CENTRIM LIFE LTD – TERMS & CONDITIONS (UK)

Company Number: 16529540

Registered Office: Victory House, 400 Pavilion Drive, Northampton Business Park, Northampton, NN4 7PA

1. DEFINITIONS

In these Terms:

"Centrim Life", "we", "our", "us" means Centrim Life Ltd.
"Customer", "you", "your" means the organisation entering into these Terms to access the Services.
"Services" means the Centrim Life SaaS platform and associated modules including: Dining, Maintenance & Housekeeping, CRM, Lifestyle, Visitor Management, Concierge, Feedback & Compliance.
"Authorised Users" means individuals permitted by the Customer to access the Services.
"Order Form" means a signed or electronically accepted agreement specifying the modules, fees, and term.
"Documentation" means user guides, specifications, policies, and manuals provided by Centrim Life.
"Data" means all information input into the Services by the Customer or its Authorised Users.

2. AGREEMENT STRUCTURE

These Terms govern your use of the Services and apply together with:

The Order Form
The Data Processing Agreement (DPA)
The GDPR, Data Storage, and Backup Policy
Any additional module-specific schedules

In the event of conflict, the following order of precedence applies:

Order Form
DPA
These Terms
Documentation

3. USE OF THE SERVICES

3.1 Licence

Centrim Life grants the Customer a non-exclusive, non-transferable, UK-only licence to use the Services for internal business purposes during the Subscription Term.

3.2 Authorised Users

The Customer is responsible for:

Ensuring login credentials are kept confidential
Ensuring only authorised staff access the platform
All actions taken using its accounts

3.3 Restrictions

You must not:

Attempt to reverse engineer, copy, or modify the Services
Use the platform for unlawful, harmful, or unethical purposes
Introduce malware or malicious code
Use the system to store clinical health records unless supported via approved integrations

4. CUSTOMER RESPONSIBILITIES

The Customer must:

Ensure all data entered into the system is accurate and lawful
Manage access rights and remove users who no longer require access
Comply with applicable UK data protection laws (including UK GDPR)
Provide timely feedback, approvals, and inputs to support onboarding and configuration
Ensure adequate network infrastructure and internet access

5. CENTRIM LIFE RESPONSIBILITIES

Centrim Life shall:

Provide the Services in accordance with industry standards
Maintain technical and organisational security measures
Ensure UK-based hosting and data residency
Provide reasonable support during business hours
Maintain system functionality, updates, and improvements
Notify the Customer of material service changes or downtime

6. SERVICE LEVELS

6.1 Availability

Centrim Life will use reasonable commercial efforts to ensure system availability, excluding:

Planned maintenance
Emergency maintenance
Events outside our reasonable control
Third-party outages (AWS, Postmark, etc.)

6.2 Support

Support is provided via:

Email
In-app ticketing (via Gleap)
Phone (where agreed)

Support hours: Monday–Friday, 9am–5pm UK time, excluding UK public holidays.

7. FEES & PAYMENT

7.1 Fees

Fees are as stated in the Order Form and may be based on:

Number of care home beds
Number of retirement village units
Modules selected
Implementation services
Training services

7.2 Payment Terms

Invoices payable within 30 days of issue
Late payments may incur interest under the Late Payment of Commercial Debts (Interest) Act 1998
Non-payment may lead to service suspension

7.3 Price Adjustments

Annual price adjustments may occur with 60 days' written notice.

8. DATA PROTECTION

8.1 Compliance

Both Parties will comply with the UK GDPR and Data Protection Act 2018.

8.2 DPA

Any processing of Personal Data shall be governed by the Centrim Life–Customer DPA (v1.4).

8.3 Data Residency

All Customer Data is stored within the United Kingdom.

9. INTELLECTUAL PROPERTY RIGHTS

Centrim Life retains all IP rights in the platform, software, logos, documentation, and related materials.
The Customer owns all Data it enters into the system.
The Customer must not copy, replicate, or create derivative works based on Centrim Life.

10. CONFIDENTIALITY

Each Party shall keep confidential all business, commercial, technical, and personal information obtained from the other Party unless:

Required by law
Required for performance of the Agreement
The information becomes public through no fault of the receiving Party

11. TERM & TERMINATION

11.1 Term

The Agreement runs for the Subscription Term defined in the Order Form.

