Data Processing Agreement

UK GDPR Article 28 / DPA 2018 — last updated 2026-05-08. Forms part of the Terms of Service. By creating an account you accept the terms of this DPA where you are acting as a controller for any data you input that goes beyond your own personal account use.
Scope. Most users of PLAB 2 OSCE Trainer are individual candidates (data subjects in their own right). For those users we are a single controller. This DPA also covers the sub-processor relationships we maintain with OpenAI, Anthropic, Stripe, Cloudflare, Sentry, Resend, and the EU-region database host, regardless of which user side you are on.

1. Definitions

"UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. "DPA 2018" means the Data Protection Act 2018. "Controller", "processor", "personal data", "processing", "data subject", "personal data breach" and "supervisory authority" have the meanings given in UK GDPR Article 4.

2. Roles

For account-holder data and for transcripts/recordings generated within an individual account, plab2osce.ai acts as the controller. Where plab2osce.ai engages a sub-processor (Annex III), that sub-processor acts as a processor on plab2osce.ai's documented written instructions per Article 28(3) UK GDPR.

3. Subject matter, duration, nature, and purpose (Article 28(3))

See Annex I.

4. Categories of data subjects and personal data

See Annex I sections (B) and (C).

5. Processor's obligations

Each processor agrees to:

6. Security of processing (Article 32)

See Annex II — technical and organisational measures.

7. Personal data breach (Articles 33 and 34)

The processor will notify the controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification will include, where available: nature of the breach; categories and approximate number of data subjects and records concerned; likely consequences; measures taken or proposed.

8. International transfers

Where personal data is transferred outside the UK, the parties rely on:

For OpenAI (United States): we rely on the Standard Contractual Clauses (Module 2: controller-to-processor) plus the UK Addendum. Audio is transmitted over TLS, processed for transcription/synthesis, and not retained by OpenAI for model training under their API data policy.

9. Audits

The controller may, at its own cost and on at least 30 days' notice, request a copy of the processor's most recent SOC 2 Type II / ISO 27001 / equivalent attestation. On-site audit will be arranged only where reasonably required and where confidentiality and security are preserved.

10. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service.

11. Governing law

This DPA is governed by the laws of England and Wales.


Annex I — Description of processing

(A) Subject matter and duration

Provision of the PLAB 2 OSCE Trainer Service. Duration: for the term of the candidate's account, plus the retention windows set out in the Privacy Policy.

(B) Categories of data subjects

(C) Categories of personal data

No Article 9 special-category data is collected. The clinical content of role-play sessions is fictional and is not the candidate's own medical record.

(D) Frequency and nature of processing

Continuous (during sessions); batch (cron-based audio purge, lifecycle email scans, audit-log retention).

(E) Purpose

Run OSCE practice sessions; produce examiner feedback; manage subscriptions; enforce free-tier quotas; communicate transactional and lifecycle messages; investigate abuse and security incidents.

(F) Retention

See the Privacy Policy retention table.


Annex II — Technical and organisational measures (TOMs)

1. Pseudonymisation and encryption

2. Confidentiality, integrity, availability and resilience (Art. 32(1)(b))

3. Restoring availability (Art. 32(1)(c))

4. Regular testing (Art. 32(1)(d))

5. Access control

6. Sub-processor management

7. Personal data breach handling


Annex III — Authorised sub-processors

Sub-processor Service Country / region Transfer mechanism
OpenAI, L.L.C. Whisper STT, TTS USA SCC Module 2 + UK Addendum
Anthropic PBC Claude Haiku (patient AI), Claude Sonnet (examiner AI) USA SCC Module 2 + UK Addendum
Stripe Payments Europe Ltd Subscription + one-off billing Ireland (EU) + US group SCC + UK Addendum
Cloudflare, Inc. (R2) Audio object storage (EU bucket where feasible) EU + US SCC + UK Addendum
Sentry GmbH (EU region) Error and performance monitoring EU Intra-UK/EEA — adequacy
Supabase Inc. or Neon Inc. (EU region) Postgres database hosting EU SCC + UK Addendum where applicable
Resend Inc. Transactional and lifecycle email USA SCC Module 2 + UK Addendum

Material changes to this list will be notified at least 14 days in advance via the registered email address.

Questions or to request a counter-signed copy of this DPA: hi@plab2osce.ai