Data Processing Agreement
Last Updated: March 2026 · Supplementary to the Master SaaS Service Agreement
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Master SaaS Service Agreement between FosterCore ("Processor") and the Independent Fostering Agency ("Controller"). This DPA governs the Processor's processing of personal data, including Special Category Data, on behalf of the Controller in accordance with UK GDPR and the Data Protection Act 2018.
2. Roles and Responsibilities
The Controller determines the purposes and means of processing personal data. The Processor processes personal data only on documented instructions from the Controller, except where required by law. The Processor shall:
- Process data only on documented instructions from the Controller.
- Ensure persons authorised to process data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Assist the Controller in responding to data subject requests within statutory timeframes.
- Delete or return all personal data upon termination of the service agreement.
3. Data Residency Guarantee
FosterCore guarantees that 100% of the Controller's data is stored and processed within the United Kingdom. The primary database (Supabase PostgreSQL) is locked to the eu-west-2 (London) AWS region. Serverless execution environments (Vercel Edge) are bound to the lhr1 (London) zone. No personal data shall be transferred outside the UK/EEA without the Controller's explicit prior written consent. In the event of a sub-processor change that would affect data residency, the Controller shall be notified 30 days in advance with the right to object.
4. Security Measures
The Processor shall implement and maintain the following security measures:
- Encryption at rest: AES-256 for all stored data and backups.
- Encryption in transit: TLS 1.3 for all connections; HSTS enforced.
- Access control: Role-based access control (RBAC) with four permission levels. Multi-factor authentication available for all users.
- Audit logging: Immutable, SHA-256 hashed logs of all data access events.
- Penetration testing: Annual third-party testing with remediation tracking.
- Vulnerability management: Continuous automated scanning with prompt patching.
5. Statutory Retention
FosterCore is purpose-built for the Fostering Services (England) Regulations 2011. Data retention periods are configured to comply with statutory requirements:
- Deregistered carer records: 10 years post-deregistration (Regulation 30).
- Looked-after children records (Schedule 3): 75 years from the child's date of birth, or 15 years from the date of death.
- Audit logs: Minimum 7 years.
The Processor provides a 75-Year Archival Vault: upon closure of a child's record, the Controller may elect to cryptographically lock the record in UK-based cold storage (AWS S3 Glacier) for the full statutory retention period.
6. Sub-Processors
The Controller authorises the following sub-processors:
- Supabase: Database (eu-west-2). SOC 2 Type II.
- Vercel: Hosting and edge execution (lhr1). SOC 2 Type II.
- Clerk: Authentication and IAM. SOC 2 Type II.
- Google (Gemini AI): AI features. Data not used for training. UK processing.
The Processor shall notify the Controller 30 days before engaging a new sub-processor, providing the sub-processor's name, location, and services. The Controller may object in writing within 14 days. If the objection is not resolved, the Controller may terminate the Agreement without penalty.
7. Audit Trails and LADO Investigations
The Processor maintains immutable, SHA-256 hashed audit logs of all database transactions. These logs record: the acting user, timestamp, IP address, action performed, and affected record. Audit logs cannot be modified or deleted by any user, including administrators. The Processor shall assist the Controller in generating definitive access logs for Local Authority Designated Officer (LADO) investigations, Regulation 44 visits, and Ofsted inspections.
8. Breach Notification
In the event of a confirmed personal data breach affecting the Controller's data, the Processor shall:
- Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach.
- Provide a detailed incident report including: nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken or proposed.
- Cooperate fully with the Controller in meeting the ICO's 72-hour notification requirement.
- Conduct a post-incident review and share findings with the Controller within 14 days.
9. Data Subject Requests
The Processor shall promptly notify the Controller of any data subject request received directly, and shall not respond to such requests except on the Controller's documented instructions. The Processor shall assist the Controller in fulfilling Subject Access Requests (SARs), rectification requests, erasure requests (subject to statutory retention), and portability requests by providing structured data exports and access logs within 10 working days.
10. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable prior notice (minimum 30 days). The Processor shall make available all information necessary to demonstrate compliance and shall allow and contribute to audits conducted by the Controller or an independent auditor appointed by the Controller. Enterprise tier customers may request an annual compliance review at no additional cost.
11. Termination and Data Return
Upon termination of the service agreement, the Processor shall, at the Controller's election: (a) return all personal data in a structured, machine-readable format (SQL/CSV) within 10 working days; or (b) securely delete all personal data from live systems within 14 days and from backup systems within 90 days. A certificate of deletion shall be provided upon request. This obligation does not apply to data held in the 75-Year Archival Vault, which shall be retained for the full statutory period.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. In the event of conflict between this DPA and the Master SaaS Service Agreement, this DPA shall prevail with respect to data protection matters.