Supplier Due Diligence
Adding a supplier or third-party company
The Companies module tracks all organisations that process personal data on your behalf (processors), organisations you share data with (recipients), or organisations you jointly process with (joint controllers). Every supplier relationship should be recorded here.
How to add a company
1. Go to Dashboard → Companies.
2. Click + Add Company (bottom right).
3. Enter the Company Name and type (Processor, Recipient, Joint Controller, or Sub-processor).
4. Add the company's address, country, and primary contact name and email.
5. Set the DPA Status: In Place, Pending, Not Required, or Expired.
6. Click Save.
Company relationship types
- Processor — processes personal data solely on your instructions (e.g. your cloud hosting provider, payroll bureau). Must have a DPA.
- Sub-processor — a processor engaged by your processor (e.g. a cloud database used by your SaaS provider). Must be covered by your processor's DPA.
- Joint Controller — you and another organisation make decisions together about the purposes and means of processing (e.g. a shared clinical network). Requires a Joint Controller Agreement.
- Recipient — you share data with them for their own purposes (e.g. a clinical referral to another NHS Trust). Does not require a DPA but should be documented.
DPA status
UK GDPR Article 28 requires a written Data Processing Agreement with every processor. The DPA status field tracks this:
- In Place — DPA signed and current. Upload a copy using the Attachments panel.
- Pending — DPA requested but not yet returned.
- Not Required — the company is a recipient, not a processor.
- Expired — DPA in place but needs renewal (e.g. after a contract change).
⚠ Processing personal data with a processor who does not have a DPA in place is a direct violation of UK GDPR Article 28. Folelse will flag these relationships on your dashboard and in your Reports.