Data Processing Agreement

Version 1.0 · Last updated: 10 July 2026

This Data Processing Agreement (DPA) applies where you use Therasize as a controller of personal data — for example, as a practitioner or organisation using the platform to deliver care to your own clients — and Therasize acts as your processor. It forms part of, and is incorporated into, the Terms and Conditions. By accepting the Terms, or by using the Service to process personal data as a controller, you agree to this DPA. Individuals who use the Service as clients or data subjects are not parties to this DPA.

1. Parties and roles

This DPA is between the customer acting as controller (the “Controller”) and Therasize Limited, registered in England and Wales (no. 14110293), registered office Soho Works, 180 Strand, London WC2R 1EA (the “Processor”). The Controller determines the purposes and means of processing the personal data; Therasize processes it on the Controller’s documented instructions.

2. Key terms

  • Term: commences on acceptance and continues for the duration of the main agreement (the Terms and Conditions or a separate signed agreement).
  • Breach notification period: without undue delay after Therasize becomes aware of a personal data breach.
  • Sub-processor notification period: 14 days before a new sub-processor is granted access to personal data.
  • Governing law and jurisdiction: England and Wales.
  • Data protection laws: the UK GDPR, the Data Protection Act 2018, and all applicable laws, each as amended from time to time.
  • Liability: each party’s aggregate liability under this DPA is subject to the liability caps in the main agreement.

3. Subject matter and purpose of processing

Therasize provides a web-based platform that enables the Controller’s practitioners to deliver structured psychological therapy (principally CBT) to their clients, including sharing therapeutic resources, setting and reviewing homework and tasks, administering psychometric assessments, secure messaging, and video sessions.

Therasize processes personal data solely to provide and support the platform on the Controller’s documented instructions. Processing includes hosting and storage of account and care data, transmission of secure messages and (unrecorded) video sessions, delivery of assessments and homework, and operation of the practitioner–client relationship. Data is stored on managed EEA cloud infrastructure, minimised by design (clients identified by email address only; sessions not recorded), and is not used for any purpose other than delivering the Service. AI features are disabled, and no profiling, automated decision-making with legal or similarly significant effect, or secondary use of care data takes place. Processing continues for the term of the main agreement.

4. Personal data and data subjects

Categories of personal data: email address; display name and, where a practitioner chooses to provide it, client name; practitioner name, professional/account details and contact email; account identifiers and authentication data; appointment/session metadata; and usage/technical data (e.g. IP address for security).

Special category data (health): psychometric assessment responses and scores (e.g. anxiety/depression measures); homework, worksheet and free-text content created during therapy; the content of messages exchanged between practitioner and client; and the fact that an individual is receiving psychological therapy.

Data subjects: clients (individuals receiving or being assessed for therapy) and practitioners (therapists, clinicians and other authorised staff of the Controller who use the platform).

5. Controller obligations

The Controller instructs Therasize to process personal data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases (including any Article 9 condition for health data) required to allow Therasize to process the personal data.

6. Processor obligations

Therasize will:

  • only process personal data in accordance with this DPA and the Controller’s documented instructions, unless legally required to do otherwise;
  • not sell, retain or use personal data for any purpose other than as permitted by this DPA and the main agreement;
  • inform the Controller if, in its opinion, an instruction infringes data protection laws;
  • apply the technical and organisational measures described in Annex 1 to ensure a level of security appropriate to the risk;
  • notify the Controller of a personal data breach within the breach notification period and assist in responding to it;
  • ensure that anyone authorised to process personal data is bound by confidentiality obligations;
  • provide reasonable assistance, without undue delay, with data protection impact assessments, data subject rights requests, and engagement with supervisory authorities;
  • make available information necessary to demonstrate compliance, and allow for audits at the Controller’s reasonable request (limited to once a year and during business hours, except following a personal data breach); and
  • return or delete personal data at the end of the term or on the Controller’s written request, unless retention is legally required.

7. Sub-processing

The Controller authorises Therasize to engage the sub-processors listed in Annex 2. Therasize will impose data protection terms on each sub-processor equivalent to those in this DPA, ensure appropriate safeguards are in place before any international transfer, and remain liable for the acts and omissions of its sub-processors. Therasize will notify the Controller before appointing a new sub-processor, in accordance with the sub-processor notification period, and the Controller may reasonably object.

8. International transfers

Core personal data is stored within the UK/EEA. Where a sub-processor is located outside the UK, the EEA or an adequate country, transfers are protected by an appropriate safeguard — the UK Extension to the EU-US Data Privacy Framework where the provider is certified, and/or the UK International Data Transfer Agreement or Standard Contractual Clauses. Where required, supplementary measures are applied so that personal data receives a standard of protection essentially equivalent to that under UK data protection law.

Annex 1 — Security measures

  • Hosting and residency: core personal data is hosted on managed EEA cloud infrastructure (Google Cloud / Firebase; Firestore, Cloud Storage and Cloud Functions in EU regions).
  • Encryption: personal data is encrypted in transit (TLS) and at rest (AES-256).
  • Access control: data is segregated by server-side security rules enforcing role-, relationship- and field-level least-privilege access. Administrative access is restricted to authorised personnel, protected by a hardware security key (YubiKey), and all personnel accounts require multi-factor authentication.
  • Authentication and abuse prevention: Firebase Authentication with MFA support; bot/abuse protection (Cloudflare Turnstile) and app-integrity checks (Firebase App Check); minimum 12-character passwords.
  • Data minimisation: clients are identified by email address only; video sessions are not recorded; chat is self-hosted in EEA infrastructure.
  • Resilience and backup: point-in-time recovery (7 days) and weekly scheduled backups retained for 98 days.
  • Secure development and secrets: secrets held in managed secret storage (not in source code); least-privilege service credentials; version-controlled private codebase; code review and type-checking before release.
  • Confidentiality: all personnel are bound by confidentiality obligations.
  • Governance: sub-processor due diligence and DPAs; documented incident-response process; alignment to Cyber Essentials.

Annex 2 — Sub-processors

  • Google (Google Cloud / Firebase)

    Location: Data stored in EEA; Google LLC (US) parent

    Role: Cloud hosting, database, file storage, authentication and serverless functions

    Transfer mechanism: UK adequacy (EEA storage) + EU-US Data Privacy Framework (UK Extension) / SCCs

  • Vercel Inc.

    Location: United States (compute region pinned to EU – Frankfurt)

    Role: Application hosting / serverless compute

    Transfer mechanism: EU-US Data Privacy Framework (UK Extension) / SCCs

  • Stream (Stream.io Inc.)

    Location: United States (EU data residency configured)

    Role: Video sessions (unrecorded) and messaging infrastructure

    Transfer mechanism: EU-US Data Privacy Framework (UK Extension) / SCCs

  • Cloudflare Inc.

    Location: United States (global edge network)

    Role: Bot / abuse protection (Turnstile)

    Transfer mechanism: EU-US Data Privacy Framework (UK Extension) / SCCs

  • Brevo (Sendinblue SAS)

    Location: France (EEA)

    Role: Transactional and opt-in marketing email

    Transfer mechanism: Adequacy (EEA)

  • Stripe

    Location: United States / EEA

    Role: Payment and billing processing (acts as independent controller for card data)

    Transfer mechanism: EU-US Data Privacy Framework (UK Extension) / SCCs

9. Signed agreements and contact

If your organisation requires a separately executed data processing agreement, or has questions about this DPA, contact us at contact@therasize.com, or write to Therasize Limited, Soho Works, 180 Strand, London WC2R 1EA. In the event of a conflict between this DPA and the main agreement, this DPA prevails in respect of data protection matters.