Nightingale Software Group logo
Nightingale
Software Group
Legal

Data Processing Agreement

Last updated June 19, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Nightingale Software Group ("Nightingale", "Processor") and the customer ("Customer", "Controller") for the provision of the Services, and reflects the parties' agreement with regard to the Processing of Personal Data under UK GDPR Article 28.

This is a draft template. Final, signable copies are issued on request — contact team@nightingalesoftware.co.uk.

1. Definitions

Capitalised terms not defined here have the meaning given in the UK GDPR and the Data Protection Act 2018.

2. Roles of the parties

Customer is the Controller of Personal Data submitted to the Services. Nightingale is the Processor and will Process Personal Data only on documented instructions from the Customer.

3. Subject matter and duration

Processing is for the duration of the agreement and for the purpose of providing the Services. Subject matter is the Personal Data Customer submits to the Services.

4. Nature and purpose of processing

Hosting, storage, transmission, analysis, support and other processing necessary to provide the Services and meet our obligations under the agreement.

5. Sub-processors

Customer authorises Nightingale to engage sub-processors for hosting, email delivery, payments and similar services. A current list is available on request. We give reasonable notice of changes.

6. Security

Nightingale maintains technical and organisational measures appropriate to the risk, including encryption in transit, role-based access controls, customer-isolated data, and audit logging of privileged actions.

7. Personal data breach

Nightingale will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer data.

8. Data subject rights

Nightingale will assist Customer with responding to data subject requests through appropriate technical and organisational measures, taking into account the nature of the Processing.

9. International transfers

Where Personal Data is transferred outside the UK, Nightingale relies on appropriate safeguards such as the UK International Data Transfer Agreement or Standard Contractual Clauses.

10. Return and deletion

On termination, Nightingale will, at Customer's choice, delete or return Personal Data, subject to legal retention obligations.

11. Audits

Nightingale will make available information necessary to demonstrate compliance with Article 28 obligations, and allow for and contribute to audits as reasonably required.

12. Contact

For DPA enquiries or to request a signable copy, email team@nightingalesoftware.co.uk.