This page is the central index for PracticeGrid’s legal, privacy and data-protection
documents. It is designed for partners, practice managers, compliance teams and advisers
who need a clear view of how we contract with you and how we handle personal data.
Each document below has a short description to help you understand its role. Together,
they form the legal and compliance framework for using PracticeGrid and products such as
CinchFlow, and support your own Records of Processing Activities (RoPA), DPIAs and
vendor due-diligence work.
These summaries are provided for convenience only. The legally binding terms for your
subscription are set out in the full Master Services Agreement (MSA), Data Processing
Agreement (DPA) and related documents provided at the point of contract or checkout.
Need the full legal texts? The library below provides a short overview of each document and
direct download links to the latest version of our core legal and data-protection terms.
Master Services Agreement (MSA)
Contract · Commercial terms · Licence & responsibilities
1. Introduction and Definitions
1.1 These Master Services Agreement terms (MSA) set out the basis on which Sapphire Info Solutions Pvt. Ltd., trading as PracticeGrid, and any of its relevant divisions (including Accent AI Technologies) ("PracticeGrid", "we", "us", "our") provide access to the PracticeGrid platform and related products such as CinchFlow (the "Services") to the customer identified in the relevant Order Form, online checkout, or sign-up page ("Customer", "you", "your").
1.2 Capitalised terms used in this MSA may be defined in the body of these terms or in an attached Schedule. In case of conflict between this MSA and an Order Form, the Order Form will take precedence for those conflicting terms.
2. Scope of Services
2.1 PracticeGrid will make the Services available to you in accordance with this MSA and any applicable Order Form. The Services may include access to cloud software, integrations, onboarding support and any other items explicitly stated in an Order Form or on our website at the time of order.
2.2 We may update or modify the Services from time to time, for example to improve functionality, address security issues or comply with law. We will not materially reduce the core functionality of the Services you have subscribed to during the current subscription term, except where required by law or to address security or compliance risks.
3. Customer Account and Use of the Services
3.1 You are responsible for the configuration of your account and for the actions of any users you invite into the Services ("Authorised Users"). You must ensure that all Authorised Users keep their login credentials secure and do not share them with others.
3.2 You must ensure that your use of the Services complies with all applicable laws and regulations, this MSA, and our Acceptable Use Policy (AUP). You are responsible for securing any necessary consents and providing any notices required in relation to data you input into the Services.
3.3 You must promptly notify us if you become aware of any unauthorised access to your account or any suspected misuse of the Services.
4. Fees and Payment
4.1 You agree to pay the fees set out in the applicable Order Form, together with any taxes (such as VAT) that are chargeable under applicable law.
4.2 Unless otherwise stated, fees are invoiced in advance for each subscription term and are payable within the period stated on the invoice. Where you purchase online, fees may be collected by card or other payment method at the time of order.
4.3 If you fail to pay any amount by the due date, we may suspend access to the Services until the outstanding amounts are paid in full.
4.4 Except where expressly stated otherwise in this MSA or required by law, fees are non-refundable.
5. Service Levels and Support
5.1 We will use reasonable commercial efforts to make the Services available in accordance with the Service Level Agreement (SLA) referenced in your Order Form or on our website from time to time.
5.2 We will provide standard support during the support hours and via the channels described in the SLA. Enhanced or premium support, if offered, may be subject to additional fees.
6. Data Protection and Security
6.1 Each party will comply with applicable data protection laws, including UK GDPR and the Data Protection Act 2018, in relation to any personal data processed under this MSA.
6.2 To the extent that we process personal data on your behalf as a processor, the Data Processing Agreement (DPA) available at the URL indicated in the Order Form (or otherwise provided to you) will apply and is hereby incorporated into this MSA by reference.
6.3 We will implement and maintain appropriate technical and organisational measures to protect Customer Data as described in the DPA and in our Security & Compliance overview.
7. Intellectual Property
7.1 All intellectual property rights in and to the Services, including all software, documentation, know-how, logos and branding, are and shall remain the exclusive property of PracticeGrid and its licensors.
7.2 We grant you a limited, non-exclusive, non-transferable, non-sublicensable licence to access and use the Services for your internal business purposes during the term of this MSA, in accordance with its terms and the AUP.
