
Data Processing Agreement



This Data Processing Agreement (“DPA”) amends and forms part of the written agreement between Beam and Customer titled the Master Services Agreement (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.


1. Definitions


1.1 In this DPA, the following expressions have the following meanings:


1.1.1 Customer Personal Data means the personal data collected as part of the Customer’s use of the Product, as processed by Beam on behalf of the Customer under the Agreement (but excluding Service Management Data). For the avoidance of doubt, Personal Data includes Consumer Health Data or similar terms as defined by U.S. Privacy Laws.


1.1.2 Data Protection Laws means all data protection and privacy legislation applicable to a Party and/or its processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018, U.S. Privacy Laws, the Privacy Act 1988 (Cth) (Australia), each as amended or replaced from time to time.


1.1.3 Consumer, controller, processor, personal data, processing, service provider, and appropriate technical and organisational measures shall each have the meanings given to them in the UK GDPR and U.S. Privacy Laws. Where the Privacy Act 1988 (Cth) applies, references to "personal data" include "personal information" and "sensitive information", and references to "data subject" include "individual", each as defined under that Act.


1.1.4 DP Regulator means a valid supervisory authority (as defined under the UK GDPR), which in the UK is the Information Commissioner's Office, and in Australia is the Office of the Australian Information Commissioner ("OAIC").


1.1.5 Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.


1.1.6 “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.


1.1.7 “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA.


1.1.8 Service Management Data means personal data relating to the Customer’s personnel using the Product that Beam processes as a controller for its own purposes, including for account administration, customer support, billing, user feedback analysis and service improvement analytics, as further described in Beam’s Privacy Policy.


1.1.9 Sub-Processor(s) means any processor, including any agent, sub-contractor or other third party, engaged by Beam (or by any other Sub-Processor) for carrying out any processing activities in respect of the Customer Personal Data.


1.1.10 UK GDPR has the meaning given to it under section 3(10), as amended by section 205(4), of the Data Protection Act 2018.


1.1.11 “U.S. Privacy Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data, including Consumer Health Data. U.S. Privacy Laws include, but are not limited to, the following:


1.1.11.1 California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);


1.1.11.2 Colorado Privacy Act;


1.1.11.3 Connecticut Personal Data Privacy and Online Monitoring Act;


1.1.11.4 Delaware Personal Data Privacy Act;


1.1.11.5 Indiana Consumer Data Protection Act;


1.1.11.6 Iowa Consumer Data Protection Act;


1.1.11.7 Kentucky Consumer Data Protection Act;


1.1.11.8 Maryland Online Data Privacy Act;


1.1.11.9 Minnesota Consumer Data Privacy Act;


1.1.11.10 Montana Consumer Data Privacy Act;


1.1.11.11 Nebraska Data Privacy Act;


1.1.11.12 Nevada Consumer Health Privacy Act (NV SB 370);


1.1.11.13 New Hampshire Act Relative to the Expectation of Privacy;


1.1.11.14 New Jersey Act Concerning Online Services, Consumers, and Personal Data;


1.1.11.15 Oregon Consumer Privacy Act;


1.1.11.16 Rhode Island Data Transparency and Privacy Protection Act;


1.1.11.17 Tennessee Information Privacy Act;


1.1.11.18 Texas Data Privacy and Security Act;


1.1.11.19 Utah Consumer Privacy Act;


1.1.11.20 Virginia Consumer Data Protection Act; and


1.1.11.21 Washington My Health My Data Act.


1.2 In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.



2. Data protection roles and relationship


2.1 The Parties acknowledge that for the purposes of Customer Personal Data the Customer is the controller and Beam is the processor of the Customer Personal Data. Excluding Section 2.2, this DPA applies to the Personal Data processed in this context.


2.2 The Parties acknowledge that Beam is an independent controller for the purposes of Service Management Data and shall process such data in accordance with its public Privacy Policy and applicable Data Protection Laws.


2.3 The Parties acknowledge and agree that the disclosure or making available of Customer Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.


2.4 Both Parties will comply with all applicable requirements of Data Protection Laws in relation to Customer Personal Data that is shared or processed under this Agreement, shall provide the level of privacy protection required by Data Protection Laws, and understand and shall comply with this DPA. This Agreement does not relieve, remove or replace, a Party's obligations or rights under applicable Data Protection Laws.


2.5 The data processing activities anticipated under this Agreement are described in Annex I to this DPA.


2.6 Except as expressly permitted by the U.S. Privacy Laws, Beam is prohibited from:


2.6.1 Selling or Sharing Customer Personal Data;


2.6.2 retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in the Agreement or this DPA;


2.6.3 retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the parties; and


2.6.4 combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable U.S. Privacy Laws.



