Client Service Agreement

Document Reference: HS-CSA-2026-001 · Version 1.0 · Last updated: 16 February 2026 · Governing Law: England & Wales

1. Parties & Definitions

1.1 This Client Service Agreement ("Agreement") is entered into between:

Provider: Medical Directory Limited (trading as HealSuite), a company registered in England and Wales (Company No. 15320064), whose registered office is at 85 Great Portland Street, First Floor, London, England, W1W 7LT ("HealSuite", "we", "us", "our").

Client: The individual or entity registering for and using the Platform ("Client", "you", "your").

1.2 In this Agreement, the following terms shall have the meanings set out below:

"Authorised Users"
means the Client and any individual practitioners, staff, or employees whom the Client permits to access the Platform under this Agreement.
"Confidential Information"
means any non-public information disclosed by either party, including business plans, technical data, patient information, pricing, and proprietary processes.
"Data Protection Laws"
means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any successor or supplementary legislation.
"Effective Date"
means the date on which the Client accepts this Agreement by clicking "I agree" or similar affirmative action on the Platform, or the date the Client first accesses the Platform, whichever is earlier.
"Patient Data"
means any personal data or special category data (including health data) relating to the Client's patients that is processed through the Platform.
"Platform"
means the HealSuite cloud-based healthcare practice management software, including all modules, features, updates, and associated APIs made available to the Client.
"Subscription Plan"
means the tier of service selected by the Client (Basic, Standard, or Premium) as detailed in Schedule 1.
"Subscription Term"
means the period during which the Client has an active, paid subscription to the Platform.

1.3 Electronic Acceptance. By clicking "I agree", "Accept & Continue", or any similar affirmative button or checkbox on the Platform, or by accessing or using the Platform after being presented with this Agreement, the Client agrees to be bound by this Agreement. This electronic acceptance constitutes a legally binding agreement with the same effect as a handwritten signature. The Client consents to the use of electronic records for the purposes of this Agreement.

1.4 Authority. The individual accepting this Agreement represents and warrants that they have the legal authority to bind the Client. If the Client is a company, partnership, or other entity, the individual accepting this Agreement confirms that they are duly authorised to enter into binding agreements on behalf of that entity.

2. Services

2.1 HealSuite shall provide the Client with access to the Platform in accordance with the Subscription Plan selected by the Client. The Platform is an AI-powered healthcare practice management system that includes the features set out in Schedule 1.

2.2 The Platform is provided as a Software-as-a-Service (SaaS) solution. HealSuite shall host, maintain, and update the Platform at its own expense. The Client accesses the Platform via the internet using a supported web browser.

2.3 Core Platform capabilities include, but are not limited to:

  • Patient record management and CRM
  • Appointment scheduling with smart calendar and automated reminders
  • Patient portal for letters, results, and online booking
  • AI-powered transcription and clinical assistance
  • E-prescriptions and clinical document management
  • Invoicing, insurance billing, and payment processing
  • Email, SMS, and WhatsApp communications
  • Marketing campaigns, lead management, and booking links
  • Financial reporting and analytics
  • Role-based access control and audit logging

2.4 HealSuite reserves the right to modify, update, or enhance the Platform at any time, provided that no update shall materially reduce the functionality included in the Client's Subscription Plan without 30 days' prior written notice.

2.5 HealSuite shall use commercially reasonable efforts to maintain Platform availability of 99.5% uptime, measured monthly, excluding planned maintenance windows. Planned maintenance shall be communicated at least 48 hours in advance where practicable. The uptime target in this Clause 2.5 is a service objective and does not give rise to service credits or any right to terminate; HealSuite's sole obligation is to use commercially reasonable efforts to meet the target.

3. Subscription & Fees

3.1 The Client shall pay the subscription fees applicable to the selected Subscription Plan, as set out in Schedule 1. All fees are quoted in British Pounds Sterling (GBP) and are exclusive of Value Added Tax (VAT), which shall be charged at the prevailing rate where applicable.

