VPOP® PRO Mobile & Web Application Terms & Conditions of Use
Last updated: 31 July 2025
1. Interpretation
1.1 Definitions. In this Agreement the following capitalised terms have the meanings set opposite them unless the context otherwise requires.
| Term | Meaning |
|---|---|
| "Account" | the secure, individual user profile created by or for the Customer in order to access the App; |
| "Account Data" | the personal data and subscription information processed by the Supplier as controller for the administration of the Account; |
| "Affiliate" | any entity that directly or indirectly controls, is controlled by, or is under common control with a party; |
| "AI Features" | the artificial‑intelligence and machine‑learning functionality embedded in or made available through the App; |
| "App" | the VPOP® PRO software application (web and mobile), including all updates, enhancements, AI Features, documentation and other proprietary materials supplied by the Supplier; |
| "Business Day" | any day other than a Saturday, Sunday or public holiday in England when banks in London are open for business; |
| "Customer" | the natural or legal person that has entered into an Order for the App (also referred to as "you"); |
| "DPA" | the Data Processing Agreement set out in Annex C; |
| "Fees" | the charges payable by the Customer for the Subscription as specified in the Order; |
| "Intellectual Property Rights" | patents, trademarks, service marks, design rights, copyright (including rights in software), database rights, domain names, trade secrets, know‑how and any other rights of a similar nature existing anywhere in the world, whether registered or unregistered; |
| "Order" | the online or written ordering document (including any Enterprise Agreement) executed by the Customer which references and incorporates this Agreement; |
| "Patient Data" | veterinary clinical images, diagnostics and case information uploaded to the App by Users; |
| "Personal Data" | has the meaning given in the UK General Data Protection Regulation ("UK GDPR"); |
| "Subscription" | the time‑limited, fee‑bearing right to use the App granted to the Customer pursuant to Clause 6; |
| "Supplier" | VetSOS Education Ltd, incorporated in England & Wales under company number 10711944 (trading as "VPOP PRO"); |
| "Term" | the duration of this Agreement as set out in Clause 18; |
| "User" | an individual natural person authorised by the Customer to access and use the App under the Customer’s Subscription (including the Customer’s employees, contractors, students or other personnel) provided such person meets the eligibility requirements in Clause 3. |
1.2 Clause headings do not affect interpretation. The words including, includes, in particular or for example shall be construed as illustrative and shall not limit the sense of the preceding words.
2.1 The Order constitutes a binding contract between the Supplier and the Customer (the Parties). By (i) executing an Order, (ii) clicking Accept when prompted within the App, or (iii) otherwise accessing or using the App, the Customer accepts the terms of the Order in full.
2.2 Where a person acts on behalf of an organisation in making the Order, that person warrants that they have authority to bind that organisation and to enter into a binding contract pursuant to the Order.
3. Eligibility & Professional Responsibility
3.1 The App is not intended for consumers (as defined in the Consumer Rights Act 2015) and is intended solely for qualified veterinary professionals, veterinary students under direct supervision of their employer or primarily associated with veterinary work, or employees of veterinary practices acting within the scope of their employment. The Customer confirms that all Users meet these criteria.
3.2 The Customer remains responsible for verifying the clinical accuracy and suitability of any output generated by the App, including AI Features, before relying upon it in practice.
3.3 The App is a professional tool and is not directed at, nor intended for use by, individuals under the age of 17.
3.4 Pursuant to the UK Online Safety Act 2023 and the Information Commissioner’s “Age-Appropriate Design Code”, the Supplier operates an age‑gating policy based on professional email verification, licence checks and usage monitoring. The Customer shall ensure that Users comprise only persons aged 17 or over.
3.5 Where local law imposes a higher minimum digital-service age (for example, 21 in certain US states), that higher threshold shall apply to Users in the relevant territory.
3.6 The Supplier reserves the right to require documentary or technological proof of age (including identity or professional‑licence verification) and may suspend or terminate any Account where age eligibility cannot be demonstrated to the Supplier’s reasonable satisfaction.
3.7 If the Supplier becomes aware that Personal Data relating to a person under the applicable minimum age has been collected without lawful basis or parental authorisation, it shall erase such data without undue delay and may disable the associated Account.
4. Account Registration, Security & Prohibition on Account Sharing
4.1 Any Customer which is an organisation acquiring multiple licences shall ensure that each User who is assigned a licence creates a unique Account using an official email address provided and controlled by that Customer but used and accessed by the relevant User.
