Legal Document · UK GDPR Article 28

Data Processing Agreement

Version 1.1
Effective Date 28 April 2026
Governing Law England & Wales / UK GDPR
Processor SMEDTEC Ltd
Legal notice: This Data Processing Agreement is intended to satisfy the requirements of UK GDPR Article 28 and EU GDPR Article 28. It has been drafted in good faith by SMEDTEC Ltd as a commercially reasonable baseline. You are strongly advised to have this Agreement reviewed by a qualified data protection solicitor or your Data Protection Officer before execution, to ensure it meets your organisation's specific legal requirements and regulatory obligations.
How this Agreement works: This DPA is incorporated into and forms part of the Terms of Service between SMEDTEC Ltd ("Processor") and the Customer ("Controller"). Where the Customer accepts the Terms of Service via the platform's acceptance flow, this DPA is simultaneously accepted. No separate signature is required, though either party may request a countersigned version by contacting [email protected].
Background

Background

SMEDTEC Ltd provides SMEDTEC OS, a regulatory project management and operations platform for medical device organisations. In providing the Services, SMEDTEC Ltd processes personal data on behalf of the Customer. This Data Processing Agreement sets out the terms on which that processing takes place, in accordance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and Article 28 of Regulation (EU) 2016/679 (EU GDPR), as applicable.

The parties acknowledge that the Customer is the Controller of the personal data processed through SMEDTEC OS, and that SMEDTEC Ltd is the Processor acting on the Customer's instructions.

Section 1

Definitions

TermMeaning
"AI Act"Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence, as amended from time to time, and where applicable to UK customers any equivalent UK statutory or regulatory framework adopted by the United Kingdom on the same subject matter.
"AI System"Has the meaning given in Article 3(1) of the AI Act.
"Controller"The Customer, being the natural or legal person who determines the purposes and means of the processing of personal data.
"Data Protection Laws"The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and where applicable, EU GDPR, together with all related guidance, codes of practice, and decisions issued by supervisory authorities, as amended from time to time.
"Data Subject"An identified or identifiable natural person to whom personal data relates.
"GPAI Model"A general-purpose AI model within the meaning of Article 3(63) of the AI Act.
"Personal Data"Any information relating to an identified or identifiable natural person, as defined in the Data Protection Laws.
"Personal Data Breach"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processor"SMEDTEC Ltd, being the natural or legal person who processes personal data on behalf of the Controller.
"Processing"Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.
"Services"SMEDTEC OS and all associated features and integrations provided by SMEDTEC Ltd under the Terms of Service.
"Standard Contractual Clauses" / "SCCs"The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Decision 2021/914/EU) or the International Data Transfer Agreement (IDTA) issued by the UK ICO, as applicable.
"Sub-processor"A third party engaged by SMEDTEC Ltd as a Processor to process Personal Data on behalf of the Controller.
"Supervisory Authority"For UK purposes, the Information Commissioner's Office (ICO). For EU purposes, the relevant national data protection authority.
Section 2

Roles & Relationships

2.1 Controller and Processor

The Customer is the Controller of Personal Data processed through SMEDTEC OS. SMEDTEC Ltd is a Processor acting on the documented instructions of the Controller. Both parties acknowledge that this characterisation reflects the actual allocation of responsibility for data processing decisions.

2.2 Processor Instructions

SMEDTEC Ltd shall process Personal Data only on the documented instructions of the Controller, except where required to do so by applicable law. SMEDTEC Ltd shall inform the Controller promptly if, in its opinion, an instruction infringes Data Protection Laws, and may suspend the relevant processing pending clarification from the Controller.

2.3 Independent Processing

Where SMEDTEC Ltd processes Personal Data for its own purposes (for example, using anonymised and aggregated usage data to improve the Services), it does so as an independent Controller. Such processing is governed by the SMEDTEC OS Privacy Policy and is not subject to this DPA. SMEDTEC Ltd does not process identifiable Customer Data for its own purposes.

