Data Processing Addendum

1. Roles and scope

This DPA forms part of the agreement between the customer (the “Controller”) and Vetch Health Ltd. (the “Processor”) under which Vetch provides the platform. It applies whenever Vetch processes personal data on the controller’s behalf.

2. Subject matter and duration

Subject matter: the personal data processed by Vetch to provide the services described in the order form. Duration: for as long as Vetch hosts the customer’s data, plus a 60-day export window after termination.

3. Categories of data subjects and personal data

Data subjects: clinic staff, clinic clients (pet owners), referring veterinarians, and the individuals named in their messages or records.
Categories of personal data: contact details, account credentials, billing information, communications content, clinic operational records, and (for the AI scribe) audio captured during visits.
Special categories: health-related information about pet owners or their households if it appears in clinic records or messages. We treat this as 'special category' personal data under Article 9 of the UK GDPR.

4. Vetch obligations

Process personal data only on documented instructions from the controller.
Ensure personnel authorised to process personal data are bound by confidentiality.
Implement appropriate technical and organisational measures (Annex II below).
Assist the controller with data subject requests, security incidents, DPIAs, and consultations with regulators.
Notify the controller without undue delay (and in any case within 72 hours) of becoming aware of a personal data breach.
Make available all information necessary to demonstrate compliance, and allow audits subject to reasonable confidentiality and frequency safeguards.

5. International transfers

Where personal data is transferred outside the UK to a country without UK adequacy regulations, the parties rely on the UK International Data Transfer Addendum (IDTA), together with the EU Standard Contractual Clauses where relevant, and a transfer impact assessment on file. Regional data residency (UK, EU, US) is available on Group plans.

6. Sub-processors

The controller authorises Vetch to engage the sub-processors listed below, each bound by contract to data protection terms equivalent to this DPA. We’ll give 30 days’ notice before adding or replacing a sub-processor; controllers may object on reasonable data-protection grounds.

Cloud hostingAmazon Web Services (eu-west-2 London, eu-west-1 Ireland)

Database & searchVetch-managed Postgres on AWS

Email deliveryPostmark (transactional), Customer.io (lifecycle)

SMS / voiceTwilio

AI inferenceAnthropic, OpenAI (zero-retention enterprise tiers)

Speech-to-textAssemblyAI (EU region)

Error monitoringSentry (PII-scrubbed)

AnalyticsPostHog (self-hosted EU instance for EU/UK customers)

PaymentsStripe

Customer supportPlain (self-hosted on AWS)

7. Supervisory authority

For UK customers, the lead supervisory authority is the Information Commissioner’s Office (ICO). For EU customers, the lead authority is determined by the customer’s establishment under the EU GDPR’s one-stop-shop rules. Vetch cooperates fully with either.

8. Annex I — processing details

Purpose: providing the Vetch platform and contracted services.
Nature: hosting, processing, transmitting, storing, and analysing personal data.
Frequency: continuous during the subscription term.

9. Annex II — security measures

Encryption: TLS 1.2+ in transit, AES-256 at rest.
Access controls: SSO + MFA for staff, role-based access, least privilege, quarterly access reviews.
Network: private VPCs, segmented environments, Web Application Firewall, DDoS mitigation.
Monitoring: centralised logging, anomaly detection, on-call rotation 24/7.
Vulnerability management: continuous dependency scanning, quarterly penetration tests, annual third-party audit.
Backups: encrypted, multi-region, restore tested quarterly.
Personnel: background checks, security training on hire and annually, NDAs for all staff.

10. Contact

Data Protection Officer: dpo@vetch.vet. Our UK supervisory authority is the ICO (ico.org.uk).