4.2 Each Subscription is personal to the named Customer and may not be shared, transferred or accessed concurrently by more than one individual nominated as the User. The Supplier employs session monitoring, IP geolocation and behavioural analytics to detect sharing. Where sharing is identified, the Supplier may, without prejudice to its other rights:
a. immediately suspend or terminate the affected Account(s);
b. invoice the Customer for additional seats covering the period of unauthorised access (calculated on a pro‑rata basis); and
c. claim damages and/or seek injunctive relief.
4.3 The Customer shall implement multi‑factor authentication ("MFA") where available. The Supplier shall not be liable for loss or damage arising from the Customer’s failure to comply with this Clause 4.
5. Acceptable Use
5.1 The Customer shall not, and shall procure that Users do not:
a. upload Patient Data containing Personal Data relating to human subjects;
b. use the App for activities that are unlawful, defamatory, obscene, infringing, harassing or otherwise objectionable;
c. attempt to gain unauthorised access to the App or its related systems;
d. probe, scan or test the vulnerability of the App without prior written consent; or
e. introduce malicious software or code.
5.2 The Supplier reserves the right to suspend access where, in its reasonable opinion, the Customer is in breach of this Clause 5.
6. Licence Grant & Subscription
6.1 Subject to payment of the Fees and compliance with this Agreement, the Supplier hereby grants the Customer a non‑exclusive, non‑transferable, revocable licence for the Term to permit Users to access and use the App for the Customer’s internal veterinary practice purposes.
6.2 The licence granted in Clause 6.1 does not include the right to: (a) resell or sublicense the App; (b) reverse engineer, decompile or disassemble the App except to the minimum extent permitted by applicable law; (c) remove proprietary notices; or (d) develop a competing product.
6.3 Subscription periods and renewal mechanics are set out in the Order. Unless otherwise stated, Subscriptions renew automatically for successive periods of equal length at the prevailing list price.
7. Fees & Payment
7.1 Fees shall be paid in the currency and by the method specified in the Order. All Fees are exclusive of VAT and other applicable taxes, which shall be added at the appropriate rate.
7.2 Without limiting all other rights and claims, the Supplier may suspend the Subscription if any Fees remain unpaid 14 days after the due date. Interest shall accrue on overdue sums at 4% per annum above the Bank of England base rate.
7.3 No refunds are provided for partial periods, save where required by law.
8. Support, Maintenance & Availability
8.1 The Supplier shall provide email‑based support during Business Hours and shall use reasonable endeavours to respond to support tickets within one Business Day.
8.2 The Supplier shall use commercially reasonable efforts to make the App available at least 99.5% of each calendar month, excluding scheduled maintenance (of which the Supplier shall give at least 24 hours’ notice) and emergency maintenance.
8.3 The Supplier may deploy Updates that it deems necessary to maintain the performance or security of the App. The Customer shall ensure that Users install the latest version without undue delay.
9. AI‑Powered Features
9.1 Functionality. The AI Features apply algorithmic models to Patient Data and other inputs to generate outputs including suggested implant sizes, measurements and narrative reports.
9.2 Data Use & Retention. To provide AI Features, the Supplier may transmit User inputs including Account Data, Patient Data and Personal Data to third‑party AI providers (currently OpenAI LLC and Anthropic PBC). Inputs and outputs are retained for a maximum of 30 days for debugging and safety unless the Customer or User opts out.
9.3 Model Improvement. De‑identified data sets may be used to improve algorithms, subject to the Customer’s right to object under Clause 12.6.
9.4 No Advice. AI outputs are provided for informational purposes only and are not a substitute for professional judgment. The Customer remains solely responsible for verifying accuracy and the Supplier shall not be liable for any loss or damage arising from the Customer’s use of AI functionality.
9.5 Fairness & Explainability. The Supplier audits models for performance bias.
10. Intellectual Property Rights
10.1 All Intellectual Property Rights in the App and AI models are and shall remain the exclusive property of the Supplier or its licensors.
10.2 The Customer retains ownership of Patient Data. The Supplier acquires no rights in Patient Data save the limited licence to process such data in accordance with this Agreement and the DPA.
11. Data Protection & Privacy
11.1 In respect of Account Data the Supplier acts as controller; in respect of Patient Data the Supplier acts as processor and the Customer acts as controller.
11.2 Each party shall comply with its obligations under applicable data‑protection laws, including the UK GDPR, EU GDPR and PIPEDA.