Section 3

Subject Matter & Duration

The details of the processing subject to this DPA are set out in Schedule 1. In summary:

ElementDetail
Subject matterProcessing of personal data in connection with the Customer's use of SMEDTEC OS
DurationFor the term of the Customer's Subscription under the Terms of Service, plus the data deletion period described in Section 12
NatureStorage, retrieval, display, transmission, analysis, and deletion of personal data in connection with the Services
PurposeTo provide SMEDTEC OS to the Customer and its Users in accordance with the Terms of Service
Types of dataSee Schedule 1 — Processing Details
Categories of data subjectsUsers, Customer's employees, and other individuals whose data is included in Customer Data
Section 4

Controller Obligations

The Controller represents, warrants, and undertakes that:

  • It has a valid legal basis under Data Protection Laws for each Processing activity it instructs SMEDTEC Ltd to carry out
  • It has provided all required notices and obtained all required consents from Data Subjects in connection with their Personal Data being processed through SMEDTEC OS
  • It will comply with its obligations as Controller under Data Protection Laws, including maintaining records of processing activities where required
  • The Personal Data it provides to SMEDTEC OS is accurate, up to date, and limited to what is necessary for the purposes of the Services
  • It will not instruct SMEDTEC Ltd to process Personal Data in a manner that would cause SMEDTEC Ltd to violate Data Protection Laws
  • It will promptly communicate to SMEDTEC Ltd any changes to its instructions or any circumstances that may affect the lawfulness of the processing
Section 5

Processor Obligations

5.1 Lawful Processing

SMEDTEC Ltd shall process Personal Data only: (a) on the documented instructions of the Controller, as set out in this DPA and the Terms of Service; (b) as required by applicable law; or (c) as otherwise agreed in writing by the parties.

5.2 Confidentiality

SMEDTEC Ltd shall ensure that persons authorised to process Personal Data on its behalf are subject to a duty of confidentiality, whether under contract or statutory obligation. Access to Personal Data is restricted to personnel who need access to perform their job functions in connection with the Services.

5.3 Security

SMEDTEC Ltd shall implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The security measures implemented are described in Schedule 3.

5.4 Sub-processing

SMEDTEC Ltd shall engage Sub-processors only in accordance with Section 6 of this DPA. SMEDTEC Ltd shall impose data protection obligations on Sub-processors equivalent to those set out in this DPA, and remains liable to the Controller for the acts and omissions of Sub-processors as if they were SMEDTEC Ltd's own acts and omissions.

5.5 Data Subject Rights

SMEDTEC Ltd shall assist the Controller in fulfilling its obligations to respond to Data Subject requests in accordance with Section 7 of this DPA.

5.6 Assistance with Compliance

Taking into account the nature of the processing and information available to SMEDTEC Ltd, SMEDTEC Ltd shall provide reasonable assistance to the Controller in ensuring compliance with the Controller's obligations under Data Protection Laws, including in relation to: (a) security of processing; (b) notification of Personal Data Breaches; (c) data protection impact assessments; and (d) prior consultation with supervisory authorities.

5.7 AI Processing

When Personal Data is processed through AI-assisted features of SMEDTEC OS (including the Notebook), SMEDTEC Ltd shall: (a) ensure all AI API calls are made server-side via authenticated Edge Functions, not from the customer's browser; (b) not permit the AI provider (Anthropic) to use Personal Data for model training unless the Controller has separately consented to such use and SMEDTEC Ltd has obtained appropriate assurances from Anthropic; (c) ensure that Personal Data processed in-memory for AI features is not retained by Anthropic beyond the duration of the API session, subject to Anthropic's then-current API terms. This Section 5.7 governs the data protection aspects of AI processing. The roles, classification, and transparency obligations of the parties under the AI Act are set out in Section 15.

Section 6

Sub-processors

6.1 Approved Sub-processors

The Controller provides general authorisation for SMEDTEC Ltd to engage the Sub-processors listed in Schedule 2. SMEDTEC Ltd shall inform the Controller in advance of any intended changes to this list (additions or replacements).

6.2 Objection Process

The Controller may object to the appointment of a new or replacement Sub-processor on reasonable data protection grounds by notifying SMEDTEC Ltd in writing within 14 days of receiving notice of the change. If the Controller objects and SMEDTEC Ltd is unable to accommodate the objection without material impact on the Services, the Controller may terminate the relevant Services on 30 days' written notice and receive a pro-rata refund of prepaid fees for the unused period.

6.3 Sub-processor Contracts

SMEDTEC Ltd shall enter into written data processing agreements with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. SMEDTEC Ltd shall provide copies of relevant Sub-processor DPAs to the Controller on reasonable request.

