Data Processing Agreement

Last updated: 24 May 2026 • Version 1.0 • UK GDPR Article 28 compliant

This DPA forms part of the KingCare Terms of Service. It sets out how KingCare processes personal data on your behalf as your Data Processor. It is binding on both parties from the moment you create a KingCare account.

Important for registered providers: As a children's home operator you are the Data Controller for all children's personal data. This DPA documents the lawful basis and safeguards for KingCare's processing of that data on your behalf, as required by UK GDPR Article 28.

1. Definitions

"Controller" means you, the Customer — the registered provider of a children's home, who determines the purposes and means of processing children's personal data.

"Processor" means KingCare (Mandy Support Ltd), which processes personal data on your behalf and according to your instructions.

"Personal Data" has the meaning given in the UK GDPR.

"Special Category Data" means personal data revealing health information, including physical and mental health, wellbeing and medical records relating to children in your care.

"Children's Data" means any personal data about children in your care that is entered into the KingCare platform by you or your staff.

"Services" means the KingCare software platform as described in the Terms of Service.

"Sub-processor" means any third party engaged by KingCare to process personal data as part of the Services.

2. Scope of processing

Item	Detail
Subject matter	Provision of children's residential care records management software
Duration	For the term of the subscription agreement
Nature of processing	Collection, storage, retrieval, display, export and deletion of records
Purpose	Enabling compliance with Children's Homes (England) Regulations 2015; Ofsted inspection readiness; care quality documentation
Types of personal data	Children's names, dates of birth, incident records, daily logs, health/wellbeing entries, placement information, Annex A responses, staff observations
Special category data	Health and wellbeing information relating to children (UK GDPR Art. 9)
Data subjects	Children in your registered children's home(s); staff members of your organisation

3. Processor obligations

KingCare shall, as Data Processor:

Process Children's Data only on your documented instructions, unless required by applicable law
Ensure that persons authorised to process Children's Data are bound by confidentiality obligations
Implement and maintain appropriate technical and organisational measures (see Section 5)
Not engage sub-processors without prior general or specific written authorisation from you (Section 6 constitutes general authorisation for listed sub-processors)
Assist you in responding to data subject rights requests within the timeframes required by UK GDPR
Assist you in meeting your obligations under UK GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation)
Delete or return all Children's Data at the end of the service relationship, at your choice
Make available all information necessary to demonstrate compliance with this DPA
Notify you without undue delay (and within 72 hours where possible) of any personal data breach affecting Children's Data

4. Controller obligations

You, as Data Controller, shall:

Ensure you have a lawful basis for collecting and entering Children's Data into the platform
Provide appropriate notices to data subjects (children's families, staff) about processing
Ensure that Special Category Data (health information) is processed under a valid Schedule 1 DPA 2018 condition (e.g., safeguarding of children — paragraph 18)
Not instruct KingCare to process data in a way that would breach applicable law
Maintain your own records of processing activities as required by UK GDPR Article 30

5. Security measures

KingCare implements the following technical and organisational security measures:

5.1 Technical measures

All data transmitted over public networks encrypted with TLS 1.2 or higher
All data at rest encrypted using Microsoft Azure Transparent Data Encryption (AES-256)
Passwords hashed using PBKDF2 with HMAC-SHA256 (10,000 iterations minimum)
Role-based access control: staff only access records within their organisation
Organisation-level data isolation: each organisation's data is logically separated in a shared database with row-level tenancy enforcement
Audit logs recording all access to and modification of Children's Data
Inspector accounts: read-only access, scoped to a single inspection session
Automated dependency vulnerability scanning

5.2 Organisational measures

Access to production systems is restricted to authorised personnel only
All personnel with access to personal data are bound by confidentiality obligations
Security incidents are escalated and responded to within 24 hours of detection
This DPA and related security policies are reviewed at least annually

6. Sub-processors

You authorise KingCare to engage the following sub-processors. KingCare will notify you of any intended changes to this list (additions or replacements) with at least 14 days' notice, giving you the opportunity to object.

Sub-processor	Location	Processing activity
Microsoft Azure	UK South (London)	Database hosting; persistent storage of all personal data
Render.com	United States (Oregon)	Application hosting; processes data in transit only; no persistent storage of personal data
Stripe	United States / EU	Payment processing; processes billing contact information only; no access to Children's Data

Where sub-processors are located outside the UK, KingCare ensures appropriate safeguards are in place (UK Addendum to EU Standard Contractual Clauses, or adequacy decision) before any transfer of personal data.

7. International transfers

All Children's Data is stored on Microsoft Azure UK South (London) and does not leave the United Kingdom.

Application code runs on Render.com infrastructure in the United States. Data is processed in memory during request handling but is not persistently stored outside the UK. KingCare has in place standard contractual clauses (UK Addendum) with Render.com to cover this in-transit processing.

8. Data subject rights

Where a child, their representative, or a staff member exercises a data subject right (access, erasure, rectification, portability) that relates to data processed by KingCare on your behalf:

KingCare will promptly notify you of any such request received directly by KingCare
KingCare will not respond to such requests except on your documented instruction
KingCare will assist you technically in fulfilling such requests (e.g., data exports, targeted deletion)

You remain responsible for responding to data subjects within the statutory timeframes (one month under UK GDPR, extendable by two further months in complex cases).

9. Personal data breaches

In the event of a personal data breach affecting Children's Data, KingCare shall:

Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach
Provide all available information about the breach: nature, categories of data, approximate number of individuals affected, likely consequences, and measures taken or proposed
Cooperate fully with your investigation and remediation efforts
Assist you in making any required notification to the ICO and/or affected data subjects

10. Audit rights

You have the right to audit KingCare's compliance with this DPA. In practice, audits will be conducted by:

Reviewing this DPA and any supporting documentation provided by KingCare
Requesting written confirmation of specific security measures
Where necessary, an on-site audit conducted on reasonable notice (at least 30 days) and at your cost

KingCare may satisfy audit requests by providing current third-party audit reports (ISO 27001, SOC 2) from its sub-processors where available.

11. Return and deletion of data

On termination of the Service agreement, or on your written request:

KingCare will provide a complete export of your Children's Data in JSON or CSV format within 14 days of request
Following export confirmation, or after 90 days of account closure (whichever is earlier), KingCare will securely delete all Children's Data from its systems
Deletion will be confirmed in writing
Backup copies will be deleted within a further 30 days (consistent with backup rotation schedules)

Certain data may be retained where required by law (e.g., billing records for HMRC purposes — these do not include Children's Data).

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.

13. Governing law

This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the courts of England and Wales.

14. Contact

For all data protection matters relating to this DPA:
Mandy Support Ltd (trading as KingCare)
Email: branson@kingcare.uk
ICO Registration: ZB763838
Registered address: Leicester, England, United Kingdom