Legal

Data processing

For clinics that use Aesta to store patient records, here is how we handle patient data and what your Data Processing Agreement will cover.

Pre-launch draft

This is a pre-launch draft and will be reviewed before Aesta goes live. The full Data Processing Agreement (DPA) will be a separate, legally reviewed document provided to every subscribing clinic before they begin using the product. If you would like a draft DPA ahead of launch, please get in touch via the early-access form.

Under UK data protection law, anyone who stores or processes personal data has a specific legal role. Understanding those roles matters if you run a clinic and are considering software to manage patient records.

Who is the controller and who is the processor?

When your clinic uses Aesta:

  • Your clinic is the data controller. You decide which patient records to store, for what purpose, and for how long. Your patients have a relationship with your clinic, not with Aesta.
  • Aesta is the data processor. We store and process patient data only on your instructions, to provide the software service you have subscribed to. We do not use patient data for our own purposes.

This distinction is set out in Article 4 of the UK General Data Protection Regulation (UK GDPR) and it creates specific obligations on both sides.

What a Data Processing Agreement covers

UK GDPR requires that any arrangement between a controller and a processor is set out in a written agreement. The DPA we will provide to subscribing clinics will cover, at a minimum:

  • The subject matter, duration, nature, and purpose of the processing.
  • The types of personal data processed (for example, contact details, clinical notes, consent records).
  • The categories of data subjects (your patients and staff).
  • Our obligations and your rights as controller.
  • Security measures in place to protect patient data.
  • Our process for handling data subject access requests or breach notifications.
  • Sub-processors we use (for example, our hosting provider) and how they are managed.
  • Data deletion or return at the end of your subscription.

Sub-processors

Aesta uses a small number of trusted infrastructure providers to run the platform (for example, cloud hosting and database services). A full list of sub-processors will be published before launch and kept up to date. We will notify subscribing clinics of any significant changes to our sub-processor list.

Data location

Patient data is stored within the United Kingdom or European Economic Area. We will not transfer patient data outside those territories without appropriate safeguards in place. Full details will be confirmed in the DPA before launch.

Security of patient data

Patient records within Aesta are encrypted at the application level before being written to the database. This means the stored data is ciphertext that cannot be read by inspecting the database directly. More information is on our security and privacy page.

Breach notification

In the event of a personal data breach affecting your patient records, we will notify you without undue delay and in any case within 72 hours of becoming aware of it, so that you can meet your own reporting obligations to the Information Commissioner's Office (ICO) if required.

Your responsibilities as controller

As the data controller, your clinic remains responsible for:

  • Having a lawful basis for collecting and storing patient data.
  • Providing patients with appropriate privacy information.
  • Responding to data subject access requests from your patients.
  • Maintaining your own records of processing activities.

Aesta will support you in meeting these obligations wherever the software can help, for example by making it straightforward to export or delete a patient record on request.

Requesting the full DPA

The full, legally reviewed Data Processing Agreement will be provided automatically to every subscribing clinic before they begin using Aesta. If you are evaluating Aesta for procurement purposes and need a draft DPA ahead of launch, please contact us via the early-access form and we will share what we have.

Last reviewed: July 2026 (draft). Full DPA to be published before product launch.

Need the DPA for procurement?

Get in touch via the early-access form. We can share a draft and answer any compliance questions you have.

Contact us