6.4 Liability for Sub-processors

SMEDTEC Ltd remains fully liable to the Controller for the performance of each Sub-processor's data protection obligations as if SMEDTEC Ltd were performing them directly.

Section 7

Data Subject Rights

7.1 Handling Requests

Where SMEDTEC Ltd receives a Data Subject request (e.g., access, rectification, erasure, restriction, portability, or objection) directly from a Data Subject, SMEDTEC Ltd shall promptly forward the request to the Controller and shall not respond to the Data Subject directly except as instructed by the Controller or as required by applicable law.

7.2 Technical Assistance

SMEDTEC Ltd shall provide reasonable technical assistance to the Controller in responding to Data Subject requests, including by providing functionality within SMEDTEC OS that enables the Controller to export, correct, or delete Customer Data, and by assisting with searches for Personal Data held in the platform upon the Controller's reasonable request.

7.3 Timely Response

SMEDTEC Ltd shall provide the assistance described in this Section within a timescale that allows the Controller to meet its obligations under Data Protection Laws (which in the UK require a response within one calendar month of a valid Data Subject request, extendable by two months in complex cases).

Section 8

Security Measures

SMEDTEC Ltd implements the technical and organisational security measures described in Schedule 3. These measures are designed to achieve a level of security appropriate to the risk, taking into account:

  • The state of the art and costs of implementation
  • The nature, scope, context, and purposes of the processing
  • The risks of varying likelihood and severity posed to the rights and freedoms of Data Subjects

SMEDTEC Ltd shall regularly review and update its security measures. SMEDTEC Ltd may update Schedule 3 from time to time to reflect changes in security practices, provided that the overall level of security is not materially diminished. Material reductions in security measures will be notified to the Controller in advance.

Section 9

Personal Data Breaches

9.1 Notification to Controller

SMEDTEC Ltd shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data Breach affecting Customer Data. This notification will be made to the registered admin email address of the Customer's Organisation account. The notification will include:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned (to the extent known)
  • The name and contact details of SMEDTEC Ltd's data protection contact
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

9.2 Further Information

Where information cannot be provided simultaneously with the initial notification, SMEDTEC Ltd shall provide it in phases as it becomes available, without undue further delay.

9.3 Controller Responsibility for Regulatory Notification

The Controller is responsible for determining whether the Personal Data Breach must be reported to the Supervisory Authority and/or communicated to affected Data Subjects under Data Protection Laws, and for making any such notifications. SMEDTEC Ltd shall cooperate with the Controller and provide reasonable assistance in this process.

9.4 Security Incidents

SMEDTEC Ltd shall promptly investigate any security incident that may have resulted in a Personal Data Breach. SMEDTEC Ltd maintains incident response procedures designed to detect, contain, and remediate security incidents. Details of SMEDTEC OS's incident response programme are available on request.

Section 10

International Transfers

10.1 Processing Location

SMEDTEC OS is hosted on Supabase Cloud infrastructure. Supabase offers EU-region database hosting. EU-based data residency is available to Customers who require GDPR-compliant data storage within the European Economic Area — please contact [email protected] to discuss data residency requirements during onboarding.

10.2 Default Processing Location

Absent a specific data residency agreement, Customer Data may be processed in the United Kingdom and/or the European Economic Area. SMEDTEC Ltd will not transfer Personal Data to countries outside the UK and EEA without ensuring that an appropriate transfer mechanism is in place as described in Section 10.3.

10.3 Transfer Safeguards

Where Personal Data is transferred to a country not recognised as providing an adequate level of data protection under UK or EU law, SMEDTEC Ltd shall ensure that one of the following safeguards is in place:

  • An adequacy decision by the relevant supervisory authority or the UK Secretary of State
  • Standard Contractual Clauses (EU SCCs or UK IDTA) as appropriate
  • Binding Corporate Rules approved by a competent supervisory authority
  • Another approved transfer mechanism under applicable Data Protection Laws

10.4 AI Processing Transfers

AI processing via Anthropic's Claude API involves transfers of data to the United States. SMEDTEC Ltd relies on Standard Contractual Clauses (EU) and the UK IDTA for these transfers, as set out in its Sub-processor DPA with Anthropic.