3.2 Subscription fees are payable monthly in advance by the payment method registered on the Client's account. Payments are processed through our authorised payment provider. Subscription fees are non-refundable, except where required by applicable law or as expressly stated in this Agreement.

3.3 Failed Payments & Grace Period. In the event of a failed payment, HealSuite shall:

  • notify the Client of the failed payment and attempt to re-process the payment;
  • provide a grace period of five (5) calendar days during which the Client retains full access to the Platform;
  • if payment is not received within the grace period, suspend or restrict the Client's access to the Platform until payment is resolved.

3.4 Where the Client processes patient payments through the Platform, a transaction processing fee of 1.5% of the transaction value shall apply, unless a different rate has been agreed in writing between HealSuite and the Client. This fee is deducted automatically from payouts to the Client.

3.5 HealSuite may adjust subscription fees with not less than 60 days' written notice. The revised fees shall take effect at the start of the next billing cycle following the notice period. If the Client does not agree to the revised fees, the Client may terminate this Agreement in accordance with Clause 11.

3.6 Fair Usage. Use of email, SMS, and WhatsApp messaging features is subject to fair and reasonable usage. HealSuite reserves the right to impose reasonable limits on messaging volumes and to restrict or suspend messaging capabilities where usage is excessive, abusive, or inconsistent with normal healthcare practice operations. HealSuite shall notify the Client before imposing any such restriction where practicable.

4. Client Obligations

4.1 The Client shall ensure that all Authorised Users comply with the terms of this Agreement and all applicable laws and regulations, including but not limited to healthcare regulations and Data Protection Laws.

4.2 The Client shall be responsible for the security of all account credentials and must immediately notify HealSuite of any suspected unauthorised access.

4.3 The Client shall not:

  • use the Platform for any unlawful purpose or in a manner that could damage, disable, or impair the Platform;
  • attempt to gain unauthorised access to any part of the Platform, other users' accounts, or underlying systems;
  • reverse engineer, decompile, or disassemble any part of the Platform;
  • sub-license, resell, or transfer access to the Platform to any third party without HealSuite's prior written consent;
  • upload or transmit any malicious code, viruses, or harmful content;
  • use the messaging features of the Platform to send unsolicited marketing communications in breach of the Privacy and Electronic Communications Regulations 2003 or any applicable anti-spam legislation.

4.4 The Client acknowledges that they are solely responsible for the accuracy and legality of all data entered into the Platform, including Patient Data.

4.5 Where the Client operates as a clinic with multiple practitioners, the Client is responsible for managing user access permissions and ensuring that all practitioners and staff members are appropriately trained in the use of the Platform and data protection obligations.

4.6 Regulatory Compliance. The Client is solely responsible for:

  • maintaining all necessary professional registrations, licences, and regulatory approvals required to operate their healthcare practice;
  • complying with all applicable healthcare regulations, including (where applicable) Care Quality Commission (CQC) requirements;
  • maintaining appropriate professional indemnity insurance;
  • ensuring that all clinical decisions, diagnoses, and treatments are made by appropriately qualified and registered professionals;
  • complying with professional duties of candour and all applicable clinical governance obligations.

4.7 Suspension. HealSuite may immediately suspend the Client's access to the Platform, in whole or in part, without liability, if:

  • the Client's use of the Platform poses a security risk to the Platform or any third party;
  • the Client's use may adversely impact the Platform's availability or performance for other clients;
  • the Client is in material breach of this Agreement;
  • suspension is required to comply with applicable law, regulation, or a court order;
  • payment is not received within the grace period specified in Clause 3.3.

HealSuite shall use reasonable efforts to provide advance notice of any suspension and to restore access promptly once the cause of suspension has been resolved.

5. Data Protection & Privacy

Important: This section constitutes the Data Processing Agreement (DPA) between the parties as required by Article 28 of the UK GDPR.