7.3 You retain ownership of any data you input into the Services ("Customer Data"). You grant us a non-exclusive licence to host, store, transmit, display and process Customer Data to the extent necessary to provide and improve the Services, to prevent or address technical or security issues, and as otherwise required by law.
8. Confidentiality
8.1 Each party (the "Receiving Party") may receive confidential information from the other party (the "Disclosing Party") in connection with this MSA. Confidential information includes any information of a confidential or proprietary nature that is marked as confidential or that a reasonable person would understand to be confidential.
8.2 The Receiving Party will use the Disclosing Party's confidential information only for the purposes of performing its obligations or exercising its rights under this MSA and will not disclose it to any third party, except to its personnel and professional advisers who need to know it and are bound by comparable confidentiality obligations.
8.3 These obligations do not apply to information that is already public, was lawfully known to the Receiving Party before disclosure, is independently developed without reference to the confidential information, or is required to be disclosed by law or court order (in which case the Receiving Party will, where lawful, give prompt notice to the Disclosing Party).
9. Warranties and Disclaimers
9.1 We warrant that we will provide the Services with reasonable skill and care and in material accordance with the description set out in the applicable Order Form and documentation.
9.2 Except as expressly stated in this MSA, the Services are provided "as is" and we exclude all other warranties, representations and conditions to the fullest extent permitted by law, including any implied warranties of merchantability, fitness for a particular purpose or non-infringement.
9.3 You acknowledge that use of the Services does not constitute legal, tax or accounting advice and that you are responsible for compliance with all laws and professional obligations applicable to your firm.
10. Limitation of Liability
10.1 Nothing in this MSA limits or excludes either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot lawfully be limited or excluded.
10.2 Subject to clause 10.1, neither party will be liable to the other for any loss of profits, loss of revenue, loss of business, loss of goodwill, loss of data, or any indirect or consequential loss or damage, whether arising in contract, tort (including negligence) or otherwise.
10.3 Subject to clauses 10.1 and 10.2, each party's total aggregate liability arising out of or in connection with this MSA (whether in contract, tort or otherwise) shall not exceed the total fees actually paid by you for the Services under this MSA in the 12 months immediately preceding the event giving rise to the claim.
11. Term, Suspension and Termination
11.1 This MSA begins on the effective date of your first Order Form and continues until all subscription terms have expired or been terminated in accordance with this clause 11.
11.2 Either party may terminate this MSA (or a specific Order Form) for material breach by the other party, if the breach is not remedied within thirty (30) days of written notice.
11.3 We may suspend access to the Services immediately if we reasonably believe that:
(a) your account has been compromised;
(b) your use of the Services poses a security risk or could adversely impact other customers;
(c) you are in material breach of the AUP or have failed to pay undisputed fees when due.
11.4 On termination or expiry of this MSA:
(a) your rights to access and use the Services will cease;
(b) you will pay any outstanding fees; and
(c) we will handle Customer Data in accordance with the DPA, including its data export and deletion commitments.
12. General
12.1 Neither party may assign or transfer this MSA without the other party's prior written consent, except that either party may assign to an affiliate or as part of a bona fide corporate reorganisation or sale of its business, provided that such assignment does not adversely affect the other party's rights.
12.2 If any provision of this MSA is held by a court to be invalid or unenforceable, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect.
12.3 This MSA, together with any applicable Order Forms, the DPA, SLA, AUP and any documents incorporated by reference, constitutes the entire agreement between the parties in relation to the Services and supersedes all prior discussions and agreements.
12.4 This MSA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction, subject to any mandatory consumer protection rules that apply if you qualify as a consumer.
Data Processing Agreement (DPA) with UK IDTA/Addendum
Data protection · Roles & security · International transfers
1. Introduction and Roles
1.1 This Data Processing Agreement ("DPA") forms part of the MSA between PracticeGrid and the Customer and sets out the additional terms that apply when PracticeGrid processes personal data on behalf of the Customer in the course of providing the Services.