11.3 The Supplier shall:
a. process Patient Data only on documented instructions, including transfers to third countries;
b. implement appropriate technical and organisational security measures (ISO 27001, encryption in transit and at rest, least‑privilege access controls);
c. assist the Customer with data subject requests;
d. on termination delete or return Patient Data as set out in Clause 19; and
e. make available information necessary to demonstrate compliance and allow for audits not more than once per year upon 30 days’ notice.
11.4 The Customer authorises the Supplier to appoint the sub‑processors listed in Annex C. The Supplier shall impose data‑protection obligations on sub‑processors equivalent to those set out herein.
11.5 Where Patient Data is transferred outside the UK/EEA, the Supplier shall ensure that Standard Contractual Clauses or other appropriate safeguards are in place. Regional hosting options are available for Enterprise customers.
11.6 Requests or objections may be submitted to the DPO. The Supplier shall acknowledge within 48 hours and respond within 30 days.
11.7 The Supplier shall notify the Customer without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Patient Data.
11.8 Live Patient Data shall be erased within 30 days of written request or account closure; encrypted backups shall expire automatically after six (6) months. For enterprise clients, the Supplier may offer an accelerated 60‑day post‑termination deletion schedule in order to meet individual requirements.
12. Confidentiality
12.1 Each party shall keep confidential all information disclosed by or on behalf of the other that is marked or ought reasonably to be considered confidential, including Patient Data and the terms of this Agreement.
12.2 This Clause shall not apply to information which is or becomes public through no fault of the recipient, is received from a third party without breach of confidence or is required to be disclosed by law or competent authority.
13. Warranties
13.1 The Supplier warrants that:
a. it has the right and authority to enter into this Agreement;
b. the App will perform to a reasonable standard when used in accordance with this Agreement; and
c. it shall provide the App with reasonable skill and care.
13.2 Except as expressly set out in this Agreement, all warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded.
14. Liability
14.1 Nothing in this Agreement limits or excludes liability for:
a. death or personal injury caused by negligence;
b. fraud or fraudulent misrepresentation; or
c. any other liability that cannot be limited by law.
14.2 Subject to Clause 14.1, the Supplier’s total aggregate liability arising out of or in connection with this Agreement (including liability for negligence) shall be limited to the lesser of:
(i) £10,000; or
(ii) an amount equal to twice the Fees paid by the Customer in the 12 months preceding the event giving rise to the claim.
14.3 Subject to Clause 14.1, neither party shall be liable for: loss of profit, loss of revenue, loss of goodwill, loss of anticipated savings, loss of data, or any indirect or consequential loss.
15. Indemnity
15.1 The Customer shall indemnify, defend and hold harmless the Supplier against any claim arising from:
a. Patient Data infringing a third party’s Intellectual Property Rights or privacy rights;
b. unauthorised account sharing; or
c. the Customer’s breach of Clause 5.
16. Force Majeure
Neither party shall be in breach nor liable for delay or failure to perform where such delay or failure results from an event beyond its reasonable control, including acts of God, epidemic, lockdowns, war, terrorism, civil commotion, flood, fire, or failure of suppliers or sub‑contractors.
17. Assignment & Sub‑Contracting
17.1 The Customer may not assign, novate or subcontract any rights or obligations under this Agreement without the Supplier’s prior written consent.
17.2 The Supplier may assign or transfer its rights and obligations to an Affiliate or as part of a bona fide corporate reorganisation, sale of assets or merger.
18. Term & Termination
18.1 This Agreement commences on the Effective Date and continues for the initial Subscription term set out in the Order.
18.2 Either party may terminate:
a. for convenience on 30 days’ written notice to expire at the end of the then‑current Subscription period;
b. immediately if the other party commits a material breach incapable of remedy; or
c. on 14 days’ notice if the other party commits a remediable material breach and fails to remedy within that period.
18.3 The Supplier may suspend access with immediate effect if: (i) the Customer is in payment default; or (ii) suspension is necessary to mitigate a security risk; or (iii) for any other reason relating to the Customer’s conduct.
19. Consequences of Termination
19.1 Upon termination:
a. all licences granted hereunder shall immediately cease;
b. the Customer shall uninstall and cease all use of the App;
c. the Customer shall pay all outstanding Fees; and
d. data deletion shall proceed in accordance with Clause 11.8.
19.2 Clauses intended to survive (including Clauses 10, 11, 12, 14, 15, and 27) shall continue in force.
20. Variation
The Supplier may amend this Agreement by giving the Customer at least 30 days’ written notice. Continued use after the effective date constitutes acceptance. If the Customer objects, it may terminate before the variation takes effect and receive a pro‑rata refund of prepaid, unused Fees.