5.1 Roles. The Client is the Data Controller for all Patient Data processed through the Platform. HealSuite is the Data Processor, processing Patient Data solely on the Client's documented instructions and for the purpose of providing the Platform services. The Client's use of the Platform features (including enabling AI features, sending communications, and configuring integrations) constitutes the Client's documented processing instructions for the purposes of Article 28 of the UK GDPR. Any processing instructions that fall outside the scope of the Platform's standard functionality must be agreed in writing.

5.2 Processing Details. The following details of processing are agreed:

  • Subject matter: Provision of a cloud-based healthcare practice management platform.
  • Duration: For the Subscription Term and any post-termination retention period required by Clause 11.4 or applicable law.
  • Nature and purpose: Storage, retrieval, display, organisation, and transmission of Patient Data as necessary to provide the Platform's features (including patient records, appointment scheduling, clinical documentation, communications, and billing).
  • Types of personal data: Names, dates of birth, contact details (email, phone, address), health and medical records, clinical notes, treatment history, appointment data, prescriptions, billing and payment information, insurance details, photographs, consent records, and communication history.
  • Categories of data subjects: The Client's patients, and where applicable, the Client's staff and practitioners.

5.3 Client's Obligations as Controller. The Client shall:

  • ensure that it has a lawful basis for processing Patient Data (e.g., patient consent, performance of a medical contract, or vital interests);
  • provide clear and accurate privacy notices to its patients regarding the use of the Platform;
  • respond to data subject access requests (DSARs) in accordance with Data Protection Laws, with HealSuite providing reasonable assistance.

5.4 HealSuite's Obligations as Processor. HealSuite shall:

  • process Patient Data only in accordance with the Client's documented instructions and for the purposes of this Agreement. HealSuite shall immediately inform the Client if, in HealSuite's opinion, a processing instruction infringes Data Protection Laws;
  • implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • AES-256 encryption for all sensitive data at rest;
    • TLS 1.3 encryption for data in transit;
    • role-based access controls and multi-factor authentication;
    • comprehensive audit logging of all data access and modifications;
    • regular security assessments and penetration testing;
  • ensure that all personnel who have access to Patient Data are bound by appropriate confidentiality obligations;
  • not engage any new sub-processor without providing the Client with at least 30 days' prior written notice, during which the Client may object to the new sub-processor. If the Client reasonably objects and the parties cannot resolve the objection within 30 days, the Client may terminate this Agreement on written notice. HealSuite's current sub-processors are listed in Schedule 2;
  • notify the Client without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Patient Data;
  • assist the Client in fulfilling its obligations under Data Protection Laws, including DSARs, data protection impact assessments, and breach notifications;
  • upon termination, delete or return all Patient Data to the Client in accordance with Clause 11.4, unless retention is required by applicable law.

5.5 Data Location. Patient Data shall be processed and stored within the United Kingdom and/or the European Economic Area. Where sub-processors listed in Schedule 2 are based outside these jurisdictions, HealSuite shall ensure that appropriate safeguards are in place in accordance with Data Protection Laws, including the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses, as applicable.

5.6 Data Retention. HealSuite shall retain Patient Data for the duration of this Agreement and for such period thereafter as is required by applicable healthcare record retention laws. Upon termination, the provisions of Clause 11.4 shall apply.

5.7 Audit Rights. The Client (or an independent third-party auditor appointed by the Client) shall have the right, upon 30 days' written notice and no more than once per calendar year, to audit HealSuite's compliance with its data protection obligations under this Agreement. Any auditor appointed by the Client must: (i) be independent and not a competitor of HealSuite; (ii) be bound by written confidentiality obligations no less protective than those in Clause 12; and (iii) conduct the audit in a manner that minimises disruption to HealSuite's operations. The Client shall bear the costs of any such audit. HealSuite may satisfy audit requests by providing copies of relevant certifications, audit reports, or summaries prepared by its own independent auditors.