1.2 For the purposes of applicable data protection laws, including UK GDPR and the Data Protection Act 2018 ("Data Protection Laws"), the Customer is the controller of Customer personal data and PracticeGrid acts as a processor, except where PracticeGrid determines the purposes and means of processing in which case it will be a controller for that processing.
2. Subject Matter, Nature, Purpose and Duration
2.1 Subject matter: PracticeGrid processes personal data submitted to, stored in, or generated by the Services on behalf of the Customer.
2.2 Nature and purpose: The processing consists of hosting, storage, transmission, organisation and other operations necessary to provide the Services, including support, maintenance, security monitoring and service improvement as described in the MSA.
2.3 Categories of data: The personal data may include contact details, account information, billing details, usage data, communication logs and any other personal data that the Customer chooses to input into the Services in the course of using them.
2.4 Categories of data subjects: The personal data may relate to the Customer's staff, contractors, clients, prospective clients and other individuals whose data is included in Customer Data.
2.5 Duration: The processing will continue for the duration of the MSA and any further period required for data export, secure deletion or compliance with applicable law.
3. Customer Instructions
3.1 PracticeGrid will process personal data only on documented instructions from the Customer, as set out in the MSA, this DPA, the configuration of the Services and any lawful written instructions issued by the Customer from time to time.
3.2 If PracticeGrid is required by law to process personal data in a way that conflicts with the Customer's instructions, PracticeGrid will (where lawful) inform the Customer of that requirement before carrying out the processing.
4. Processor Obligations
4.1 PracticeGrid will ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 PracticeGrid will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the factors set out in Data Protection Laws.
4.3 PracticeGrid will not transfer personal data outside the UK or EEA unless it ensures appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the Addendum to the EU Standard Contractual Clauses, or other lawful transfer mechanisms.
5. Sub-processors
5.1 The Customer authorises PracticeGrid to engage third-party processors ("Sub-processors") to support the delivery of the Services. A current list of Sub-processors will be made available via the Sub-processor list referred to on our website or in the Order Form.
5.2 PracticeGrid will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA.
5.3 PracticeGrid will notify the Customer of any proposed changes to its Sub-processors (for example, by updating the online Sub-processor list and providing email or in-app notice where appropriate). The Customer may object on reasonable grounds relating to data protection by notifying PracticeGrid within the period stated in the notice. If the parties cannot reach agreement, the Customer may terminate the affected Services in accordance with the MSA.
6. Data Subject Rights and Assistance
6.1 Taking into account the nature of the processing, PracticeGrid will implement appropriate technical and organisational measures to assist the Customer in responding to requests from data subjects to exercise their rights under Data Protection Laws (such as access, rectification, erasure, restriction, portability and objection).
6.2 If PracticeGrid receives a request directly from a data subject relating to Customer personal data, it will (where reasonably identifiable as such) promptly notify the Customer and, unless legally prohibited, direct the data subject to submit the request to the Customer.
7. Security Incidents
7.1 PracticeGrid will notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer personal data. The notification will include information reasonably required for the Customer to meet its obligations under Data Protection Laws, to the extent such information is known and can be disclosed.
7.2 PracticeGrid will take reasonable steps to investigate, mitigate and remedy the personal data breach and will keep the Customer informed of material developments.
8. Data Protection Impact Assessments and Consultation
8.1 PracticeGrid will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that are required under Data Protection Laws, taking into account the nature of the processing and the information available to PracticeGrid.
9. Audits
9.1 Upon reasonable advance notice and subject to appropriate confidentiality commitments, PracticeGrid will make available to the Customer information necessary to demonstrate compliance with this DPA, which may include independent audit reports or certifications where available.
9.2 Where such information does not provide sufficient assurance, the Customer may request an on-site audit or inspection (or appoint an independent auditor to conduct it), subject to agreement on scope, timing and cost. The Customer will bear its own costs and reimburse PracticeGrid's reasonable costs of facilitating any such audit.
10. Data Return and Deletion
10.1 Upon termination or expiry of the Services, the Customer may export Customer Data using the features of the Services or by requesting a final export within the period specified in the MSA or our standard data retention policy.
10.2 After the export period, PracticeGrid will delete or anonymise Customer personal data from its systems, subject to any retention required by law, regulatory obligations or legitimate business purposes (for example, billing records). Any retained data will continue to be protected in accordance with this DPA.