21. Severability
If any provision is held by a court to be invalid or unenforceable, the remaining provisions shall remain in full force. The Parties shall negotiate a replacement provision that is lawful and reflects the original intent.
22. Waiver
No failure or delay by either party to exercise any right or remedy shall operate as a waiver of that or any other right or remedy.
23. Entire Agreement
This Agreement (together with the Order and its Annexes) constitutes the entire agreement between the Parties and supersedes all prior understandings.
24. Third‑Party Rights
Save for Affiliates of the Supplier, a person who is not a party to this Agreement shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term.
25. Notices
Notices under this Agreement shall be in writing and delivered by hand, courier or recorded delivery to the address stated in the Order (or such other address as notified). Email notices are only valid where expressly permitted herein.
26. Governing Law & Jurisdiction
This Agreement and any dispute arising out of it shall be governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction, save that the Supplier may seek injunctive relief in any competent court.
27. Separate Policies
ANNEX A – Region‑Specific Terms
The provisions set out in this Annex apply in addition to the main body of the Agreement where the Customer or a User is established, or the Patient Data is processed, in the relevant territory. Where there is any conflict between this Annex and the main body of the Agreement, this Annex shall prevail to the extent of that conflict.
A1. European Union / European Economic Area ("EU/EEA")
A1.1 Consumer Rights Directive – Where the Customer is a consumer resident in the EU, the 14‑day "cooling‑off" right of withdrawal under Directive 2011/83/EU applies to the initial Subscription purchase only, provided that the Customer has not begun to download, stream or otherwise access the App during that period.
A1.2 Data Protection – Processing is subject to Regulation (EU) 2016/679 (GDPR). The Parties shall comply with Articles 28 to 36 and execute the European Commission’s Standard Contractual Clauses where Patient Data is transferred outside the EEA.
A1.3 Medical Devices – The App is classified as veterinary practice management software and is not a medical device under Regulation (EU) 2017/745. It must not be relied upon as the sole basis for clinical decisions.
A2. United Kingdom ("UK")
A2.1 Consumer Rights Act 2015 – This Agreement is not for use by consumers although, in the event that a consumer contracts with the Supplier, nothing in the Agreement limits any statutory rights to receive digital content that is of satisfactory quality, fit for purpose and as described.
A2.2 UK GDPR and Data Protection Act 2018 – References in the Agreement to GDPR shall be construed as references to the UK GDPR where the processing falls within the territorial scope of UK law.
A2.3 Medicines and Healthcare Products Regulatory Agency (MHRA) – The App is not a regulated medical device. Should future functionality fall within MHRA scope, the Supplier will obtain the requisite UKCA mark before release.
A3. United States of America – State‑by‑State Addendum
A3.1 California – CCPA/CPRA.
a. The Supplier acts as a "Service Provider" and will not "sell" or "share" Personal Information as those terms are defined in the California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020.
b. Californian consumers have the right to know, delete, correct and opt‑out; requests shall be responded to within 45 days.
A3.2 Virginia – VCDPA. The Supplier acts as a "Processor"; the Customer, where acting as controller, may issue binding processing instructions.
A3.3 Colorado – CPA, Connecticut – CTDPA, Utah – UCPA. The Supplier shall provide reasonable assistance to enable the Customer to honour consumer access, deletion, correction and portability requests within the statutory time limits.
A3.4 New York SHIELD Act – Where the Customer is established in New York or Patient Data relates to New York residents, the Supplier shall implement the reasonable safeguards required by the Act.
A3.5 Federal FDA / CVM – The App is categorised as clinical decision support for veterinary use; it is not currently subject to FDA pre‑market clearance.
A4. Canada
A4.1 PIPEDA – The Supplier adheres to the ten Fair Information Principles. Breach notification to the Office of the Privacy Commissioner of Canada (OPC) and affected individuals shall occur "as soon as feasible" and in any event within 72 hours where there is a real risk of significant harm.
A4.2 Provincial Health Privacy – Where the Customer uploads data regulated by PHIPA (Ontario) or similar laws, the Customer represents that it has obtained all necessary consents.
A4.3 Data Localisation – Enterprise clients may request that primary storage and disaster‑recovery copies be hosted in an AWS Canada region.
A5. Australia & New Zealand
A5.1 Australia – Privacy Act 1988 & Australian Privacy Principles (APPs) – The Supplier will not use or disclose Personal Information for direct marketing unless APP 7 requirements are met.