3. Data processing obligations


3.1 To the extent that Beam processes Customer Personal Data on behalf of the Customer, Beam shall process that Customer Personal Data only on the documented instructions of the Customer (which shall include processing the Customer Personal Data to the extent necessary for the provision of the Product), unless Beam is otherwise required by applicable laws. Beam shall notify the Customer if its instructions infringe Data Protection Laws or other applicable laws.


3.2 Beam shall only process Customer Personal Data for the purpose of operating and maintaining the Product.


3.3 Beam shall implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, including the measures listed in Annex II. Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer’s intended processing.


3.4 Beam shall maintain the confidentiality of the Customer Personal Data, not disclose the Customer Personal Data to any third party other than as required or authorised to do so under this Agreement and ensure that any personnel engaged and authorised by Beam to process Customer Personal Data have committed themselves to obligations of confidentiality.


3.5 Beam shall assist the Customer in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under applicable Data Protection Laws. This process shall be provided (at the Customer’s cost) and shall include:


3.5.1 referring requests and communications received from data subjects or any DP Regulator to the Customer which relate to any Customer Personal Data promptly (and in any event within five days of receipt); and


3.5.2 not responding to any such requests without the Customer’s express written approval and strictly in accordance with the Customer’s instructions unless and to the extent required by applicable law.


3.6 Beam shall promptly (and in any event within 48 hours from becoming aware):


3.6.1 notify the Customer if it becomes aware of any confirmed occurrence of any Personal Data Breach in respect of any Customer Personal Data; and


3.6.2 provide all information, to the extent available, as the Customer reasonably requires to report the circumstances to a DP Regulator and to notify affected data subjects under Data Protection Laws. Where the Privacy Act 1988 (Cth) applies and the breach may constitute an eligible data breach under Part IIIC of that Act, Beam shall provide such information and assistance as is necessary to enable the Customer to comply with its notification obligations to the OAIC and affected individuals as soon as practicable.


3.7 Beam shall promptly notify Customer if it determines that it can no longer meet its obligations under applicable Data Protection Laws. Upon receiving notice from Beam in accordance with this subsection, Customer may direct Beam to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.



4. Sub-processors


4.1 The Customer provides its prior general written authorisation for Beam to appoint Sub-processors to process Customer Personal Data. A current list of Sub-processors is maintained at https://trust.beam.org, which the Customer confirms it has reviewed as at the date of signature of this Agreement.


4.2 Beam shall provide the Customer with at least 30 days' prior written notice of any intended new or replacement Sub-processor. The Customer may object to any such change on reasonable grounds relating to data protection within thirty (30) days following Beam’s notification of the intended change. If the Customer objects, the parties shall work together in good faith to resolve the issue. If the issue cannot be resolved, the Customer may terminate the relevant part of the affected services. Such termination shall be the Customer’s sole and exclusive remedy in relation to the objection.


4.3 Beam shall enter into a written agreement with each Sub-processor containing data protection obligations that are materially similar to those in this DPA. Beam shall remain fully liable to the Customer for the performance of the Sub-processor's data protection obligations.



5. Data transfers


5.1 Subject to compliance with the terms of this Agreement, Beam may transfer Customer Personal Data within the United Kingdom and European Economic Area (the “EEA”).


5.2 To the extent that the processing of Customer Personal Data involves a transfer outside the UK and EEA, to a country not subject to an adequacy decision, Beam shall ensure such transfer is subject to appropriate safeguards, such as the UK's International Data Transfer Agreement or the UK Addendum to the EU's Standard Contractual Clauses as amended or replaced from time to time.


5.3 To the extent that the processing of Customer Personal Data involves a cross-border disclosure of personal information outside Australia, Beam shall take reasonable steps to ensure that any overseas recipient handles that information in a manner consistent with the Australian Privacy Principles, in accordance with APP 8 of the Privacy Act 1988 (Cth). This obligation shall be satisfied where the relevant Sub-Processor is bound by contractual terms materially consistent with this DPA.



6. Audit


6.1 Customer has the right to take reasonable and appropriate steps to ensure that Beam uses Customer Personal Data consistent with Customer’s obligations under applicable Data Protection Laws and this DPA. Beam shall (and shall ensure all Sub-Processors shall) promptly on no less than 30 business days’ written request by the Customer make available to the Customer such information as is reasonably required to demonstrate Beam’s compliance with their obligations under this Agreement and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by the Customer (or another auditor instructed by the Customer) for this purpose annually (if requested) and in the event of an actual or suspected Personal Data Breach. The foregoing shall only extend to those documents and facilities relevant and material to the processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption.


6.2 Customer shall conduct no more than one audit per year, unless Beam has been subject to an actual Personal Data Breach or committed a material breach of this DPA, in which case Customer may conduct an additional audit limited to matters directly related to such breach. Unless the audit reveals a breach by Beam of this DPA or applicable Data Protection Laws, Customer shall bear the costs of the audit.



