Data Processing Agreement

 

Last updated: May 2026

 

This Data Processing Agreement (“DPA”) forms part of the agreement between Tamir Spiegel Ltd trading as VetFlash (“VetFlash”, “we”, “us”, “our”) and the customer or user agreeing to the VetFlash terms (“Customer”, “you”, “your”) for the use of the VetFlash platform and related services (the “Services”).

 

This DPA is intended to satisfy the requirements of Article 28 UK GDPR and equivalent provisions under applicable data protection laws.

 

  1. Definitions

 

In this DPA:

 

“Applicable Data Protection Laws” means all laws and regulations relating to data protection, privacy, and electronic communications that apply to the processing of personal data under this DPA, including where applicable the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and the EU GDPR.

“Customer Personal Data” means personal data processed by VetFlash on behalf of Customer through the Services.

 

“Controller”, “processor”, “data subject”, “personal data”, “processing”, “personal data breach”, and “special category data” have the meanings given in Applicable Data Protection Laws.

 

“UK GDPR” means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

 

“Sub-processor” means another processor engaged by VetFlash to process Customer Personal Data.

 

  2. Roles of the Parties

 

For Customer Personal Data submitted to the Services by or on behalf of Customer, Customer is the controller and VetFlash is the processor, unless the parties agree otherwise in writing.

 

Customer is responsible for ensuring that it has a lawful basis and any required notices, permissions, authorisations, or consents for Customer Personal Data submitted to the Services.

 

VetFlash may act as an independent controller for account administration, billing, fraud prevention, legal compliance, security, service communications and business records relating to Customer and its authorised users. Those activities are described in VetFlash’s Privacy Notice.

 

  3. Processing Details

 

The subject matter, duration, nature, purpose, categories of data and categories of data subjects are set out below.

 

| Item | Description |
| --- | --- |
| Subject matter | Provision, operation, support, security, maintenance and improvement of the VetFlash Services. |
| Duration | For the term of Customer’s use of the Services, plus any retention period required by law, contract, backup cycles, dispute handling, or legitimate business recordkeeping. |
| Nature of processing | Hosting, storage, retrieval, transmission, generation of AI-assisted outputs, account administration, support, security monitoring, logging, backup, deletion and return/export where available. |
| Purpose | To provide AI-assisted veterinary information services and related platform functionality to Customer and authorised users. |
| Data subjects | Authorised users, veterinary professionals, practice staff, support contacts and any third-party individuals whose personal data Customer submits to the Services. |
| Data categories | Account data, contact data, professional details, usage data, AI prompts, uploaded content, AI outputs, feedback, support communications, technical logs and metadata. |
| Special category data | Not required for normal use. Customer must not submit special category data unless it has a lawful basis, an Article 9 UK GDPR condition, any required Data Protection Act 2018 Schedule 1 condition, and the submission is necessary for the permitted use of the Services. |

  4. Customer Instructions

 

VetFlash will process Customer Personal Data only on documented instructions from Customer, including this DPA, the Terms and Conditions, an applicable order or subscription and Customer’s use and configuration of the Services.

 

VetFlash will inform Customer if, in VetFlash’s opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited by law from doing so.

 

Customer instructs VetFlash to process Customer Personal Data as necessary to provide, secure, support, maintain and improve the Services, including through authorised Sub-processors.

 

  5. Customer Obligations

 

Customer must:

 

– comply with Applicable Data Protection Laws;

– provide all required privacy notices to data subjects;

– ensure that Customer Personal Data is accurate, relevant and limited to what is necessary;

– avoid submitting client-identifiable or other third-party personal data unless necessary and lawful;

– anonymise or pseudonymise data before submission where possible;

– maintain appropriate local security controls over user accounts, devices, networks and credentials;

– ensure authorised users comply with Customer’s obligations under this DPA;

– not submit unlawful content, unnecessary special category data, payment card data, passwords, or other highly sensitive information to AI prompts, uploads, feedback, or support channels.

 

  6. VetFlash Processor Obligations

 

VetFlash will:

 

– process Customer Personal Data only in accordance with Customer’s documented instructions;

– ensure persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations;

– implement appropriate technical and organisational measures as described in the Security Annex (vet-flash.com/security);

– assist Customer, taking into account the nature of processing, with data subject rights requests where Customer cannot fulfil them independently;

– assist Customer with security, breach notification, DPIAs and prior consultation obligations where required by Applicable Data Protection Laws;

– notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data;

– delete or return Customer Personal Data at the end of the Services, unless retention is required by law or permitted under this DPA;

– make available information reasonably necessary to demonstrate compliance with Article 28 UK GDPR and equivalent controller-processor obligations under applicable data protection laws;

– permit and contribute to audits as described in this DPA.

 

  7. Confidentiality

 

VetFlash will ensure that personnel who access Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

 

  8. Security Measures

 

VetFlash will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

 

The current security measures are described in the Security Annex (vet-flash.com/security). Customer acknowledges that security measures may be updated from time to time, provided that VetFlash does not materially reduce the overall level of protection for Customer Personal Data.

 

  9. Sub-processors

 

Customer authorises VetFlash to engage Sub-processors to provide the Services.