A5.2 Australian Consumer Law (ACL) – Digital services come with non‑excludable guarantees. Where the App fails to comply, the Customer is entitled to a remedy under ACL.
A5.3 New Zealand – Privacy Act 2020 – Cross‑border disclosures will be made only where the receiving country provides comparable safeguards or with express authorisation under Information Privacy Principle 12.
A6. Singapore
A6.1 Personal Data Protection Act 2012 (PDPA) – The Supplier shall obtain consent or rely on an exception under the PDPA before collecting, using or disclosing Singapore residents’ Personal Data.
A6.2 Data Breach Notification – Notifiable data breaches affecting 500 or more individuals, or with likely serious harm, will be reported to the Personal Data Protection Commission (PDPC) as soon as practicable and to affected individuals within three calendar days.
A7. Japan
A7.1 Act on the Protection of Personal Information (APPI) – The Supplier will not provide Personal Data to third parties in Japan without the prior consent of the data subject unless permitted under APPI Article 27.
A7.2 Anonymised Processing Information – Where the Supplier creates anonymised data sets for AI model improvement, it will comply with the specification and publication requirements of APPI Articles 36‑39.
A7.3 Consumer Contract Act – Nothing in the Agreement shall be interpreted so as to unfairly disadvantage a consumer within the meaning of the Act.
This Annex is reviewed quarterly and updated to reflect legislative amendments. An archive of previous versions is available on request.
ANNEX B – Privacy Notice
This Privacy Notice applies to the processing of Personal Data by VetSOS Education Ltd ("VPOP PRO", "we", "us" or "our") through the VPOP PRO App and related services. It is drafted to meet the information requirements of Articles 13 and 14 of the UK GDPR and EU GDPR and equivalent provisions in other jurisdictions.
VetSOS Education Ltd (Company No. 10711944)
Registered Address: Column House, London Road, Shrewsbury, SY2 6NN, United Kingdom
Email: enquries@vpop‑pro.com
Data Protection Officer (DPO): Shreya Parashar
2. Categories of Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, professional e‑mail, postal address, licence number, subscription tier, payment history | You / your employer |
| Authentication Data | Encrypted password hash, MFA token, session ID, IP address | Generated during log‑in |
| Usage Data | Feature interaction logs, click‑stream, error reports, crash dumps | Automatically collected |
| Device Data | Device type, OS version, browser/SDK, screen resolution | Automatically collected |
| Communications | Support emails, in‑app chat transcripts, feedback forms | You |
| AI Interaction Logs | Prompts, outputs, model telemetry | You / generated |
| Patient Data (may contain Personal Data relating to animal owners) | DICOM images, clinical notes, owner initials, contact details | You / third‑party integrators |
We do not intentionally collect special‑category data about humans. If such data is inadvertently uploaded, it will be processed strictly as instructed by you and deleted on request.
3. Purposes and Legal Bases for Processing
| Purpose | Description | Legal Basis (UK/EU) |
|---|---|---|
| Account Set‑up & Billing | Create and administer your Account, process payments | Art 6(1)(b) contract performance |
| App Provision | Deliver core functionality, AI Features, updates, support | Art 6(1)(b) contract performance |
| Security & Fraud Prevention | MFA, intrusion detection, abuse monitoring | Art 6(1)(f) legitimate interests (security) |
| Analytics & Product Improvement | Aggregate usage metrics, debug errors, model training (with de‑identification) | Art 6(1)(f) legitimate interests (improve services) |
| Marketing (B2B) | Send newsletters and product updates | Art 6(1)(f) legitimate interests* / consent where required |
| Regulatory Compliance | Tax, accounting, legal obligations | Art 6(1)(c) legal obligation |
| Data Subject Requests | Respond to rights requests under GDPR et al. | Art 6(1)(c) legal obligation |

* For EU/UK recipients, electronic direct marketing is sent only with opt‑in consent (PECR / e‑Privacy Directive).
4. Recipients and International Transfers
Cloud Hosting: Amazon Web Services (AWS), Digital Ocean – global regions.
AI Infrastructure: OpenAI LLC (USA), Anthropic PBC (USA).
CRM & Support: Zoho Corporation Pvt Ltd (USA/India/EU).
Payments: Stripe Inc. / Stripe Payments UK Ltd.
When transferring Personal Data outside the UK/EEA we rely on Standard Contractual Clauses or an adequacy decision. A copy of the SCCs is available on request.