6. Security

6.1 HealSuite shall maintain industry-standard security measures informed by the principles of ISO 27001 and SOC 2 frameworks (this does not constitute a claim of certification under those standards), including:

  • AES-256 encryption of all personal and sensitive data at rest;
  • TLS 1.3 encryption for all data transmissions;
  • role-based access control (RBAC) with granular permission management;
  • multi-factor authentication (MFA) available for all user accounts;
  • WebAuthn/passkey authentication support;
  • comprehensive audit logging with 365-day retention;
  • AWS cloud infrastructure with server-side encryption for file storage;
  • session encryption enabled by default;
  • daily encrypted backups with geo-redundancy.

6.2 Backups. Daily encrypted backups are maintained for disaster recovery purposes. Backups are designed to protect against catastrophic data loss at the infrastructure level and do not constitute an archival or point-in-time recovery service. HealSuite does not warrant the ability to restore individual records, specific data subsets, or data to a particular point in time. The Client is responsible for maintaining its own copies of critical data as appropriate.

6.3 HealSuite shall conduct periodic security assessments, vulnerability scans, and penetration testing. Material findings shall be remediated in a timely manner.

6.4 In the event of a security incident affecting the Client's data, HealSuite shall:

  • notify the Client within 72 hours of confirmed discovery;
  • provide a written incident report detailing the nature, scope, and impact of the incident;
  • take all reasonable steps to contain and remediate the incident;
  • cooperate with the Client in meeting any regulatory notification obligations.

7. Intellectual Property

7.1 All intellectual property rights in the Platform, including its software, design, documentation, and branding, remain the exclusive property of HealSuite. Nothing in this Agreement transfers any intellectual property rights to the Client. The Client is granted a limited, non-exclusive, non-transferable, revocable licence to access and use the Platform for the duration of the Subscription Term solely for the Client's internal healthcare practice operations.

7.2 The Client retains all rights in its own data, including Patient Data. HealSuite shall not use Patient Data for any purpose other than providing the services under this Agreement.

7.3 HealSuite may use anonymised, aggregated, and de-identified data for the purpose of improving the Platform, developing new features, and generating industry benchmarks, provided that no individual patient or Client can be identified from such data.

8. AI Features & Clinical Disclaimer

Important: HealSuite is a software platform. It is not a healthcare provider and does not practise medicine. The Client is solely responsible for all clinical decisions.

8.1 AI-Powered Features. The Platform includes artificial intelligence features such as transcription, clinical note assistance, and an AI assistant ("Healy"). These features are provided as assistive tools only and are not intended to replace professional clinical judgement. AI outputs may contain errors, omissions, or inaccuracies.

8.2 Client Responsibility for AI Outputs. The Client shall:

  • review and verify all AI-generated content (including transcriptions, suggested notes, and summaries) before relying on it or incorporating it into patient records;
  • not use AI outputs as the sole basis for any clinical decision, diagnosis, or treatment;
  • ensure that all Authorised Users are aware that AI features are assistive and must be verified by a qualified professional.

8.3 No Medical Advice. Nothing provided through the Platform, including AI-generated outputs, constitutes medical advice, diagnosis, or treatment recommendation. HealSuite is not liable for any clinical decision made by the Client or any Authorised User using or relying upon the Platform or its AI features.

8.4 AI Data Handling. Where AI features process Patient Data (including clinical text and audio recordings), the following safeguards apply:

  • Patient Data is transmitted to the AI sub-processor (as listed in Schedule 2) solely for the purpose of generating the requested output (e.g., transcription, summary, or clinical note assistance);
  • HealSuite accesses AI services through enterprise-grade API agreements that contractually prohibit the AI sub-processor from using, retaining, or training on Patient Data submitted through the API;
  • Patient Data submitted to AI sub-processors is processed in transit and is not stored by the AI sub-processor beyond the time necessary to generate the output, except as required for abuse monitoring with a maximum retention of 30 days;
  • the Client may disable AI features at any time through the Platform settings, in which case no Patient Data will be transmitted to AI sub-processors.