 

VetFlash will maintain a list of Sub-processors and make it available to Customer. The current list is set out at vet-flash.com/subprocessors.

 

VetFlash will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA in all material respects.

 

VetFlash remains responsible to Customer for the performance of Sub-processor obligations where required by Applicable Data Protection Laws.

 

VetFlash will provide notice of material new Sub-processors where commercially reasonable. Customer may object on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may stop using the affected Services and terminate the affected subscription in accordance with the Terms.

 

  10. International Transfers

 

Customer authorises VetFlash and its Sub-processors to transfer Customer Personal Data outside the United Kingdom where necessary to provide, secure, support, maintain, or improve the Services, provided that a valid transfer mechanism is in place.

 

Where Customer Personal Data is transferred from the United Kingdom to a country or recipient that is not subject to UK adequacy regulations, VetFlash will use an appropriate safeguard under Chapter V of the UK GDPR, such as:

 

– the UK International Data Transfer Agreement (vet-flash.com/idta);

– the UK Addendum to the EU Standard Contractual Clauses;

– an applicable UK adequacy regulation;

– the UK Extension to the EU-US Data Privacy Framework, where valid and applicable;

– another transfer mechanism permitted by Applicable Data Protection Laws.

 

Where required, VetFlash will carry out or rely on transfer risk assessments and implement supplementary measures where appropriate, taking account of the nature of the data, destination, recipient, processing activity, contractual protections, technical safeguards and applicable law.

 

Customer acknowledges that some providers may operate internationally, including cloud hosting, AI service providers, payment processors, analytics providers, email providers, security providers and support providers. VetFlash will identify relevant international processing locations and safeguards in its Sub-processor and international transfers annex.

 

  11. AI Processing

 

The Services may process Customer Personal Data through third-party AI providers to generate AI-assisted outputs.

 

VetFlash will configure AI providers, where available, to limit use of Customer Personal Data to providing the requested service and to restrict use for provider model training unless Customer has been clearly informed and a lawful basis exists.

 

Customer must not include client-identifiable data in AI prompts, uploads, feedback, or support requests unless the information is necessary, lawful and appropriately minimised.

 

AI outputs are generated for professional support only and do not replace Customer’s professional judgement, legal obligations or clinical responsibility.

 

  12. Data Subject Rights

 

VetFlash will, taking into account the nature of the processing, provide reasonable assistance to Customer to respond to requests from data subjects exercising rights under Applicable Data Protection Laws.

 

If VetFlash receives a request directly from a data subject relating to Customer Personal Data for which Customer is controller, VetFlash will, where legally permitted, either direct the data subject to Customer or notify Customer.

 

Customer is responsible for responding to data subject requests where Customer is controller.

 

  13. Personal Data Breaches

 

VetFlash will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.

 

The notification will include information reasonably available to VetFlash, such as:

 

– the nature of the breach;

– affected data categories and data subjects, where known;

– likely consequences, where known;

– measures taken or proposed to address the breach;

– contact details for follow-up.

 

VetFlash’s notification is not an admission of fault or liability. Customer is responsible for determining whether it must notify the ICO or affected data subjects, unless VetFlash is the controller for the affected processing.

 

  14. Deletion and Return

 

On termination of the Services, Customer may request return or deletion of Customer Personal Data where technically available and legally permissible.

 

VetFlash may retain Customer Personal Data where required or permitted by law, including for tax, accounting, fraud prevention, dispute resolution, security, backup and legal compliance purposes.

 

Deleted data may persist in backups for a limited period until overwritten or deleted in accordance with backup retention cycles, provided it is protected from routine access.

 

  15. Audits

 

VetFlash will make available information reasonably necessary to demonstrate compliance with this DPA.

 

Customer may request an audit no more than once in any 12-month period, unless required by a regulator or following a confirmed personal data breach affecting Customer Personal Data.

 

Audits must be conducted during normal business hours, on reasonable written notice, without disrupting VetFlash’s operations and subject to confidentiality and security restrictions.

 

VetFlash may satisfy audit requests by providing relevant documentation, policies, summaries, third-party certifications, security assessments (where available), security questionnaires, or other appropriate assurance materials.

 

  16. Liability and Order of Precedence

 

Liability under this DPA is subject to the liability provisions set out in the Terms, to the extent permitted by Applicable Data Protection Laws.

 

If there is any conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA shall prevail to the extent of such conflict. If there is any conflict between this DPA and the Security Annex, this DPA shall prevail in relation to legal and data protection obligations and the Security Annex shall prevail in relation to specific technical and organisational security measures.

 

  17. Changes

 

VetFlash may update this DPA where necessary to reflect changes in law, regulatory guidance, security practices, Sub-processors, international transfer mechanisms, or the Services. Material changes will be notified where required by the Terms or Applicable Data Protection Laws.

  18. Signing This DPA

This DPA takes effect automatically upon acceptance of the Terms and Conditions. No separate signature is required for standard use of the Service.

 

Enterprise and whitelabel customers requiring a countersigned DPA for their own compliance purposes may request a signed copy by contacting: info@vetflash.io

We will provide a signed PDF copy within 5 business days.