Section 11

Audit & Assistance

11.1 Information and Audit Rights

SMEDTEC Ltd shall make available to the Controller all information necessary to demonstrate compliance with its obligations under this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits are subject to:

  • Reasonable prior written notice of at least 30 days (except in the case of a confirmed security incident)
  • Execution of a confidentiality agreement by the auditor
  • Conduct of the audit during normal business hours and in a manner that does not unreasonably disrupt SMEDTEC Ltd's operations
  • The Controller bearing the costs of any third-party auditor engaged by the Controller

11.2 Certification and Reports

SMEDTEC Ltd may satisfy the Controller's audit rights by providing the Controller with copies of relevant third-party audit reports, certifications, or penetration testing summaries where available, subject to confidentiality restrictions. The Controller may request an additional audit where it has reasonable, documented grounds to believe that these reports are insufficient to demonstrate compliance with this DPA.

11.3 DPIA Assistance

Where a data protection impact assessment (DPIA) is required in connection with the Customer's use of SMEDTEC OS, SMEDTEC Ltd shall provide reasonable assistance to the Controller in conducting such an assessment, including by providing information about its security measures, sub-processor arrangements, and data flows.

Section 12

Deletion & Return of Personal Data

12.1 Post-Termination Process

Upon expiry or termination of the Subscription, and at the Controller's request or at the end of the export window, SMEDTEC Ltd shall:

  1. Provide the Controller with a 30-day export window to retrieve Customer Data via the API or platform export features
  2. Delete all Personal Data from SMEDTEC OS active systems within 30 days of the end of the export window
  3. Ensure that Personal Data in encrypted backup systems is destroyed within a further 60 days
  4. Issue a written confirmation of deletion to the Controller upon request

12.2 Exceptions

SMEDTEC Ltd may retain Personal Data beyond the periods described above where required by applicable law, in which case SMEDTEC Ltd shall: (a) inform the Controller of the legal basis for retention; (b) limit the retained Personal Data to the minimum necessary; and (c) continue to apply the security measures in this DPA to the retained data.

12.3 Sub-processor Deletion

SMEDTEC Ltd shall procure that Sub-processors delete Personal Data in accordance with their respective DPAs upon SMEDTEC Ltd's instruction following the termination of the Customer's Subscription.

Section 13

Liability

13.1 DPA Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except that:

  • Nothing in this DPA or the Terms of Service limits or excludes a party's liability for any breach of Data Protection Laws to the extent that such limitation or exclusion is not permitted under applicable law
  • SMEDTEC Ltd shall be fully liable to the Controller for the acts and omissions of Sub-processors as if they were SMEDTEC Ltd's own acts and omissions, consistent with the Controller's ability to bring claims against SMEDTEC Ltd rather than Sub-processors directly

13.2 Regulatory Fines

Where a Supervisory Authority imposes a fine on the Controller that is attributable to SMEDTEC Ltd's breach of this DPA or Data Protection Laws, SMEDTEC Ltd shall indemnify the Controller for the portion of the fine directly attributable to SMEDTEC Ltd's breach, subject to the liability cap in the Terms of Service. This indemnity does not apply where the Controller is at fault.

Section 14

Term & Termination

This DPA commences on the date of acceptance of the Terms of Service and continues until all Personal Data processed under this DPA has been deleted or returned in accordance with Section 12. The DPA cannot be terminated independently of the Terms of Service.

In the event of any conflict between this DPA and the Terms of Service in respect of data protection matters, this DPA shall prevail.

Section 15

AI Act Compliance

15.1 Roles under the AI Act

SMEDTEC Ltd acts as Provider of the AI Systems integrated into the SMEDTEC OS platform within the meaning of Article 3(3) of the AI Act. SMEDTEC Ltd is also a Deployer of GPAI Models supplied by Anthropic, PBC. The Customer is itself a Deployer of those AI Systems within its own organisation, with the obligations applicable to Deployers under the AI Act.

15.2 Risk Classification

SMEDTEC Ltd has assessed the AI Systems integrated into the platform under the AI Act and classifies them as Limited Risk. The classification analysis confirms that none of the AI Systems are prohibited under Article 5, are subject to the high-risk regime under Annex I or Annex III, or perform any of the functions described in Articles 50(3) or 50(4). The transparency obligations under Articles 50(1) and 50(2), and the AI literacy obligation under Article 4, apply to SMEDTEC Ltd. The classification assessment is recorded in an internal document (ISMS-AIR-001) which SMEDTEC Ltd will make available to the Customer on reasonable request, subject to confidentiality.