7. Data on termination


7.1 On termination of this Agreement for any reason:


7.1.1 Customer shall, within 10 business days from such termination, provide Beam with instructions as to any data return or deletion requirements and Beam undertakes to use reasonable commercial endeavours to comply with such instructions within one hundred eighty (180) days from receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination); and


7.1.2 where no such instructions are provided, Beam shall proceed with the deletion of the Customer Personal Data within one hundred eighty (180) days after the termination of the Agreement.


7.2 For the avoidance of doubt, Beam shall have no obligation to delete copies of Customer Personal Data where it is not technically feasible to do so or where Customer Personal Data must be retained to comply with legal, regulatory, or professional obligations. In such cases, Beam shall be a controller for such data and shall ensure that any retained Personal Data continues to be protected in accordance with this Agreement.



Annex I


Data Processing Schedule (for Customer Personal Data)


Subject matter and nature of processing

Providing an AI-powered platform designed for public sector and care professionals. The platform offers a suite of tools that process various data inputs (including audio, video, and text) to generate structured and analytical outputs.


This involves data collection, storage, analysis, communication, and hosting. Specific processing activities may include, depending on the services used by the Customer: audio and video recording, transcription, real-time translation, summarisation, data extraction, automated interaction (e.g., voice bots), and the generation of reports, notes, chronologies, and other analytical outputs. Beam processes Customer Personal Data only on the documented instructions of the Customer, to the extent necessary for providing the Product.

Identity of Controller and Processor for each Category of Personal Data

The Customer is the controller of the Customer Personal Data provided to Beam and Beam is the processor of this data.

Duration of Processing

Processing will occur from the start of the Customer subscription to the Services until the end of the customer-defined retention period or as otherwise required for Beam to comply with its legal obligations. Data related to the program (e.g., contract performance, correspondence) will be retained for 6 years following the date of termination of the Services agreement.

Type of Personal Data

Customer Personal Data:


Customer/Service Users and Connected Individuals: Names, unique reference numbers, postal addresses, contact details (email, phone), date of birth/age, National Insurance Number, NHS Number, employment status/employer details, financial information, details of family members/carers/next of kin, other agencies involved, family composition/relationships/support network, housing status, language and interpreter needs, referral/assessment information, GP details, risk factors, personal experience, and any personal data (including special category data) contained within video and/or audio recordings uploaded by the Customer.


Special Category Data (as applicable): Physical and mental health data (including disabilities, illnesses, mental health difficulties, behavioural difficulties), racial or ethnic origin, trade union membership, political opinions, religious or philosophical beliefs, sexual life/orientation, criminal conviction data.


Customer's Employees/Staff: Names, contact details (email, phone), job title, user profile information (username, password) for application access.

Categories of Data Subject

Customer Staff, members of the public receiving support (service users) including individuals under the age of 18, and connected individuals.

Approved Sub-Processors

A full list of current Sub-processors is maintained at https://trust.beam.org/.



Annex II


Technical and Organizational Measures to Ensure the Security of Data


Beam will implement the following types of security measures:


Measure | Technical and organizational measures
Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware) where Customer Personal Data are Processed, are managed by our Sub-processors.

Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:


User identification and authentication procedures;


Strong ID/password security procedures (special characters, minimum length and complexity requirements, change of password);


Automatic blocking (e.g. password or timeout);


Monitoring of break-in attempts and automatic lock-out of the user ID after several erroneous password attempts;


Creation of one master record per user, user-master data procedures per data processing environment; and

Data access control

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:


Internal policies and procedures;


Control authorization schemes;


Differentiated access rights (profiles, roles, transactions and objects);


Monitoring and logging of accesses;


Disciplinary action against employees who access Customer Personal Data without authorization;


Reports of access;


Access procedure;


Change procedure;


Deletion procedure; and


Encryption.

Disclosure control

Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:


Encryption/tunneling;


Logging; and


Transport security.

Entry control

Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:


Logging and reporting systems; and


Audit trails and documentation.

Control of instructions

Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the controller include:


Unambiguous wording of the contract;


Formal commissioning (request form); and


Criteria for selecting the Processor.

Availability control

Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:


Backup procedures;


Anti-virus/firewall systems; and


Disaster recovery plan.

Separation control

Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:


Separation of databases;


Segregation of functions (production/testing); and


Procedures for storage, amendment, deletion, transmission of data for different purposes.

Testing controls

Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:


Periodical review and test of disaster recovery plan;


Testing and evaluation of software updates before they are installed;


Authenticated (with elevated rights) vulnerability scanning; and


Test bed for specific penetration tests and Red Team attacks.

IT governance

Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:


Certification/assurance of processes and products;


Processes for data minimization;


Processes for data quality;


Processes for limited data retention;


Processes for ensuring accountability; and


Data subject rights policies.