11.2 Termination by Either Party

Either Party may terminate for:

Material breach not remedied within 30 days
Insolvency

11.3 Effect of Termination

Upon termination:

Customer access to the Services will cease
Data will be deleted in accordance with the DPA
No refunds are provided for unused periods unless stated otherwise

12. SUSPENSION OF SERVICE

Centrim Life may suspend access if:

Payment is overdue
Security incidents require action
Use of the service breaches these Terms
The Customer engages in behaviour that degrades system performance

13. WARRANTIES

Centrim Life warrants that:

It will provide the Services with reasonable skill and care
The Services will function substantially as described in the Documentation

The Customer warrants that:

It has lawful grounds for all data entered into the Services
It will comply with applicable laws and regulations

14. LIMITATION OF LIABILITY

To the fullest extent permitted by law:

Centrim Life is not liable for indirect, consequential, or economic losses
Liability for direct losses is limited to 12 months of Fees paid
Nothing limits liability for fraud or death/personal injury caused by negligence

15. CHANGES TO THESE TERMS

Centrim Life may amend these Terms by providing 30 days' written notice.

16. GOVERNING LAW

These Terms are governed by the laws of England and Wales.
The courts of England and Wales have exclusive jurisdiction.

17. CONTACT DETAILS

Centrim Life Ltd
Victory House,
400 Pavilion Drive,
Northampton Business Park,
Northampton, NN4 7PA

Email: support@centrimlife.co.uk
Phone: +44 (0) 1604 279636

CENTRIM LIFE LTD – PRIVACY POLICY (UK)

Company Number: 16529540

Registered Office: Victory House, 400 Pavilion Drive, Northampton Business Park, Northampton, NN4 7PA

Centrim Life Ltd ("Centrim Life", "we", "us", "our") is committed to protecting the privacy and security of personal data processed through:

The Centrim Life SaaS platform
The Centrim Life mobile and web applications
The Centrim Life corporate website (centrimlife.co.uk)

This Privacy Policy explains how we collect, use, store, and secure your personal data.

1. WHO WE ARE (DATA CONTROLLER / DATA PROCESSOR)

Depending on how our platform is used:

1.1 When we are the Data Processor

For all personal data entered into the Centrim Life SaaS platform by care homes, retirement villages, or staff users, Centrim Life acts as a Data Processor under UK GDPR.

The organisation using Centrim Life (the care provider) is the Data Controller.

1.2 When we are the Data Controller

We act as the Data Controller when:

Collecting data through our website (contact forms, cookies, analytics, marketing forms)
Collecting data from prospective customers
Managing our own sales, billing, and support operations
Managing support tickets submitted via Gleap
Managing error logs via Flare App

2. PERSONAL DATA WE COLLECT

2.1 Data collected through the Centrim Life application (Processor)

Data is entered by the care provider and may include:

I. Resident Data (determined by the care provider)

Name, room/unit
Dietary needs, allergies
IDDSI texture requirements
Feedback or incident records
Any notes or operational details added by staff

(Special Category Data may be included depending on customer configuration)

II. Staff & User Data

Name, role, email, phone (if provided)
Login credentials (hashed passwords), permissions
Activity logs

III. Visitor Data

Name, contact information
Visit logs
Sign-in/sign-out timestamps

IV. Operational Data

Maintenance jobs
Housekeeping workflows
Dining orders
Lifestyle activities
Facility records

Centrim Life only processes this data under the customer's instructions.

2.2 Data collected through the website and marketing activities (Controller)

I. Contact & Communication Forms

Name
Email
Phone number
Organisation details
Message contents

II. Marketing communications

Email address
Preferences & consent logs

III. Website analytics & cookies

IP address
Device/browser information
Pages visited
Session duration
Referrer URL

We may use Google Analytics, server-level logs, and security logs.

IV. Support Tickets (Gleap)

User email (optional)
Screenshots
Diagnostic logs
Steps leading to the issue

V. Error Logging (Flare App)

Error details
Request URL
User ID (if present in context)
Technical device/browser metadata

3. HOW WE USE PERSONAL DATA

3.1 As a Data Processor

We process data strictly to:

Provide the SaaS application
Support operational workflows
Maintain system security
Provide technical support

We do not use customer data for marketing, profiling, analytics, or any unrelated purpose.