5. Retention Periods
| Data Set | Retention in Live Systems | Retention in Back‑ups |
|---|---|---|
| Account & Billing Records | Duration of Subscription + 6 years (statutory) | 6 months |
| Patient Data | Duration of Subscription or 30 days after deletion request | 6 months |
| AI Logs | 30 days | n/a (excluded from back‑ups) |
| Support Tickets | 3 years from closure | 6 months |
| Marketing Preference Logs | Until opt‑out + 2 years | 6 months |
6. Automated Decision‑Making / Profiling
The App uses rule‑based heuristics to flag potential account‑sharing or suspicious log‑ins. These measures do not produce legal or similarly significant effects on individuals; they simply trigger a manual review by our security team.
7. Your Rights
Subject to conditions and exemptions, you have the following rights:
Access – obtain a copy of your Personal Data.
Rectification – correct inaccurate or incomplete data.
Erasure – request deletion where processing is no longer necessary.
Restriction – request restricted processing pending verification.
Portability – receive data in a structured, machine‑readable format.
Object – object to processing based on legitimate interests or direct marketing.
Withdraw Consent – at any time where processing is based on consent.
Complaint – lodge a complaint with a supervisory authority (e.g., the ICO in the UK, your national data protection authority in the EEA, the OPC in Canada, the PDPC in Singapore, the PCPD in Hong Kong, etc.).
We respond within one calendar month (extendable by two months for complex requests).
8. Source of Data (Article 14 GDPR)
Where we receive Personal Data about you from third parties (e.g., your employer, payment provider, or integrator), we process it in accordance with this Notice and for the purposes set out in Section 3.
9. Data Security Measures
ISO 27001‑certified hosting centres
TLS 1.2+ encryption in transit and AES‑256 at rest
Role‑based access control, MFA for staff
Quarterly penetration testing and annual SOC 2 Type II audits
Incident‑response plan aligned with ISO 27035
10. Changes to This Notice
We may update this Notice periodically. Material changes will be notified via e‑mail and in‑App banner at least 30 days before they take effect.
For any queries about this Notice or your Personal Data, please contact our DPO using the details above.
ANNEX C – Data Processing Agreement (GDPR Art 28 Compliant) Controller-to-Processor
This Annex forms part of the Agreement for the purposes of Article 28 UK GDPR/EU GDPR and sets out the mandatory data-processing clauses between the Customer (the “Controller”) and VetSOS Education Ltd (the “Processor”).
1. Subject-Matter, Nature and Purpose of Processing
| Item | Description |
|---|---|
| Subject-Matter | The provision of the VPOP PRO App and related services under the Agreement. |
| Nature | Hosting, storage, retrieval, machine-learning processing, transmission, backup and deletion of Personal Data. |
| Purpose | To enable veterinary professionals to plan and manage orthopaedic cases, including AI-driven measurements, templating and reporting, and to provide support and maintenance. |
| Duration | From the Effective Date until deletion or return of the Personal Data in accordance with Clause 11 below. |
2. Types of Personal Data and Categories of Data Subject
| Types of Personal Data | Categories of Data Subject |
|---|---|
| Account Data (names, business contact details, licence numbers); Authentication data; Usage logs; Patient Data (DICOM images, clinical notes, owner initials, limited contact information) | Users (veterinary surgeons, technicians, students); Animal owners/pet guardians (incidental) |
The Controller shall not upload special-category data relating to humans save with a lawful basis and appropriate safeguards.
3. Processor Obligations
3.1 Instructions. The Processor shall process Personal Data only on the documented instructions of the Controller as set out in the Agreement, this Annex and any Order, unless required otherwise by applicable law. In such case the Processor shall inform the Controller before processing, unless the law prohibits such notice.
3.2 Confidentiality. The Processor shall ensure that all persons authorised to process Personal Data are subject to a duty of confidence.
3.3 Security. The Processor shall implement the technical and organisational measures described in Schedule 1 (Security Measures) and shall not materially diminish the protections during the Term.
3.4 Sub-Processors. The Controller grants general written authorisation for the engagement of sub-processors listed at https://vpop-pro.com/legal/sub-processors. The Processor shall impose data-protection obligations equivalent to those set out herein and shall remain liable for their acts and omissions. The Processor shall notify the Controller of any intended addition or replacement at least 15 days in advance, giving the Controller the opportunity to object on reasonable grounds.
3.5 Data Subject Rights. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise rights under the Data-Protection Laws.
3.6 Assistance with Compliance. The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIA and prior consultation) taking into account the nature of processing and information available to the Processor.