11. UK IDTA / Addendum and International Transfers
11.1 Where PracticeGrid or its Sub-processors transfer personal data outside the UK or EEA, the parties agree that the relevant international data transfer mechanism (such as the UK IDTA or the Addendum to the EU Standard Contractual Clauses) will apply as set out in the Schedules to this DPA or as otherwise agreed in writing.
12. Priority
12.1 In the event of any conflict between this DPA and the MSA, this DPA shall prevail to the extent of that conflict in relation to the processing of personal data.
Privacy Notice
Individuals’ rights · Transparency · How we use personal data
1. Who we are
1.1 This Privacy Notice explains how Sapphire Info Solutions Pvt. Ltd., trading as PracticeGrid, and its divisions (including Accent AI Technologies) ("PracticeGrid", "we", "us", "our") collect, use and share personal data in connection with our products and services, including the PracticeGrid platform and CinchFlow.
2. Contact details
2.1 If you have any questions about this Privacy Notice or how we handle personal data, you can contact us by email at privacy@practicegrid.co.uk.
3. Personal data we collect
3.1 We may collect and process the following categories of personal data:
• Account and contact data: name, job title, firm name, email address, phone number and login details for user accounts.
• Billing and payment data: billing contact details, invoicing information and limited payment details (we typically use third-party payment processors).
• Usage data: information about how you use the Services, including log-ins, feature usage, support interactions and device information (such as browser type and approximate location).
• Communications: records of emails, support chats and other communications with us.
• Marketing preferences: your choices about receiving marketing communications from us.
4. How we collect personal data
4.1 We collect personal data in various ways, including:
• Directly from you when you sign up for a trial or paid account, request a demo or contact support.
• Automatically when you use the Services or visit our website, through cookies, logs and similar technologies.
• From your employer or colleagues where they create user accounts for you.
5. Purposes and legal bases
5.1 We use personal data for the following purposes and legal bases under UK GDPR:
• To provide and administer the Services (performance of a contract).
• To manage billing, renewals and account administration (performance of a contract and legitimate interests).
• To provide support and respond to enquiries (performance of a contract and legitimate interests).
• To monitor and improve the Services, including security monitoring, analytics and product development (legitimate interests).
• To send service-related communications, such as important updates and incident notifications (performance of a contract and legal obligations).
• To send optional marketing communications about our products and services, where permitted by law and subject to your choices (consent or legitimate interests, as appropriate).
6. Sharing personal data
6.1 We may share personal data with:
• Our group companies and divisions where necessary for service delivery and administration.
• Service providers and Sub-processors that support the Services (for example, hosting providers, email delivery services, analytics and support tools).
• Professional advisers such as lawyers, auditors and insurers where necessary for our legitimate interests and legal obligations.
• Authorities, regulators or courts where we are legally required to do so or to protect our rights, users or third parties.
7. International transfers
7.1 We may transfer personal data outside the UK or EEA where we or our Sub-processors operate or store data. When we do so, we will ensure appropriate safeguards are in place, such as the UK IDTA, the Addendum to the EU Standard Contractual Clauses or other lawful transfer mechanisms.
8. Retention
8.1 We keep personal data for as long as necessary to fulfil the purposes described in this Privacy Notice and to comply with legal, accounting and reporting requirements. After this, we will delete or anonymise the data.
9. Your rights
9.1 Under UK GDPR, you may have rights in relation to your personal data, including:
• The right to access your personal data and receive a copy of it.
• The right to correct inaccurate or incomplete data.
• The right to request deletion of your data in certain circumstances.
• The right to restrict or object to processing in certain circumstances.
• The right to data portability for certain data you have provided.
• The right to withdraw consent where we rely on consent to process your data.
9.2 To exercise any of these rights, please contact privacy@practicegrid.co.uk.
10. Cookies and similar technologies
10.1 We use cookies and similar technologies on our website and in the Services. For more information, please see our Cookie Policy.
11. Complaints
11.1 If you have concerns about how we handle your personal data, we encourage you to contact us first so we can try to resolve your concern. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). Details of how to contact the ICO are available on their website.