8.5 E-Prescriptions. The Platform provides electronic prescribing tools as an administrative convenience. The Client is solely responsible for the accuracy, clinical appropriateness, and legality of all prescriptions issued through the Platform. HealSuite does not verify, validate, or approve prescriptions.

9. Warranties & Limitation of Liability

9.1 HealSuite warrants that:

  • it shall provide the Platform with reasonable care and skill;
  • the Platform shall materially conform to its published documentation and feature descriptions;
  • it shall comply with all applicable laws and regulations in the provision of the Platform.

9.2 Disclaimer. Except as expressly stated in this Agreement, the Platform is provided "as is" and "as available". To the maximum extent permitted by law, HealSuite disclaims all implied warranties, including warranties of merchantability, fitness for a particular purpose, and non-infringement. HealSuite does not warrant that the Platform will be uninterrupted, error-free, or free of all vulnerabilities, or that defects will be corrected within any particular timeframe.

9.3 Limitation of Liability. To the maximum extent permitted by law:

  • HealSuite's total aggregate liability arising out of or in connection with this Agreement shall not exceed the total fees paid by the Client in the twelve (12) months preceding the event giving rise to the claim;
  • neither party shall be liable for any indirect, consequential, special, incidental, or punitive damages, including loss of profits, loss of revenue, loss of data (except as caused by HealSuite's breach of its data protection obligations), loss of goodwill, or business interruption, however caused and under any theory of liability;
  • HealSuite shall have no liability for any claim arising from: (i) the Client's failure to verify AI-generated outputs; (ii) clinical decisions made using the Platform; (iii) the Client's failure to maintain adequate backups of data outside the Platform; or (iv) the Client's breach of its obligations under this Agreement.

9.4 Exclusions. Nothing in this Agreement shall limit or exclude liability for:

  • death or personal injury caused by negligence;
  • fraud or fraudulent misrepresentation;
  • any liability which cannot be limited or excluded by applicable law.

10. Indemnification

10.1 The Client shall indemnify, defend, and hold harmless HealSuite and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

  • the Client's breach of this Agreement;
  • the Client's breach of any applicable law, regulation, or professional obligation;
  • any claim by a patient or third party arising from the Client's clinical decisions, diagnoses, treatments, or professional conduct;
  • the Client's failure to obtain appropriate consent or lawful basis for processing Patient Data;
  • any data or content uploaded, stored, or transmitted by the Client or its Authorised Users through the Platform;
  • the Client's use of AI-generated outputs without appropriate professional verification.

10.2 HealSuite shall promptly notify the Client of any claim subject to indemnification and shall provide reasonable cooperation in the defence of such claim at the Client's expense.

11. Term & Termination

11.1 Term. This Agreement shall commence on the Effective Date and continue on a rolling monthly basis unless terminated in accordance with this Clause 11.

11.2 Termination by Client. The Client may terminate this Agreement at any time by providing 30 days' written notice to HealSuite. Termination shall take effect at the end of the current billing cycle following the notice period. No refund shall be given for any unused portion of a billing period.

11.3 Termination by HealSuite. HealSuite may terminate this Agreement:

  • with 30 days' written notice for any reason;
  • immediately, if the Client commits a material breach of this Agreement that is not remedied within 14 days of receiving written notice of the breach;
  • immediately, if the Client becomes insolvent, enters administration, or ceases to carry on business;
  • immediately, if required by law, regulation, or a court order.

11.4 Effect of Termination. Upon termination:

  • HealSuite shall provide the Client with a 90-day data export window during which the Client may download their data in machine-readable format (CSV/JSON);
  • following the data export window, HealSuite shall securely delete or anonymise the Client's data from active systems within 30 days, subject to any retention obligations required by applicable healthcare record retention laws;
  • all outstanding fees shall become immediately due and payable;
  • the Client's licence to use the Platform shall immediately cease;
  • Clauses 5 (Data Protection), 7 (Intellectual Property), 8 (AI & Clinical Disclaimer), 9 (Warranties & Liability), 10 (Indemnification), 12 (Confidentiality), and 13 (General Provisions) shall survive termination.