3.7 Records and Audit. The Processor shall maintain records required by Article 30(2) GDPR and, upon 30 days’ written notice no more than once per calendar year, make such records (or relevant extracts) available to the Controller and allow for audits conducted by the Controller or an auditor mandated by the Controller, provided such audits are subject to appropriate confidentiality obligations and conducted during business hours with minimal disruption.
3.8 Personal Data Breach. The Processor shall without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach notify the Controller and provide all information reasonably required to meet the Controller’s breach-notification obligations.
3.9 International Transfers. The Processor shall not transfer Personal Data outside the UK/EEA (or permit its sub-processors to do so) unless it has ensured that such transfer is in compliance with Data-Protection Laws, e.g., via an adequacy regulation, approved certification, Binding Corporate Rules or the relevant Standard Contractual Clauses.
3.10 Return and Deletion. At the choice of the Controller, the Processor shall delete or return all Personal Data after the end of the provision of services and delete existing copies within 60 days (encrypted backups within 6 months) unless storage is required by law.
3.11 Compliance Evidence. On request, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Annex.
4. Liability and Indemnity
Liability between the parties arising from this Annex shall be determined in accordance with Clause 14 of the Agreement.
5. Costs
Where the Controller’s requests for assistance under Clauses 3.5, 3.6 or 3.7 are manifestly unfounded or excessive, the Processor may charge reasonable costs (based on time and materials) for the provision of such assistance.
6. Precedence
In the event of inconsistency between this Annex and any other documents between the parties, this Annex shall prevail to the extent required by Data-Protection Laws.
Schedule 1 – Security Measures
The Processor shall maintain, and be able to demonstrate on request, an information-security programme that conforms to ISO/IEC 27001:2022 and incorporates the following technical and organisational measures (“TOMs”). Capitalised terms have the meanings given in the Agreement.
# | Control Domain | Measures Implemented |
1 | Governance & Policy Framework | • Board-approved Information-Security Management System (“ISMS”) certified to ISO/IEC 27001:2022. • Annual risk assessment covering confidentiality, integrity and availability of Personal Data. • Policies covering access control, acceptable use, cryptography, secure development, incident response, business continuity and supplier security; reviewed at least annually. |
2 | Human Resources Security | • Pre-employment vetting (identity, right-to-work, criminal-record and, for privileged roles, credit checks). • Contractual confidentiality and data-protection clauses. • Mandatory induction and annual refresher training on GDPR, secure-coding and phishing awareness. • Immediate revocation of logical and physical access on termination or role change. |
3 | Access Control & Identity Management | • Role-Based Access Control (“RBAC”) aligned to the principle of least privilege. • Multi-Factor Authentication (MFA) enforced for all administrative and developer accounts. • Federated SSO with conditional access policies (geo-IP, device posture). • Segregated production, staging and development environments; no live data in non-production. |
4 | Encryption & Key Management | • TLS 1.2/1.3 with forward secrecy for all data-in-transit (HTTPS, TLS-encrypted VPN for back-end links). • Data-at-rest encrypted using AES-256 (AWS KMS-managed Customer Master Keys). • Separate keys per environment; automatic rotation every 12 months or earlier upon risk triggers. • Strong hashing (bcrypt ≥ 12 rounds) + per-user salt for credentials. |
5 | Physical & Environmental Security | • Primary and DR workloads hosted in AWS and DigitalOcean Tier III-equivalent data centres with 24/7 manned security, CCTV, biometric access control, N+1 redundant power and cooling. • Processor offices protected by access-cards, intrusion alarms and secure disposal bins for confidential waste. |
6 | Operations, Logging & Monitoring | • Hardened OS baselines (CIS Benchmarks) and immutable infrastructure via infrastructure-as-code. • Centralised logging (AWS CloudTrail & CloudWatch) shipped to a SIEM with real-time correlation rules and 400-day retention. • Endpoint Detection & Response (EDR) on all servers and corporate laptops. • 24/7 security-operations monitoring with defined escalation paths. |
7 | Vulnerability & Patch Management | • Weekly vulnerability scanning of code repositories and container images; critical findings remediated within 48 hours, high within 7 days. • Annual external CREST-accredited penetration tests; executive summary available to Controllers under NDA. • Automated dependency-checking (SCA) during CI/CD pipeline; build fails on critical CVEs. |