15.3 Transparency to Users

SMEDTEC Ltd discloses to users of the platform that they are interacting with an AI System before any AI output is shown, in accordance with Article 50(1) of the AI Act. AI-generated content within the platform is marked through visible labelling and machine-readable provenance fields, in accordance with Article 50(2). The form of such marking will follow the AI Office Code of Practice on transparency of AI-generated content as it is finalised and adopted.

15.4 No Autonomous Decisioning

The AI Systems within the platform are designed to support, not replace, the Customer's regulatory professionals. Outputs of the AI Systems are advisory, are presented for human review, and are not used by SMEDTEC Ltd to make autonomous decisions about the Customer's products, regulatory pathways, or compliance status.

15.5 GPAI Provider Documentation

Anthropic, PBC is the provider of the GPAI Models used by the platform and is responsible for the GPAI provider obligations under Chapter V of the AI Act. SMEDTEC Ltd retains evidence of Anthropic's GPAI compliance (technical documentation, training data summaries, copyright policy, where published) and will share relevant information with the Customer on reasonable request, subject to Anthropic's confidentiality terms.

15.6 Customer Obligations as Deployer

The Customer remains responsible for its own obligations as a Deployer of the AI Systems within its organisation, including (without limitation): (a) ensuring that its own staff have a sufficient level of AI literacy under Article 4; (b) using the AI Systems within their intended purpose as documented in the platform's User Guide; (c) exercising human oversight in accordance with the Customer's own quality and regulatory procedures; and (d) refraining from using AI outputs as a substitute for the regulatory judgement required of a competent person under applicable medical device legislation.

15.7 Updates to AI Features

SMEDTEC Ltd will inform the Customer in advance of material changes to the AI Systems integrated into the platform that affect the categories of personal data processed, the role of SMEDTEC Ltd under the AI Act, or the risk classification recorded under Section 15.2. Minor changes that do not affect those matters may be deployed without advance notice but will be reflected in the next periodic update of the User Guide.

15.8 Serious Incident Cooperation

Where a serious incident within the meaning of Article 73 of the AI Act involves an AI System integrated into the platform, the parties shall cooperate in providing information necessary to support any reporting obligation owed by either party to the relevant market surveillance authority.

Schedule 1

Processing Details

ItemDetail
Subject matter Processing of personal data submitted to SMEDTEC OS by or on behalf of the Customer in the course of using the regulatory project management and operations platform.
Duration For the term of the Customer's Subscription plus the post-termination data retention period described in Section 12.
Nature of processing Collection, storage, retrieval, display, organisation, analysis (including AI-assisted analysis), transmission, and deletion of personal data in connection with providing the Services.
Purpose of processing To provide SMEDTEC OS — a regulatory project management and operations platform — to the Customer and its authorised Users.
Categories of personal data User account data: Full name, email address, job title, role, profile avatar, last login timestamp, notification preferences.

Regulatory contact data: Names, contact details, and roles of Responsible Persons, Notified Body contacts, regulatory body contacts, and similar individuals included in regulatory documentation.

Collaboration data: Comments, @mentions, activity log entries, work item assignments — all of which may reference named individuals.

Authentication data: Hashed passwords and session tokens managed by Supabase Auth (not directly accessible to SMEDTEC Ltd).

Usage data: Feature usage patterns, AI feature usage logs (linked to user ID), error logs.
Special categories SMEDTEC OS is not designed to process special category personal data (Article 9 data). The Customer must not upload clinical patient data, health data identifying individuals, or other special category data to SMEDTEC OS without prior written agreement with SMEDTEC Ltd.
Categories of data subjects • Authorised Users of the Customer's SMEDTEC OS account
• The Customer's employees, contractors, and consultants whose details are included in Customer Data
• Third parties (e.g., regulatory contacts, Notified Body representatives) whose contact details are included in Customer Data by the Customer
Schedule 2

Approved Sub-processors

The following Sub-processors are approved as of the Effective Date. SMEDTEC Ltd will notify the Controller of any changes to this list in accordance with Section 6.

