reply to such a request necessitates ClinicalWill.app's assistance, ClinicalWill.app shall assist the Practitioner by providing the necessary information and documentation. ClinicalWill.app shall be given reasonable time to assist the Practitioner with such requests in accordance with the Data Protection Legislation.
4.4.2. If ClinicalWill.app receives a request from a data subject for the exercise of the data subject's rights under the Data Protection Legislation and such request is related to the Personal Data of the Practitioner, ClinicalWill.app will immediately forward the request to the Practitioner.
4.5.1. ClinicalWill.app shall give notice within 72 hours to the Practitioner of becoming aware of a breach occurring, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed by ClinicalWill.app on behalf of the Practitioner (the Personal Data Breach).
4.5.2. ClinicalWill.app shall make reasonable efforts to identify the cause of the Personal Data Breach and take those steps as ClinicalWill.app deems necessary to establish the cause, and to prevent the Personal Data Breach from reoccurring.
4.6.1. Upon request by the Practitioner, ClinicalWill.app shall make available to the Practitioner all relevant information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and reasonably cooperate with audits, including inspections by the Practitioner or an auditor mandated by the Practitioner. The Practitioner shall give reasonable notice of any audit or document inspection to be conducted and shall avoid causing damage or disruption to ClinicalWill.app's premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 30 days, and shall not be conducted more than once a year.
4.6.2. The Practitioner may be requested to sign a non-disclosure agreement before being furnished with the right to conduct an audit or document inspection as stipulated herein.
4.7.1. ClinicalWill.app will not transfer any Personal Data to a sub-processor for processing outside the UK unless the prior written consent of the Practitioner has been obtained (which is hereby provided by the Practitioner in respect of those Sub-Processors specified in Schedule 2 to the extent applicable), and the following conditions are fulfilled:
(a) ClinicalWill.app has provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) ClinicalWill.app complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred.
4.7.2. The Practitioner authorises ClinicalWill.app to:
(a) use any contact information relating to Authorised Users which the Practitioner provides to ClinicalWill.app (whether such Authorised Users are resident within or outside the UK) for purposes of communication with such Authorised Users; and
(b) to share Personal Data relating to the categories of Data Subjects identified in Schedule 1 with such Authorised Users;
in each case, as required for the provision of the Services. The Practitioner is responsible for ensuring that it has provided all required privacy notices to relevant individuals to ensure that such communication by ClinicalWill.app, and the transfer of Personal Data in respect of such Data Subject, is compliant with Data Protection Legislation.
5.1. ClinicalWill.app is given general authorisation to engage third-parties (the Sub-Processors) to process the Personal Data without obtaining any further written, specific authorisation from the Practitioner, provided that ClinicalWill.app notifies the Practitioner in writing about the identity of a Sub-Processor (and its Sub-Processors, if any). If the Practitioner wishes to object to the relevant Sub-Processor, the Practitioner shall give notice thereof in writing within 10 business days from receiving the notification from ClinicalWill.app. Absence of any objections from the Practitioner shall be deemed a consent to the relevant Sub-Processor.
5.2. In the event the Practitioner objects to a new Sub-Processor and ClinicalWill.app cannot accommodate the Practitioner's objection, the Practitioner may terminate the Subscriber Agreement by providing written notice to ClinicalWill.app.
5.3. ClinicalWill.app is at the time of entering into this Data Processing Agreement using the Sub-Processors listed in Schedule 2. If ClinicalWill.app initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in Schedule 2 of this Data Processing Agreement.
The Practitioner shall remunerate ClinicalWill.app based on time spent to perform the obligations under clauses 4.3 to 4.6 of this Data Processing Agreement based on ClinicalWill.app's hourly rates.
1.1. In connection with its delivery of the Services ClinicalWill.app processes Personal Data about the following categories of data subjects on behalf of the Practitioner:
1.1.1. individuals identified as Next of Kin;
1.1.2. Clinical Trustees;
1.1.3. clients of the Practitioner;
1.1.4. supervisors, supervisees, and other third parties whose information is inputted to the Platform by the Practitioner.
1.2. In processing any such Personal Data that the Practitioner provides to ClinicalWill.app, ClinicalWill.app acts as a processor on behalf of the Practitioner.
1.3. Individuals identified as Next of Kin and Clinical Trustees may also be independent users of the platform operated by ClinicalWill.app, when they access the platform for reasons connected with the provision of the Services (as described in the Subscriber Agreement) for the benefit of the Practitioner. When such individuals provide Personal Data to ClinicalWill.app in connection with their access to and use of the platform, they do so under the terms of the ClinicalWill.app Privacy Notice, and ClinicalWill.app acts as a controller in respect of such personal data in accordance with the provisions of the Privacy Notice.
2.1. In connection with its delivery of the Services ClinicalWill.app processes the following types of Personal Data in respect of the data subjects identified above in connection with its delivery of the Services:
2.1.1. name;
2.1.2. telephone number;
2.1.3. email address;
2.1.4. business or trading name, and territory in which the business is based (which will be personal data in respect of a sole trader);
2.1.5. other information in respect of clients of the Practitioner, including special category data, relevant to the use of the Services in respect of the Practitioner's clinical will.
The following Sub-Processors shall be considered approved by the Practitioner at the time of entering into this Agreement:
| Sub-Processor | Location | Purpose |
|---|---|---|
| Amazon Web Services | Ireland - see AWS - Data Processing Addendum | Provision of hosting services required for provision of the Services. |
| Salesforce (Heroku) | Primarily UK and EEA, but international transfer of Personal Data may take place - see Salesforce - Data Processing Addendum | Provision of hosting services required for provision of the Services. |
| Stripe | Primarily UK and EEA, but international transfer of Personal Data may take place - see Stripe - Data Processing Agreement | Provision of payment processing services. |
| Google - Workspace | Primarily UK and EEA, but international transfer of Personal Data may take place - see Google Workspace - Data Processing Agreement | Communication with Authorised Users as required for performance of the Services. |
| Google - Analytics | Primarily UK and EEA, but international transfer of Personal Data may take place - see Google Analytics - Data Processing Terms | Provision of website analytics services. |
| Sinch - Mailgun | Primarily UK and EEA, but international transfer of Personal Data may take place - see Sinch - Data Processing Agreement | Provision of email services required for provision of the Services. |
| Linkedln - Campaign Manager | Primarily UK and EEA, but international transfer of Personal Data may take place - see LinkedIn Data - Processing Agreement | Provision of advertising and social media integration services. |
| Github | United States, but international transfer of Personal Data may take place - see GitHub - General Privacy Statement | Provision of source code hosting, version control, collaboration, and related development services required for development, maintenance, and security of the Services |
| Sentry | United States, but international transfer of Personal Data may take place - see Sentry - Data Processing Addendum | Provision of application monitoring, error tracking, and performance analysis services for the purpose of identifying, diagnosing, and resolving technical issues affecting the Services. |
| Google - reCaptcha | Primarily United States, but international transfer of Personal Data may take place - see Google Cloud - Data Processing Addendum | Provision of website security and bot protection services. |
ClinicalWill.app reviews its sub-processors regularly and will update this list if it adds or changes providers.
These Terms were last updated on 25th February 2026.
If you have any questions, please email support@clinicalwill.app.