8 | Secure Development & Change Control | • Secure-coding guidelines aligned to OWASP ASVS; mandatory code review and static-analysis gating. • Secrets held in AWS Secrets Manager / HashiCorp Vault; never hard-coded. • Changes tracked in Git with pull-request approval by at least two reviewers from separate teams. |
9 | Business Continuity & Disaster Recovery | • Documented Business Continuity Plan (“BCP”) and Disaster-Recovery Plan (“DRP”) aligned to ISO 22301; tested at least annually. • Data replicated across ≥ 2 AWS Availability Zones; automated daily backups retained for 30 days plus encrypted cold storage for 6 months. • Target Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 15 minutes. |
10 | Incident Response & Breach Notification | • Written Incident-Response Plan following ISO/IEC 27035 with triage, containment, eradication, recovery and post-incident review stages. • 24/7 incident hotline and on-call security engineer rota. • Breach notification to Controller within 48 hours of confirmation, including root-cause analysis and mitigation steps. • Post-incident lessons learned fed back into risk register. |
11 | Supplier & Sub-Processor Management | • Formal due-diligence checklist (security questionnaire, SOC 2/ISO 27001 verification) before onboarding. • Written DPAs with all sub-processors incorporating GDPR-equivalent TOMs. • Annual re-assessment and right to audit sub-processors on 30 days’ notice. |
12 | Compliance & Audit | • External audits for ISO 27001 certification, PCI-DSS SAQ A (for Stripe flows) and Cyber Essentials Plus. • Internal audit schedule covering each ISO 27001 Annex A domain at least once every 18 months. • Management review and continual-improvement cycle documented in ISMS portal. |
Notes / Controller Options
If the Controller requires enhanced data-residency or sovereign-cloud options, the Processor can isolate all workloads to a single AWS region and disable cross-region replication on written request.
For Controllers subject to HIPAA, NHS DSP Toolkit or other sector-specific standards, an addendum with additional controls (e.g. audit-log immutability, PHI segregation) can be appended.
ANNEX D – Cookie Policy
This Cookie Policy explains how VetSOS Education Ltd (“VPOP PRO”, “we”, “us” or “our”) uses cookies and similar technologies on the VPOP PRO websites and applications (together, the “Platform”). It is drafted to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR.
1. What Are Cookies?
A cookie is a small text file placed on your device when you visit a website or use an application. Cookies perform various functions such as enabling the Platform to recognise your device, keeping you logged in and remembering your preferences.
2. Categories of Cookies We Use
Category | Purpose | Legal Basis |
Strictly Necessary | Required for core functionality such as session authentication, load balancing and fraud prevention. | Regulation 6(4) PECR (no consent required) |
Performance / Analytics | Collect aggregated information about how users interact with the Platform in order to improve performance and features. | Consent (Reg 6 PECR) |
Functionality | Remember choices you make (e.g. language, region) to enhance your experience. | Consent |
Advertising / Social Media | Track browsing habits to deliver relevant advertising or enable social-media plug-ins. Currently disabled by default. | Consent |
3. First-Party Cookies Set by Us
Cookie | Purpose | Expiry |
vpop_session | Maintains authenticated session state. | End of session |
csrf_token | Protects forms against CSRF attacks. | 2 hours |
cookie_preferences | Stores your cookie-consent choices. | 12 months |
ai_session | Enables continuity for in-App AI chat conversations. | 24 hours |
4. Third-Party Cookies
Provider | Cookie(s) | Purpose | Expiry |
Google Analytics | _ga, _gid, _gat | Site analytics and performance metrics. | 1 day – 24 months |
Stripe | __stripe_sid, __stripe_mid | Secure payment processing and fraud detection. | 30 minutes – 12 months |
Zoho SalesIQ | LS_CSRF_TOKEN, ZCAMPAIGN | Live-chat support and visitor insights. | End of session – 24 months |
Third-party cookies are subject to the respective provider’s privacy policies. We do not control these cookies and they may change over time.
5. Managing Cookies
You can manage or withdraw your cookie consent at any time by:
Cookie Banner
– Using the “Preferences” link in the cookie banner to toggle cookie categories on or off.
Browser Settings
– Blocking or deleting cookies via your browser. The Help function within your browser explains how. Note that blocking strictly necessary cookies may impair the Platform’s functionality.
Opt-Out Tools
6. Changes to This Policy
We may update this Cookie Policy from time to time to reflect technological or legal changes. Significant changes will be highlighted via a banner on the Platform for at least 30 days.
If you have any questions about our use of cookies, please contact us at info@vpop-pro.com.
© 2025 VetSOS Education Ltd. All rights reserved.