12. Changes to this Privacy Notice
12.1 We may update this Privacy Notice from time to time. We will post any changes on our website and, where appropriate, notify you by email or in-app message.
13. Google API Data Usage (Google Drive Integration)
13.1 Our application integrates with Google APIs, specifically Google Drive, to enable users to manage documents within their own Google accounts.
13.2 When a user connects their Google account, we may:
• Create folders within the user’s Google Drive
• Upload and manage files related to client workflows
• Display file and folder metadata within the application
13.3 We only access data that the user explicitly authorises via Google OAuth and we request the minimum necessary permissions required for the functionality of the application.
13.4 We do not access, read, or process Gmail or email content unless explicitly enabled and configured by the user.
13.5 We do not use Google user data for advertising, profiling, or any purpose unrelated to the core functionality of the application.
14. Data Protection and Security Measures
14.1 We implement appropriate technical and organisational measures to protect user data, including:
• Encryption of data in transit using HTTPS (TLS)
• Secure storage of OAuth tokens and credentials
• Access controls to restrict data access to authorised personnel only
• Monitoring and logging of system access and activity
14.2 Google user data is handled in accordance with Google's API Services User Data Policy, including the Limited Use requirements.
14.3 We do not sell, rent, or share Google user data with third parties, except where necessary to provide the core functionality of the Services.
15. User Control and Revocation of Access
15.1 Users may disconnect their Google account at any time via their account settings or through their Google account permissions page.
15.2 Once access is revoked, our application will no longer be able to access the user’s Google data.
15.3 Users retain full control over their data stored within their Google Drive.
16. Gmail Data Usage (if enabled)
16.1 Where Gmail integration is enabled, our application may access Gmail data to:
• Read email content for display within the application
• Send emails on behalf of the user when explicitly triggered
16.2 We do not use Gmail data for advertising or any unrelated purposes.
Cookie Policy
Cookies · Analytics · Consent & control
1. What are cookies?
1.1 Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide information to the site owners. Similar technologies include pixels, tags and local storage.
2. How we use cookies
2.1 We use cookies and similar technologies on the PracticeGrid website and, where relevant, in the app to:
• Make the site work properly and remember your preferences.
• Understand how the site is used, so we can improve performance and content.
• Support optional features such as help widgets or in-app guides.
• (Where used) tailor marketing or measure the effectiveness of our campaigns.
3. Types of cookies
3.1 We group cookies into the following categories:
• Strictly necessary cookies: required for the website to operate, for example to keep you logged in or provide security features. These cannot usually be switched off in our systems.
• Analytics and performance cookies: help us understand how visitors use the site, which pages are used most often, and how people arrive at the site, so we can improve it.
• Functionality cookies: remember your choices (such as language or region) to provide enhanced, more personalised features.
• Marketing cookies: may be used, where deployed, to deliver relevant advertisements or measure campaign performance.
4. Specific tools we use
4.1 We may use third‑party tools that set cookies when you visit our site or use the Services. Examples include analytics platforms, support or chat widgets and consent management tools. Details of the specific tools and their retention periods will be listed in the cookie banner or settings panel on our site.
5. Cookie retention
5.1 Some cookies are session cookies, which are deleted when you close your browser. Others are persistent cookies that remain on your device for a period of time or until you delete them. Retention periods for each cookie category and tool are set out in our cookie settings.
6. Managing your cookies
6.1 When you first visit the site, you will be presented with a cookie banner that allows you to accept all optional cookies or adjust your preferences. You can change your preferences at any time via the cookie settings link, typically in the footer of our site.
6.2 You can also configure your browser to block or delete cookies. However, if you block all cookies (including strictly necessary cookies) some parts of the site may not function properly.
7. Changes to this Cookie Policy
7.1 We may update this Cookie Policy from time to time, for example if we introduce new tools or change how we use cookies. We will update the version shown in our cookie banner and settings panel when changes are made.
Service Level Agreement (SLA)
Availability · Support · Incident communication
1. Purpose
1.1 This Service Level Agreement (SLA) describes the service availability, support and incident response commitments that apply to the Services, as referenced in the MSA or relevant Order Form.
