Data Processing Agreement
Last updated: 9 April 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service and forms part of the agreement between NoLapse (the "Processor") and you, the account holder (the "Controller"). It governs the processing of personal data by NoLapse on your behalf, as required by UK GDPR Article 28.
1. Definitions
"Personal data", "data controller", "data processor", "processing", and "data subject" have the meanings given in UK GDPR.
Controller: the organisation or individual who holds a NoLapse account and enters practitioner data into the platform.
Processor: Paul Church, operating NoLapse (nolapse.co.uk), based in the United Kingdom.
2. Subject matter and duration
The Processor will process personal data on behalf of the Controller for the purpose of providing the NoLapse compliance monitoring service: storing practitioner registration records, calculating registration status, sending expiry alert emails, and generating compliance evidence exports.
Processing will continue for the duration of the Controller's active subscription. On termination of the subscription, the Processor will delete all practitioner data belonging to the Controller within 30 days, unless required by law to retain it for longer.
3. Nature and purpose of processing
The Processor will process personal data solely to:
- Store and display practitioner registration records entered by the Controller.
- Calculate registration status based on expiry dates provided by the Controller.
- Send automated expiry alert emails to the Controller's account email address.
- Send renewal reminder emails to practitioner email addresses where provided by the Controller.
- Generate PDF compliance evidence exports on demand.
The Processor will not process personal data for any purpose other than those listed above without the prior written consent of the Controller.
4. Types of personal data
The personal data processed under this agreement may include:
- Practitioner first name and last name.
- Professional registration number (e.g. HCPC, NMC, GMC, GDC, GPhC).
- Profession and regulated register.
- Registration expiry date.
- Practitioner email address (optional, where provided by the Controller).
5. Categories of data subjects
The data subjects are the healthcare practitioners employed or engaged by the Controller whose registration details are entered into the NoLapse platform.
6. Obligations of the Processor
The Processor will:
- Process personal data only on the documented instructions of the Controller (i.e. the data entered and actions taken through the NoLapse platform).
- Ensure that persons authorised to process personal data are subject to a duty of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption at rest and in transit, access controls, and row-level security policies in the database.
- Not engage any sub-processor without informing the Controller. Current sub-processors are listed in Section 8 below.
- Assist the Controller in responding to data subject rights requests and in meeting obligations under UK GDPR Articles 32-36, to the extent reasonably practicable.
- Delete or return all personal data to the Controller upon termination of the service, at the Controller's choice, and delete existing copies unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this agreement, and allow for and contribute to audits and inspections, on reasonable notice.
7. Obligations of the Controller
The Controller warrants and undertakes that:
- It has a lawful basis for processing the practitioner data it enters into NoLapse, and has informed data subjects that their data is being processed, where required.
- The personal data entered is accurate and the Controller is authorised to provide it to the Processor for the stated purpose.
- It will comply with its own obligations as data controller under UK GDPR.
8. Sub-processors
The Processor currently uses the following sub-processors:
- Supabase Inc. (database hosting) -- data stored in AWS eu-west-2 (London).
- Vercel Inc. (application hosting and CDN) -- servers in EU regions.
- Resend Inc. (transactional email delivery) -- for alert and reminder emails.
The Processor will notify the Controller of any intended changes to sub-processors. The Controller may object to a new sub-processor in writing within 14 days of notification. If the parties cannot resolve the objection, the Controller may terminate the agreement with 30 days' notice.
9. International transfers
All personal data is stored within the UK or EU. Supabase uses AWS eu-west-2 (London). No transfers of personal data to third countries outside the UK or EEA will take place unless appropriate safeguards are in place.
10. Governing law
This agreement is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.
11. Contact
Questions about this agreement or data protection at NoLapse should be directed to hello@nolapse.co.uk.