Terms of Service

Data Processing Agreement

Between Offload Technologies Ltd (“Offload”, “Processor”) and the Therapist (“Controller”)

This DPA was last updated on 15/12/2025

1. Parties and Roles

This Data Processing Agreement (“DPA”) applies when a therapist (“Controller”) uses Offload’s platform to process personal data of their clients. For the purposes of this DPA:

  • The Therapist is the Data Controller

  • Offload Technologies Ltd is the Data Processor

Offload processes client personal data solely on the Controller’s documented instructions.

Offload is the Controller only for data relating to therapists' own accounts (e.g., login, subscription, analytics), not for client therapy data.

2. Subject Matter and Duration

The subject matter of this DPA is Offload’s processing of personal data for the purpose of providing digital therapy tools, journaling, assessments, messaging, and related platform functionality.

The duration of processing corresponds to the therapist’s active use of Offload plus the defined retention period.

3. Nature and Purpose of Processing

Offload processes client personal data in order to:

  • Store and display therapy content and client responses

  • Enable messaging between therapist and client

  • Provide assessments, journaling, mood tracking

  • Deliver notifications and insights

  • Maintain platform security, backups, and performance

Offload does not decide the purpose or means of client treatment.

4. Categories of Personal Data

  • Client identity data (name, email)

  • Therapy and assessment responses

  • Journaling and mood entries

  • Messaging metadata

  • Technical usage data (IP, browser, device, timestamps)

  • Therapist identity and professional details (for account management)

5. Obligations of the Controller (Therapist)

The Controller agrees to:

  1. Ensure a lawful basis (e.g., consent) for processing client data

  2. Provide clients with appropriate privacy notices

  3. Ensure client data entered into Offload is accurate

  4. Not enter unlawful, harmful, or inappropriate content

  5. Comply with all data protection laws relevant to their practice

  6. Respond to client data subject requests (access, deletion, etc.)

  7. Notify Offload immediately of any suspected or actual breach involving Offload’s systems that comes to their attention

6. Obligations of Offload (Processor)

Offload shall:

  1. Process personal data only on documented instructions from the Controller

  2. Implement appropriate technical and organisational measures (encryption, RBAC, access control, logging, backups)

  3. Ensure authorised personnel are bound by confidentiality

  4. Not engage additional sub-processors without notifying the Controller (Offload lists categories of sub-processors in its Privacy Policy)

  5. Assist the Controller in responding to data subject requests

  6. Assist with security, breach mitigation, and DPIAs

  7. Notify the Controller without undue delay and no later than 24 hours after becoming aware of a personal data breach

  8. Delete or return personal data at the end of the contract (see Section 10)

7. Sub-Processing

Therapists may not appoint additional processors for Offload data.

Offload may use third-party infrastructure and service providers (“sub-processors”) for hosting, messaging, email delivery, analytics, and customer communications.

All sub-processors are subject to written contracts and equivalent data protection requirements.

A generic description of Offload’s sub-processors is provided in Offload’s Privacy Policy.

8. International Transfers

Where personal data is transferred outside the UK/EU, Offload ensures appropriate safeguards, such as Standard Contractual Clauses or equivalent protections.

9. Security Measures

Offload implements appropriate measures including:

  • Encryption in transit and at rest

  • Access control & RBAC

  • Automatic session timeout

  • Audit logging for PHI access

  • Encrypted backups & redundancy

  • Secure development practices

  • Strict internal access restriction (IAM/MFA)

10. Data Retention, Return, and Deletion

Upon termination of a therapist account or upon written request:

  • Offload will make reasonable efforts to return data to the Controller

  • Offload will delete personal data within its retention schedule unless law requires otherwise

  • Client data is retained for up to 24 months of inactivity, then deleted or anonymised

Therapists lose access to data immediately upon non-payment or account downgrade.

11. Breach Notification

If Offload becomes aware of a personal data breach affecting the Controller's data, Offload will notify the Controller:

  • Without undue delay, and no later than 72 hours

The notification will include the nature of the breach, affected data, likely consequences, and mitigation steps.

12. Audit Rights

The Controller may audit Offload’s compliance with this DPA:

  • Once per year, except in the event of a security incident or regulatory request

  • Offload will provide necessary documentation to demonstrate compliance

13. Liability and Indemnity

  • Offload’s liability arising from this DPA is limited to the subscription fees paid by the therapist in the previous 12 months.

  • The therapist agrees to indemnify Offload for losses caused by unlawful processing, misuse of client data, or violation of this DPA by the therapist.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of England & Wales.
Any disputes shall be resolved in the courts of England & Wales.

15. Entire Agreement

This DPA forms part of the Offload Terms of Service and prevails in case of conflict regarding data protection obligations.