2. Service availability
2.1 We target a monthly uptime of, for example, 99.5% for the core application, excluding planned maintenance and permitted downtime as described below.
2.2 Uptime is calculated over a calendar month based on the total number of minutes in the month minus the number of minutes of unplanned downtime, divided by the total number of minutes in the month, and expressed as a percentage.
3. Planned maintenance
3.1 We may carry out planned maintenance from time to time to update or improve the Services. Where such maintenance is expected to cause material downtime, we will use reasonable efforts to schedule it outside of typical UK business hours and provide advance notice.
4. Support hours and channels
4.1 Standard support is available during UK business hours (for example, Monday to Friday, 9:00–17:30 UK time, excluding public holidays).
4.2 Support is provided via email and other channels referenced on our website (e.g. in-app support or ticketing).
5. Incident categorisation and response
5.1 We categorise incidents by severity, for example:
• Priority 1 (Critical): complete loss of service affecting all users or a severe security incident.
• Priority 2 (High): major functionality impaired for a significant number of users with no reasonable workaround.
• Priority 3 (Medium): partial loss of functionality with a workaround available.
• Priority 4 (Low): minor issues, cosmetic defects or general questions.
5.2 Target initial response times (during support hours) may be, for example:
• Priority 1: within 1 hour.
• Priority 2: within 4 hours.
• Priority 3: within 1 business day.
• Priority 4: within 2 business days.
These targets are not guarantees but reflect our normal practice.
6. Exclusions
6.1 The SLA does not apply to:
• Issues caused by factors outside our reasonable control, such as internet outages or failures of third‑party networks.
• Downtime caused by misuse of the Services or use in breach of the MSA or AUP.
• Beta, trial or experimental features clearly identified as such.
7. Service credits (if applicable)
7.1 If we offer service credits for failure to meet uptime targets, the specific credit structure and claim process will be stated in your Order Form or a separate schedule. Any such credits will be your sole and exclusive remedy for the relevant service level failure.
8. Changes to this SLA
8.1 We may update this SLA from time to time, for example to reflect changes to the Services or support model. Material changes will be communicated in accordance with the MSA.
Acceptable Use Policy (AUP)
Fair use · Misuse · Platform protection
1. Purpose of this AUP
1.1 This Acceptable Use Policy (AUP) sets out rules for using the PracticeGrid Services. It is designed to protect our users, infrastructure and third parties from misuse.
2. Prohibited content and activities
2.1 You must not use the Services to store, transmit or process any content that is unlawful, harmful, defamatory, discriminatory, harassing, infringing or otherwise objectionable.
2.2 You must not use the Services to:
• Engage in fraud, deception or other unlawful activity.
• Infringe the intellectual property or privacy rights of others.
• Send unsolicited bulk messages or spam.
3. Security and system integrity
3.1 You must not attempt to interfere with or disrupt the integrity or performance of the Services, including by:
• Gaining or attempting to gain unauthorised access to the Services or related systems.
• Probing, scanning or testing the vulnerability of any system without our prior written consent.
• Introducing malware, viruses, worms or other harmful code.
4. Resource usage
4.1 You must not use the Services in a way that imposes an unreasonable or disproportionately large load on our infrastructure, for example through excessive API calls, storage or automated traffic, except where explicitly permitted by your plan or Order Form.
5. User conduct
5.1 You must treat our staff and other users with respect. Abusive, threatening or harassing behaviour towards our team or other users is not permitted.
6. Monitoring and enforcement
6.1 We may monitor use of the Services (in accordance with our Privacy Notice and applicable laws) to ensure compliance with this AUP and to protect the security and stability of the platform.
6.2 If we reasonably believe that you have breached this AUP, we may take appropriate action, which may include:
• Asking you to remove or modify content.
• Temporarily suspending or restricting access to the Services.
• Terminating your account in serious or repeated cases, in accordance with the MSA.
7. Changes to this AUP
7.1 We may update this AUP from time to time. The updated version will be posted on our website and, where appropriate, notified to you.
Sub-processor list
Third-party providers · Roles · Locations
1. Introduction
1.1 This section describes the categories of Sub-processors that PracticeGrid uses to help deliver the Services. A current, detailed Sub-processor list (including specific vendor names, locations and roles) is set out below and may be updated from time to time in accordance with the DPA.
