Data Processing Agreement

Effective 3 July 2026 · Version 1.0

The short version. The Platform holds no patient data, so this DPA has an unusually small scope: it covers the professional user data (accounts and Peer Exchange activity) and any organisation-level figures your organisation chooses to upload. No data-sharing agreement is required for the national performance analytics, which are built entirely on published open data.

1. Scope and roles

  • Out of scope: all national performance statistics on the Platform. These are aggregate, organisation-level open data published under the OGL and contain no personal data of patients.
  • In scope: personal data of the Customer's authorised users (account details such as name, work email and role, sign-in and usage records, and Peer Exchange content), and any aggregate organisational figures the Customer uploads to the Platform ("Customer Data"). Uploaded organisational figures are generally not personal data; where they incidentally contain any, this DPA covers it.
  • For in-scope data, the Customer is the controller and Nemora the processor. For the processing described in our Privacy Policy as our own (marketing enquiries, publicly sourced board member records), Nemora is the controller.

2. Details of processing

  • Subject matter and duration: provision of NHS Performance Intelligence for the subscription term.
  • Nature and purpose: hosting, authentication, service delivery, analysis of Customer-uploaded figures, support, and security.
  • Data subjects: the Customer's staff who use the Platform.
  • Categories of data: professional contact details, role, sign-in records, usage records, Peer Exchange profile and messages, and Customer-uploaded aggregate organisational figures. No special-category data and no patient data is required, requested, or permitted.

3. Nemora's obligations as processor

  • Process in-scope data only on the Customer's documented instructions (the Terms and order form constitute those instructions), unless required by law.
  • Ensure everyone we authorise to process it is bound by confidentiality.
  • Apply the technical and organisational measures described on our Security page (Article 32).
  • Notify the Customer without undue delay after becoming aware of a personal data breach affecting in-scope data, and assist with the Customer's obligations under Articles 33 to 36.
  • Assist the Customer, by appropriate measures, in responding to data-subject rights requests.
  • At the Customer's choice, delete or return in-scope data at the end of the subscription, and delete remaining copies within 90 days unless the law requires retention.
  • Make available information reasonably necessary to demonstrate compliance, and allow for audits on reasonable notice, no more than once per year unless required by a regulator.

4. Subprocessors

The Customer gives general authorisation for the subprocessors listed on our Subprocessors page. We will give at least 30 days' notice of additions or replacements, during which the Customer may object on reasonable data-protection grounds. Every subprocessor is bound by terms equivalent to this DPA.

5. International transfers

In-scope data is hosted in the UK/EU where available. Any transfer outside the UK relies on adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.

6. Liability and order of precedence

Liability under this DPA is subject to the limits in the Terms of Service. If this DPA conflicts with the Terms on data-protection matters, this DPA prevails.

7. Governing law

England and Wales.