3.2 As a Data Controller (for website & sales operations)

We process data to:

Respond to enquiries
Provide product demos
Send requested information
Improve the website
Maintain security and prevent misuse
Manage billing and customer account administration
Provide support services

3.3 Legal Bases

Depending on context:

Legitimate interests — responding to enquiries, securing systems
Performance of a contract — providing our services
Legal obligations — recordkeeping, finance
Consent — when subscribing to marketing emails

4. DATA SHARING & SUB-PROCESSORS

Centrim Life uses carefully selected sub-processors:

Sub-Processor	Purpose	Location
AWS UK (London Region)	Hosting, infrastructure, storage	United Kingdom
Postmark (EU/UK)	Transactional email delivery	EU/UK
Gleap (EU)	In-app bug reporting & diagnostics	EU
Flare App (EU)	Error logging & crash reporting	EU
Centrim Life Pty Ltd (UK-bound access only)	Technical support	Access only to UK systems
E-Caret Solutions (UK-bound access only)	Technical support & development assistance	Access only to UK systems

We do not sell or share personal data with advertisers.
We do not transfer application or resident data outside the UK.

5. INTERNATIONAL TRANSFERS

All application data is stored exclusively within the United Kingdom.
Sub-processor services run in UK or EU data centres (GDPR adequate).
Centrim Life Pty Ltd and E-Caret Solutions staff access only UK-hosted systems and no data is stored offshore.
No international transfers occur under Chapter V UK GDPR.

6. DATA RETENTION

6.1 Application data (Processor)

Retention is determined by the Customer (Data Controller).

After termination:

Live data deleted within 30 days
Backups deleted within 30–60 days
Destruction certificate issued

6.2 Website, sales & support data (Controller)

Contact form enquiries: 24 months
Marketing email lists: until unsubscribe
Website analytics: 26 months
Support tickets: 12 months
Error logs: 30–90 days

7. SECURITY MEASURES

Centrim Life enforces:

UK-only hosting (AWS London)
Encryption at rest (AES-256)
Encryption in transit (TLS 1.2+)
Access control with MFA & SSO
Role-based access control (RBAC)
Network-level firewalls & WAF
Vulnerability scanning & pen testing
Audit logging and monitoring
Strict least-privilege access
Disaster recovery with RTO 1 hour, RPO 4 hours.

8. YOUR RIGHTS

Under UK GDPR you have rights to:

Access your data
Correct inaccurate data
Request erasure
Restrict processing
Object to processing
Data portability
Withdraw consent (marketing emails)

To exercise rights, contact: privacy@centrimlife.co.uk

Requests relating to data inside customer systems must be directed to the care provider who acts as Data Controller.

9. COOKIES

We use cookies for:

Essential website functionality
Analytics (Google Analytics / server logs)
Security and fraud prevention
Performance optimisation

Users can manage cookies via browser settings.

A full cookie policy can be generated separately.

10. CHILDREN'S DATA

Centrim Life does not target or market to children.
Resident data is entered by the care provider in compliance with safeguarding and lawful basis requirements.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy periodically.
Changes will be posted on our website with the updated effective date.

12. CONTACT US

For privacy requests or concerns:

Data Protection Officer
Centrim Life Ltd
Victory House
400 Pavilion Drive
Northampton Business Park
Northampton, NN4 7PA

Email: privacy@centrimlife.co.uk

Phone: +44 (0) 1604 279636

CENTRIM LIFE LTD - DATA GOVERNANCE SUMMARY

Company Number: 16529540

Registered Office: Victory House, 400 Pavilion Drive, Northampton Business Park, Northampton, NN4 7PA

Centrim Life Ltd operates a robust data governance framework to ensure the confidentiality, integrity, availability, and lawful processing of data across all Centrim Life SaaS modules (Dining, Maintenance, Housekeeping, CRM, Lifestyle, Visitor Management, Concierge, Feedback & Compliance).

This summary provides an overview of how personal data and operational records are governed within our UK environment.

1. GOVERNANCE OVERVIEW

Centrim Life maintains data governance practices aligned to:

UK GDPR (Data Protection Act 2018)
ICO Security and Accountability Framework
Care-sector standards (CQC expectations, Digital Social Care guidance)
NIST & ISO 27001 principles (risk, access control, DR/BCP)

Our governance includes:

Clear data ownership and accountability
Transparent processing purposes
Strong access and identity controls
Continuous monitoring and audit logging
UK data residency

2. DATA OWNERSHIP & ROLES

2.1 Customer (Care Provider) – Data Controller

Determines what data is entered
Controls retention, deletion, and data subject rights
Manages internal user roles and permissions

2.2 Centrim Life Ltd – Data Processor

Processes data only on the Controller's documented instructions
Implements technical and organisational safeguards
Ensures data is not used for any secondary purpose
Ensures data remains within the UK

2.3 Sub-Processors

Approved sub-processors include:

AWS UK (London Region) – hosting & infrastructure
Postmark – transactional email (EU/UK)
Gleap – support diagnostics (EU)
Flare App – error logging (EU)
Centrim Life Pty Ltd – UK-bound technical support access only
E-Caret Solutions – UK-bound technical support & development access only

Each sub-processor is contractually bound under Article 28 UK GDPR and subject to ongoing risk assessment.

3. DATA COLLECTION & PROCESSING PRINCIPLES

Centrim Life governs data using the seven principles of UK GDPR:

Lawfulness, fairness, transparency
Purpose limitation – only used to deliver the service
Data minimisation
Accuracy
Storage limitations
Integrity & confidentiality (security)
Accountability – evidence-based governance

We do not collect unnecessary information and do not process data for analytics or marketing unless explicitly instructed by the Controller.

4. DATA STORAGE & RESIDENCY

4.1 Location

All primary data, backups, logs, files, and system metadata are stored exclusively in the United Kingdom on AWS London Region (eu-west-2).

4.2 UK Data Residency Enforcement

No data is transferred offshore
No non-UK backups
No international CDNs containing personal data
No offshore processing (including India)
Support access is strictly UK-bound

5. DATA SECURITY & ACCESS CONTROL

5.1 Security Measures

Centrim Life applies:

Encryption in transit (TLS 1.2+)
Encryption at rest (AES-256)
AWS WAF, GuardDuty, VPC isolation
Secure secrets management
Annual penetration testing
Vulnerability management & patching
SIEM-style monitoring and alerting

5.2 Access Control

Multi-factor authentication (MFA)
Identity-based access (SSO for admin)
Role-based access control (RBAC)
Least-privilege access principle
Logged, monitored, and time-limited privileged access

5.3 Staff Governance

All staff and partners with system access undergo:

Confidentiality agreements
Annual GDPR & security training
Background checks where appropriate
Access revocation on role termination

6. DATA RETENTION & DELETION

6.1 Application Data

Retention is defined and controlled by the Customer (Data Controller).

6.2 Centrim Life Deletion Commitments

Upon contract termination:

Live data removed within 30 days
Backups fully purged within 30–60 days
Destruction Certificate provided

Centrim Life does not provide CSV/JSON/database exports unless contractually agreed.

7. BACKUP, RESILIENCE & DISASTER RECOVERY

7.1 Backups

Daily encrypted backups
AWS UK-only storage
Multi-AZ redundancy
Point-in-time recovery (PITR)

7.2 Disaster Recovery

DR aligned with ISO 27001
Quarterly DR tests
Annual full-scenario DR simulation

RTO: 1 hour
RPO: 4 hours

8. DATA SUBJECT RIGHTS

For platform data, rights requests (access, erasure, rectification, restriction, portability, objection) are handled by the Controller.

For website and marketing data, Centrim Life (as Controller) processes rights requests at: dpo@centrimlife.co.uk

9. AUDIT & ACCOUNTABILITY

Centrim Life maintains:

Full audit logs
Change management controls
Documented security & governance policies
Data flow diagrams and risk assessments
Vendor risk reviews for all sub-processors

Customers may request audits subject to reasonable notice and conditions.

10. DATA BREACH MANAGEMENT

Centrim Life maintains an ICO-compliant breach response process:

Identification & containment
Root-cause analysis
Controller notification within 24 hours
Assistance with regulatory reporting
Post-incident review & remediation

11. OVERSIGHT & GOVERNANCE STRUCTURE

Centrim Life uses the following governance model:

Data Protection Officer – oversees UK GDPR compliance
Security & Compliance Lead – manages controls, risks, and audits
Technical Team Lead – ensures secure architecture and DevOps governance
Support Team Lead – coordinates incident reporting and access requests

12. CONTACT DETAILS

Data Protection Officer
Centrim Life Ltd
Victory House
400 Pavilion Drive
Northampton Business Park
Northampton, NN4 7PA

Email: dpo@centrimlife.co.uk
Phone: +44 (0)1604 279636

CENTRIM LIFE - DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement ("DPA") forms part of the Service Agreement between:

(1) Customer Organisation, acting as the Controller; and
(2) Centrim Life Ltd, a company incorporated in England and Wales (Company No. 16529540) with registered office at Victory House, 400 Pavilion Drive, Northampton Business Park, Northampton, NN4 7PA ("Processor").

Together, the "Parties".

1. DEFINITIONS

Terms have the same meaning as under the UK GDPR and the Data Protection Act 2018.

"Personal Data", "Special Category Data", "Processing", "Controller", "Processor", and "Data Subject" have their statutory meanings.
"Services" means the Centrim Life SaaS platform and all activated modules (Dining, Maintenance, Housekeeping, Lifestyle, CRM, Visitor Management, Feedback & Compliance, Concierge).
"Sub-processor" means a third party engaged by the Processor to process Personal Data.
"Data Breach" has the meaning given under Article 4(12) UK-GDPR.

2. PURPOSE & SUBJECT MATTER OF PROCESSING

The Processor shall process Personal Data exclusively for the purpose of:

Operating and providing the Centrim Life SaaS platform
Delivering workflows for residents, staff, and visitors
Notifications, reporting, logging, and communications
Supporting integration enabled by the Controller
Providing technical support, development maintenance, and platform improvements

3. CATEGORIES OF DATA SUBJECTS

Residents and prospective residents
Staff, contractors, and volunteers
Family members and representatives
Visitors
Any individual whose data is entered into the platform by the Controller

4. CATEGORIES OF PERSONAL DATA

4.1 Standard Personal Data

Name, contact details, demographics, room identifiers, login details, logs, visitor records, maintenance/housekeeping data, activity logs, and internal notes.

4.2 Special Category Data

Only where entered by the Controller:

Allergies, dietary needs, IDDSI levels, complaints, incident data, and resident notes related to dining/lifestyle.

5. TERM

This DPA remains in force until all Personal Data is deleted under Section 12.

6. PROCESSOR OBLIGATIONS

Process Data only on written instructions from the Controller.
Ensure confidentiality of authorised personnel.
Implement robust security including UK-only hosting, encryption, WAF, MFA/SSO, RBAC, penetration testing, and least-privilege access.
Impose GDPR-equivalent obligations on Sub-processors.
Assist the Controller with rights requests, DPIAs, ICO interactions, and breach handling.

7. APPROVED SUB-PROCESSORS

Sub-Processor	Purpose	Processing Region
Amazon Web Services	Hosting & infrastructure	UK (London)
Postmark	Email delivery	EU region
Mixpanel	Analytics (pseudonymised)	EU region
Gleap	Support	EU region
Sinch Message Media	Optional SMS	EU routing
Centrim Life Pty Ltd	Support access	Secure VPN to UK region (no data export)
Ecaret Solutions	Development & support access	Secure VPN to UK region (no data export)

Sub-processor changes require 30 days' prior notice.

8. INTERNATIONAL TRANSFERS

The Processor shall not transfer Personal Data outside the UK.
No offshore hosting or replication.

9. DATA SUBJECT RIGHTS

The Processor will assist with access, rectification, erasure, restriction, portability, objection, and automated decision rights. The Processor will not respond directly unless instructed.

10. PERSONAL DATA BREACH

In the event of a Data Breach, the Processor will:

Notify the Controller within 24 hours
Provide breach details
Assist with investigations and ICO notifications
Support communication with affected Data Subjects
Provide a remediation plan

11. BACKUP & DISASTER RECOVERY

Daily encrypted backups (7-day retention), UK-only storage, PITR, S3 replication.

Multi-AZ DR architecture, quarterly DR tests, and annual full DR simulation.

RTO: 1 hour. RPO: 4 hours.

12. DATA DELETION

Upon termination:

Personal Data deleted from production within 30 days
Backups deleted within 30–60 days
Certificate of Data Destruction issued

13. AUDIT RIGHTS

The Controller may conduct remote or on-site audits or appoint an independent auditor. Audits must not compromise platform or security.

14. LIABILITY

Liability remains governed by the Service Agreement. This DPA does not alter liability terms.

15. GOVERNING LAW

This DPA is governed by the laws of England and Wales.