Sub-processorService ProvidedProcessing LocationData Protection Contact / DPA
Supabase, Inc. Database hosting (PostgreSQL), authentication (Supabase Auth), file storage (Supabase Storage), and Edge Function runtime. Primary infrastructure layer for all Customer Data. EU (Ireland) by default; US available. Customer may request EU-only residency. [email protected] · supabase.com/privacy
Anthropic, PBC AI language model API (Claude) — used exclusively for AI-assisted features including the Notebook, document embeddings, and semantic search. Personal Data is processed in-session only and not retained for model training. Anthropic, PBC also acts as the provider of the general-purpose AI models used by the platform and is responsible for the GPAI provider obligations under Chapter V of the EU AI Act. United States. Transfer safeguarded by SCCs (EU) and UK IDTA. [email protected] · anthropic.com/privacy
Stripe, Inc. Payment processing and subscription management. Processes billing contact information and payment method data. SMEDTEC Ltd does not store payment card data. United States / Ireland. Stripe is PCI-DSS Level 1 certified. [email protected] · stripe.com/privacy
Vercel, Inc. Application hosting and content delivery network (CDN) for the SMEDTEC OS frontend. Processes request logs that may include IP addresses. Global CDN; primary compute in United States. Transfer safeguarded by SCCs. [email protected] · vercel.com/legal/privacy-policy
Sentry, Inc. Application error monitoring and performance tracking. Processes error logs and stack traces which may include limited personal data in the event of application errors. United States. Transfer safeguarded by SCCs and UK IDTA. [email protected] · sentry.io/privacy

SMEDTEC Ltd does not use third-party analytics platforms, advertising trackers, or marketing cookies. The only cookies placed by SMEDTEC OS are authentication tokens (strictly necessary) set by Supabase Auth.

Schedule 3

Technical & Organisational Security Measures

SMEDTEC Ltd implements the following security measures in respect of Personal Data processed through SMEDTEC OS:

Access Control

  • Row-Level Security (RLS) policies enforced by PostgreSQL on every database table, ensuring each Organisation's data is isolated at the database layer independent of application code
  • JWT-based authentication with session tokens managed by Supabase Auth; sessions invalidated on logout
  • Role-based access control within each Organisation (Admin / Member / Viewer); permissions enforced at both application and database levels
  • All AI and third-party API calls proxied through authenticated server-side Edge Functions — no client-side API keys exposed
  • Storage bucket access controlled by RLS — direct URL access to another organisation's files is not possible
  • SMEDTEC Ltd internal access to Customer Data is restricted to personnel with a legitimate operational need and is logged

Encryption

  • All data in transit encrypted via TLS 1.2 or higher
  • All data at rest encrypted by Supabase's AES-256 encryption at the storage layer
  • Backup data encrypted at rest
  • API keys stored as SHA-256 hashes only — full keys shown once at creation and never stored in plaintext

Integrity & Availability

  • Supabase Point-in-Time Recovery (PITR) enabled for database backups
  • Content hash recorded on every vault document upload — enabling detection of file tampering
  • Audit log recording all significant platform actions with user ID and timestamp; audit log is append-only and cannot be modified by users
  • Application error monitoring via Sentry for rapid detection and remediation of system failures

Incident Response

  • SMEDTEC Ltd maintains an incident response procedure for security incidents and Personal Data Breaches
  • Confirmed Personal Data Breaches notified to the Controller within 72 hours of SMEDTEC Ltd becoming aware
  • Security vulnerability disclosures accepted at [email protected] (subject line: "Security Disclosure")

Organisational Measures

  • Confidentiality obligations on all personnel with access to Customer Data
  • Sub-processor data processing agreements in place with all Sub-processors listed in Schedule 2
  • Regular review of security measures and practices
  • No third-party analytics, advertising cookies, or marketing tracking deployed in SMEDTEC OS
Data residency: EU-based data residency (all Customer Data stored in Supabase EU region, Ireland) is available on request for Customers with GDPR-specific requirements. Contact [email protected] to discuss data residency configuration during or after onboarding.
Version History

Version History

VersionDateSummary of Changes
1.1 28 April 2026 Added Section 15 (AI Act Compliance) and supporting definitions (AI Act, AI System, GPAI Model). Added cross-reference between Section 5.7 and Section 15. Recorded Anthropic, PBC as GPAI provider in Schedule 2.
1.0 1 March 2026 Initial publication.