1.2 Capitalised terms used in this Sub-processor List have the meaning given in the DPA or MSA (as applicable).
2. Categories of Sub‑processors
2.1 Typical categories of Sub-processors used by PracticeGrid include:
● Hosting and infrastructure providers (e.g. cloud platforms providing compute, storage and databases).
● Email and productivity integrations used to send emails from customer mailboxes via OAuth (e.g. Outlook, Gmail).
● Error monitoring and logging providers, used to capture and analyse application errors and performance issues.
● Payment service providers, used to process subscription and one-off payments for the Services.
3. Information provided in the Sub-processor table
3.1 The Sub-processor table below includes, at a minimum:
● Vendor name and trading name.
● Country or region of processing (where known or applicable).
● Type of service provided (e.g. hosting, email integration, error logging, payments).
● Whether data is stored, transmitted or otherwise processed.
● High-level categories of personal data processed.
4. Notification of changes
4.1 As described in the DPA, we will notify customers of material changes to our Sub‑processors in advance, for example by email, in‑app message or updates to the online Sub‑processor list.
4.2 Customers may object to changes on reasonable data protection grounds in accordance with the DPA.
5. Current Sub-processors
5.1 The following Sub-processors are currently engaged by PracticeGrid in connection with the Services:
Amazon Web Services, Inc. (AWS)
Country / Region of Processing: Primarily India (e.g. AWS India region, such as ap-south-1 – Mumbai)
Type of Service: Cloud hosting and infrastructure (EC2) used to host the PracticeGrid application and its database.
Data Involvement: Stores and processes Customer Data, including application database contents and system data necessary to operate the Services.
Microsoft 365 (Outlook)
Country / Region of Processing: Regions determined by Microsoft (may include India and other regions, depending on Microsoft's infrastructure)
Type of Service: Email integration: allows users to send emails from their Outlook accounts via OAuth directly from within the Services.
Data Involvement: Processes and transmits email content and related metadata. Stores OAuth tokens to enable the integration, in accordance with Microsoft's terms.
Google Workspace (Gmail)
Country / Region of Processing: Regions determined by Google (may include India and other regions, depending on Google's infrastructure)
Type of Service: Email integration: allows users to send emails from their Gmail accounts via OAuth directly from within the Services.
Data Involvement: Processes and transmits email content and related metadata. Stores OAuth tokens to enable the integration, in accordance with Google's terms.
Sentry (Functional Software, Inc.)
Country / Region of Processing: Regions determined by Sentry (may include non-Indian regions)
Type of Service: Error monitoring and logging service used to capture, store and analyse application errors and performance data.
Data Involvement: Stores and processes application error events and technical logs, which may incidentally include limited personal data.
Stripe, Inc. and Stripe group companies
Country / Region of Processing: Regions determined by Stripe (may include India, EU and other regions, including the US)
Type of Service: Online payment processing for subscription billing and one-off payments for the Services.
Data Involvement: Stores and processes payment and billing information and related transaction metadata. PracticeGrid primarily stores Stripe customer IDs, subscription details and payment status.
5.2 The engagement of each Sub-processor is subject to appropriate data protection terms, including obligations to implement suitable technical and organisational measures to protect Customer Data.
5.3 PracticeGrid may update this Sub-processor List from time to time in accordance with the DPA, including by adding or replacing Sub-processors. Customers will be notified of material changes in advance, for example by email, in-app notification or updates to the online Sub-processor list, and may object on reasonable data protection grounds as set out in the DPA.
Security & compliance policy
Hosting · Encryption · Access control · Monitoring
The Security & compliance policy is an extended overview of how PracticeGrid protects
your data, and how security is built into the product and our operations.
- Summarises hosting regions, core architecture and environment separation (production, staging, test).
- Explains encryption in transit and at rest, and how access to systems is controlled and logged.
- Describes backup, monitoring and incident-response practices, including 72-hour breach notification expectations under UK GDPR.
- Outlines our approach to secure development, vulnerability management and third-party security assessments where applicable.
- Explains our responsible disclosure approach and how to contact security@practicegrid.co.uk.