
Data Processing Addendum

Last updated: 8 April 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between you (“Controller”) and Gadgets and Mobile Repair Ltd (“Processor”, “we”, “us”) for the VAT Margin service (“Service”).

This DPA applies where and to the extent that we process personal data on your behalf as a data processor under UK GDPR. For account data where we are the data controller, our Privacy Policy applies.

1. Definitions

“Personal data”, “data subject”, “processing”, “controller”, “processor”, and “supervisory authority” have the meanings given to them in UK GDPR.

2. Subject matter and duration

We process personal data for the duration of the Agreement to provide the Service, which includes importing, storing, matching, and reporting on purchase and sales transaction data for VAT Margin Scheme compliance.

3. Nature and purpose of processing

  • Importing and storing purchase and sales records
  • Storing and processing uploaded documents and extracting text for data entry
  • Generating stock-item records, matching purchases to sales, and calculating VAT
  • Producing VAT summaries, stock-book reports, and data exports
  • Storing audit logs of data processing activities

4. Categories of data subjects

  • The Controller's customers and suppliers (whose names, business names, or identifiers may appear in transaction data)
  • The Controller's employees or team members who use the Service

5. Categories of personal data

  • Supplier and customer names, business names, addresses, invoice references
  • Device identifiers (IMEI numbers, serial numbers) that may relate to identifiable individuals
  • Financial data (purchase prices, sale prices, VAT amounts)
  • Any personal data contained within uploaded invoice documents

We do not intentionally process special category data. The Controller should not upload documents containing special category data.

6. Processor obligations

We shall:

  • Process personal data only on your documented instructions, unless required by law
  • Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 8 below)
  • Not engage a subprocessor without your prior authorisation (see Section 9 below)
  • Assist you, taking into account the nature of processing, in responding to data subject requests
  • Assist you in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation
  • At your choice, delete or return all personal data at the end of the Agreement, except where retention is required by law
  • Make available to you all information necessary to demonstrate compliance, and allow for and contribute to audits and inspections

7. Confidentiality

We shall ensure that all personnel who have access to personal data processed under this DPA are subject to confidentiality obligations. Access to personal data is restricted to personnel who require it to provide the Service.

8. Security measures

We implement appropriate technical and organisational measures designed to protect the security, confidentiality, and integrity of personal data, including:

  • Encrypted connections for all data in transit
  • Encryption of sensitive credentials and tokens at rest
  • Secure password storage using industry-standard hashing
  • Session management with appropriate security controls
  • Role-based access controls to limit access to authorised personnel
  • Logical separation of each customer's data from other accounts
  • Audit logging of key data processing activities
  • Safeguards against automated attacks and abuse

We regularly review these measures and update them as appropriate. Further information is available on our Security page.

9. Subprocessors

By entering into this DPA, you provide general authorisation for us to engage subprocessors to assist with providing the Service. Our subprocessors support functions including payment processing, email delivery, accounting data synchronisation, document processing, application hosting, and data storage.

Each subprocessor is engaged under terms no less protective than those in this DPA. We will inform you of any intended changes to our subprocessors, giving you the opportunity to object. A current list of subprocessors is available on request by contacting [email protected].

10. Data subject requests

If we receive a request from a data subject relating to personal data we process on your behalf, we will promptly notify you and will not respond to the request directly unless you instruct us to do so or we are legally required to respond. We will provide reasonable assistance to help you respond.

11. Data breach notification

We will notify you without undue delay upon becoming aware of a personal data breach affecting data processed under this DPA. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records concerned
  • The likely consequences of the breach
  • Measures taken or proposed to address and mitigate the breach

12. Deletion and return of data

On termination of the Agreement, we will, at your choice and within 30 days of your request:

  • Return your personal data in a structured, commonly used, machine-readable format; or
  • Delete your personal data and confirm deletion in writing

We may retain personal data where required by law (e.g. billing records under UK tax regulations), but will isolate and protect such data and limit processing to the legally required purpose.

13. International transfers

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), or reliance on adequacy decisions as applicable.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.

15. Governing law

This DPA is governed by the laws of England and Wales, and any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Contact

For questions about this DPA, contact us at [email protected].