12. Confidentiality

12.1 Each party shall keep confidential all Confidential Information received from the other party and shall not disclose such information to any third party without the prior written consent of the disclosing party, except:

  • to employees, contractors, or advisers who need to know such information for the purposes of this Agreement and who are bound by equivalent confidentiality obligations;
  • where disclosure is required by law, regulation, or court order.

12.2 The obligations in Clause 12.1 shall not apply to information that:

  • is or becomes publicly available through no fault of the receiving party;
  • was already known to the receiving party at the time of disclosure, as evidenced by written records;
  • is independently developed by the receiving party without use of or reference to the disclosing party's Confidential Information;
  • is lawfully received from a third party without restriction on disclosure and without breach of any obligation of confidentiality.

12.3 The confidentiality obligations in this Clause 12 shall survive the termination of this Agreement for a period of three (3) years, except in respect of Patient Data, for which confidentiality obligations shall continue indefinitely.

13. General Provisions

13.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

13.2 Dispute Resolution. The parties shall attempt to resolve any dispute arising from this Agreement through good-faith negotiation. If unresolved within 30 days, either party may refer the dispute to mediation under the CEDR Mediation Rules before commencing legal proceedings. If mediation does not resolve the dispute within 60 days of referral, either party may commence legal proceedings.

13.3 Force Majeure. Neither party shall be liable for any failure to perform its obligations where such failure results from circumstances beyond its reasonable control, including natural disasters, war, pandemic, government action, power failure, or internet outages. The affected party shall promptly notify the other party of the force majeure event and its expected duration. If a force majeure event continues for more than 90 days, either party may terminate this Agreement on written notice.

13.4 Entire Agreement. This Agreement (including its Schedules) constitutes the entire agreement between the parties and supersedes all prior agreements, understandings, and representations relating to its subject matter. Each party acknowledges that it has not relied on any representation, warranty, or undertaking not set out in this Agreement.

13.5 Amendments. HealSuite may update this Agreement from time to time by publishing the revised terms on the Platform and providing the Client with at least 30 days' written notice (by email or in-Platform notification). The notice shall include a summary of material changes. Continued use of the Platform after the effective date of the revised terms constitutes acceptance. If the Client does not agree to the revised terms, the Client may terminate this Agreement before the revised terms take effect in accordance with Clause 11.

13.6 Severability. If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.7 Waiver. No failure or delay by either party in exercising any right or remedy under this Agreement shall constitute a waiver of that right or remedy. No single or partial exercise of any right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

13.8 Third-Party Rights. No person other than a party to this Agreement shall have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

13.9 Notices. All notices under this Agreement shall be in writing. Notices to HealSuite shall be sent to: admin@healsuite.ai or by recorded delivery post to the registered office address stated in Clause 1.1. Notices to the Client shall be sent to the email address registered on the Client's account. Notices sent by email shall be deemed received on the next business day after sending.

13.10 Assignment. Neither party may assign or transfer its rights or obligations under this Agreement without the prior written consent of the other party, except that HealSuite may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of its assets.

13.11 Limitation Period. Any claim arising out of or in connection with this Agreement must be brought within twelve (12) months of the date on which the claiming party became aware (or ought reasonably to have become aware) of the circumstances giving rise to the claim. This Clause 13.11 does not apply to claims under Clause 9.4 (statutory exclusions) or claims relating to a personal data breach under Clause 5.

13.12 Governing Version. The version of this Agreement published on the Platform at healsuite.ai/terms-and-conditions is the authoritative version. In the event of any conflict between the online version and any printed, cached, or offline copy, the online version shall prevail.

Schedules

The following Schedules form part of this Agreement and are provided to the Client upon account creation:

  • Schedule 1 — Subscription Plans & Pricing
  • Schedule 2 — Sub-Processors
  • Schedule 3 — Service Level Commitments

Copies of the Schedules are available on request by contacting admin@healsuite.ai.
