Vicarity

Data Processing Agreement

Last updated: 21 April 2026

When a care home uses Vicarity, we act as a data processor in relation to resident care records. The care home is the data controller.

A full signed DPA is included in the pilot agreement for care homes. The short version is below.

What we do on your behalf

  • Store resident and care records you enter into the platform
  • Make those records available to authorised users at your care home
  • Generate structured evidence for CQC inspections
  • Enable read-only access for family members you invite

What we don't do

  • We don't use resident data for marketing or model training.
  • We don't share resident data with other care homes.
  • We don't sell any data to anyone, ever.

Sub-processors

  • Supabase — database and auth (EU region)
  • Hetzner / OVH / Fast Hosts — UK application hosting
  • Stripe — payment processing
  • Resend — transactional email

We'll notify you of any sub-processor changes with at least 30 days' notice, per standard DPA terms.

Security

  • TLS 1.3 in transit, AES-256 at rest
  • Role-based access control, scoped per care home
  • Audit logs for sensitive actions
  • Regular dependency updates and security scans

Breach notification

If we become aware of a data breach affecting your data, we'll notify you without undue delay and in any event within 72 hours.

Need the full DPA?

Email hello@mykeralam.uk with your care home details and we'll send the current signable version.