and
ResFlow (Data Processor)
In connection with the provision of the ResFlow Clinical Trial Site Management Platform.
1. Purpose
This DPA governs the processing of Personal Data by ResFlow on behalf of the Customer in accordance with:
- UK GDPR
- EU GDPR (where applicable)
- Data Protection Act 2018
- Applicable data protection legislation
This DPA applies whenever Customer uploads, stores, accesses, or processes Personal Data through ResFlow.
2. Definitions
Controller
The organisation determining the purposes and means of processing Personal Data.
For purposes of this DPA: the Customer acts as the Controller.
Processor
The organisation processing Personal Data on behalf of the Controller.
For purposes of this DPA: ResFlow acts as the Processor.
Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on Personal Data including collection, storage, access, modification, deletion, transfer, or disclosure.
3. Nature and Purpose of Processing
ResFlow provides software designed to support:
- Participant tracking
- Study administration
- Visit scheduling
- Visit window management
- Operational logging
- Research site workflow management
- Site administration activities
Processing occurs solely for the purpose of delivering these services.
ResFlow shall process Personal Data only on documented instructions from the Customer.
4. Categories of Data Subjects
Data subjects may include:
Research Participants
Individuals participating in research studies managed by the Customer.
Site Personnel
Including:
- Principal Investigators
- Study Coordinators
- Research Nurses
- Site Administrators
- Site Staff
Website Users
Individuals submitting enquiries, demo requests, or support requests.
5. Categories of Personal Data
Depending on Customer usage, Personal Data may include:
Participant Data
- Participant identifiers
- Participant initials
- Contact information
- Date of birth
- Demographic information
- Study status information
- Visit scheduling information
- Operational tracking records
Site Staff Data
- Names
- Email addresses
- User account information
- Login records
Website Contact Data
- Names
- Email addresses
- Contact details
- Enquiry information
ResFlow is not intended to serve as an Electronic Health Record system.
Customers should avoid storing unnecessary clinical records within the Platform.
6. Customer Obligations
The Customer shall:
- Ensure lawful collection of Personal Data.
- Obtain required consents and permissions.
- Provide lawful instructions to ResFlow.
- Ensure information entered into ResFlow is accurate and appropriate.
- Comply with applicable privacy and research regulations.
The Customer remains solely responsible for determining the lawful basis for processing participant information.
7. ResFlow Obligations
ResFlow shall:
- Process Personal Data only as instructed by the Customer.
- Maintain confidentiality.
- Implement appropriate technical and organisational measures.
- Restrict access to authorised personnel.
- Assist the Customer with data protection obligations where reasonably possible.
- Notify the Customer of confirmed Personal Data breaches without undue delay.
8. Security Measures
ResFlow maintains security measures including:
- Encrypted connections (TLS/HTTPS)
- Secure authentication
- Role-based permissions
- Organisation-level data segregation
- Audit logging
- Cloud-hosted infrastructure
- Access controls
Security measures may be updated from time to time to improve protection.
9. Subprocessors
Customer authorises ResFlow to use trusted subprocessors necessary for delivery of the Platform.
Current subprocessors may include:
| Provider | Purpose |
|---|---|
| Supabase | Database and Authentication |
| Vercel | Application Hosting |
| Resend | Transactional Email Delivery |
ResFlow may engage additional subprocessors where reasonably necessary.
ResFlow shall ensure subprocessors are subject to appropriate data protection obligations.
10. International Transfers
Where Personal Data is transferred outside the United Kingdom or European Economic Area, ResFlow shall implement appropriate safeguards required by applicable law.
These safeguards may include:
- Standard Contractual Clauses
- Adequacy decisions
- Other approved transfer mechanisms
11. Data Subject Rights
Where Customer receives requests relating to:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
ResFlow shall provide reasonable assistance to enable Customer to respond.
ResFlow shall not directly respond to such requests unless legally required.
12. Personal Data Breaches
In the event of a confirmed Personal Data breach affecting Customer data, ResFlow shall:
- Notify Customer without undue delay.
- Provide available information regarding the incident.
- Cooperate in remediation efforts.
- Take reasonable steps to mitigate risk.
13. Audits and Information Requests
Upon reasonable written request, ResFlow shall provide information necessary to demonstrate compliance with this DPA.
Such requests must:
- Be reasonable in scope.
- Avoid compromising security of other customers.
- Respect confidentiality obligations.
14. Data Retention and Deletion
Upon termination of services and written request by Customer, ResFlow shall:
- Provide available data export functionality.
- Delete Customer Personal Data where appropriate and legally permissible.
ResFlow may retain information where required for:
- Security purposes
- Legal obligations
- Backup procedures
- Dispute resolution
15. Confidentiality
ResFlow shall ensure all personnel authorised to process Personal Data are subject to confidentiality obligations.
16. Liability
Liability relating to Personal Data processing shall be governed by the underlying service agreement and applicable law.
Nothing in this DPA excludes liability that cannot legally be excluded.
17. Term
This DPA remains effective for as long as ResFlow processes Personal Data on behalf of the Customer.
18. Contact
For privacy, security, or data protection matters: