Data Processing Agreement (DPA)

Effective Date: 22 January 2024

Version 1.0

This Data Processing Agreement (“DPA”) outlines the terms and conditions under which Ground Truth Labs Ltd (“Data Processor”) processes personal data on behalf of its clients (“Data Controllers”). This agreement is designed to ensure compliance with the General Data Protection Regulation (GDPR), UK Data Protection Act, and other relevant data protection laws. Our commitment to transparency and clarity in processing personal data is paramount.

Scope of Agreement

This DPA applies to the processing of personal data by Ground Truth Labs Ltd in the course of providing services to Data Controllers, including but not limited to data collection, storage, and analysis.

Data Processing Terms

  1. Purpose of Processing: The Data Processor shall process personal data solely for the purpose of contracting towards and providing computer-vision enabled pathology image analysis and reports as agreed upon in the service agreement or general engagement contract with the Data Controller.
  2. Data Types and Categories: The Data Processor shall handle the following types of personal data: customer emails, names, company affiliations, and job titles, as well as fully anonymised health data provided in de-identified form by the Data Controller.
  3. Legal Basis for Processing: Processing of personal data shall be conducted under the legal basis of legitimate interest, as detailed in our Privacy Policy.
  4. Data Subject Rights: The Data Processor shall facilitate the Data Controller in fulfilling data subject rights under the GDPR and other applicable data protection laws.
  5. Sub-Processors: The Data Processor may engage sub-processors to fulfil its contractual obligations. All sub-processors will be bound by data processing agreements that meet the standards of this DPA.
  6. Security Measures: Appropriate technical and organisational measures will be implemented to ensure the security of the processed data.
  7. Data Breach Notification: In the event of a data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach.
  8. Data Transfer: Transfers of personal data outside the European Economic Area (EEA) shall be conducted in compliance with GDPR transfer mechanisms.

Rights and Obligations of the Data Controller

  1. Data Controller Responsibility: The Data Controller shall ensure that data provided to the Data Processor complies with applicable data protection laws.
  2. Audit Rights: The Data Controller retains the right to conduct desktop/paper audits to verify compliance with this DPA so long as it notifies Ground Truth Labs with at least 2 weeks advance and limits the total number of audits during a contract period to once every 2 years.
  3. Data Controller Instructions: The Data Processor shall comply with Data Controllers requests to correct, alter, transfer or destroy personal data belonging to the Data Controllers

Acceptance Mechanism

Users must accept the terms of this DPA before utilising Ground Truth Labs Ltd's services or engaging with its website. This acceptance can be facilitated through an online acceptance mechanism on the DPA page.

Version Control and Updates

Users will be informed of any updates to this DPA, which will be clearly displayed with its version number and effective date. Continued use of our services after an update implies acceptance of the revised terms.

Data Controller Communication

Data Controllers are encouraged to contact Ground Truth Labs Ltd for any specific DPA requirements or modifications to address their individual needs by emailing

Link in Privacy Policy

A link to this DPA is provided in our Privacy Policy to ensure easy access for all users.