Data Processing Agreement
Version 0.1-draft
Draft — under legal review, not yet effective.
This version of the DPA is published for review and consultation only.
It is not a legally binding contract until the version above is dated
(for example, “2026-06-01”) and the “-draft”
suffix is removed. If you need a binding processor commitment today,
email support@otofill.com and we will provide one.
This Data Processing Agreement (the “DPA”) is
entered into between
OTOFILL Ltd, a company registered in England and Wales
under company number 17168411, whose registered office is at 77 Alston
Drive, Bradwell Abbey, Milton Keynes, MK13 9HG (the
“Processor”), and
[Your Business]
(the “Controller”), and governs the
Processor’s processing of Personal Data on the Controller’s
behalf in connection with the Controller’s use of the OTOFILL
bookkeeping software-as-a-service (the “Service”).
This DPA forms part of, and is subject to, the Controller’s
subscription to the Service (the “Principal
Agreement”). In the event of a conflict between this DPA
and the Principal Agreement, this DPA prevails in respect of the
Processor’s processing of Personal Data on the Controller’s
behalf. Where this DPA is silent, the Principal Agreement governs.
1. Definitions
Words and phrases defined in the UK General Data Protection
Regulation (“UK GDPR”) and the Data
Protection Act 2018 have the same meaning when used in this DPA.
In particular:
- “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller under this DPA.
- “Data Subject” means the natural person to whom Personal Data relates — in the context of OTOFILL, typically the Controller’s employees, suppliers, customers, contacts, and other natural persons whose details the Controller enters into the Service.
- “Processing” has the meaning given in UK GDPR Article 4(2) and includes collection, recording, storage, structuring, retrieval, transmission, restriction, erasure, and destruction.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on the Processor’s behalf under this DPA.
- “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, and any other data-protection legislation applicable in the United Kingdom from time to time.
2. Subject matter, duration, nature, and purpose of the processing
- Subject matter: the Processor’s processing of Personal Data on behalf of the Controller as necessary to provide the Service.
- Duration: the term of the Principal Agreement, plus any retention period required by Data Protection Laws or HMRC record-keeping obligations as set out in section 9.
- Nature of the processing: the operations described in UK GDPR Article 4(2) — in particular, collection, recording, organisation, structuring, storage, retrieval, transmission to HMRC where the Controller has approved a filing, and erasure.
- Purpose: to provide the Controller with bookkeeping, invoicing, payroll, expense, and tax-filing functionality, and to enable the Controller to comply with its own statutory record-keeping and tax obligations.
3. Types of personal data and categories of data subjects
3.1 Categories of Data Subjects
- The Controller’s employees and any other workers (including directors, contractors, and pension members) processed via the payroll module.
- The Controller’s suppliers and supplier contacts.
- The Controller’s customers and customer contacts.
- Any other natural persons whose details the Controller chooses to enter into the Service (for example, named contacts on invoices, expense claimants, or recipients of bookkeeping correspondence).
3.2 Types of Personal Data
- Identification and contact details: name, business email, business telephone, postal address.
- Employment and payroll data (for the Controller’s employees): National Insurance number, date of birth, tax code, pay-period earnings, tax and NI deductions, pension contributions, statutory payments (SSP/SMP/SPP/SAP/SPBP), bank account details for net-pay disbursement, and any other items required for an HMRC Real Time Information (RTI) submission.
- Financial transaction data: invoice and purchase-invoice line items, expense claims, bank-statement lines and reconciliations, payment records.
- Tax-related identifiers: VAT numbers, UTRs, Companies House numbers, and HMRC Government Gateway sender IDs where the Controller has supplied them.
The Processor does not intentionally process any “special
category” data within the meaning of UK GDPR Article 9 or
criminal-offence data within the meaning of Article 10. The Controller
undertakes not to enter such data into the Service except where
strictly necessary (for example, statutory sick pay records that
incidentally reveal sickness) and acknowledges that the Service is
not designed to be the system of record for such categories.
4. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by UK or EU law. The Controller’s instructions are set out in this DPA, the Principal Agreement, and the actions the Controller takes within the Service.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all measures required pursuant to UK GDPR Article 32 (security of processing) as set out in section 5 of this DPA.
- Respect the conditions for engaging Sub-processors referred to in section 6 of this DPA.
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising Data Subjects’ rights (section 8).
- Assist the Controller in ensuring compliance with the obligations pursuant to UK GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, in accordance with section 9.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and UK GDPR Article 28, and allow for and contribute to audits, in accordance with section 7.
- Immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes UK GDPR, the Data Protection Act 2018, or any other applicable Data Protection Law. This obligation is set out in the final paragraph of UK GDPR Article 28(3).
4A. Controller obligations and rights
UK GDPR Article 28(3) requires the contract between a controller and a
processor to set out, among other things, the obligations and rights of
the Controller. The Controller:
- is the “data controller” for the Personal Data the Controller enters into the Service and accepts the responsibilities that role carries under UK GDPR — including identifying a lawful basis for the processing, giving Data Subjects the transparency information UK GDPR Articles 13 and 14 require, and being the first point of contact for Data Subject requests;
- warrants that it has the right to process and to instruct the Processor to process the Personal Data it uploads, that the Personal Data is accurate and lawfully obtained, and that it will not enter Personal Data into the Service in breach of any other contract or legal duty owed to the Data Subjects;
- is responsible for ensuring its own users access the Service with appropriately secured accounts (strong passwords, MFA where supported, prompt removal of departed members) and for the actions those users take inside the Service;
- retains the right to issue further written processing instructions to the Processor, in addition to those set out in this DPA and the Principal Agreement, and to terminate the Principal Agreement (subject to its own terms) if the Processor is unable or unwilling to comply with this DPA;
- retains the right to receive the assistance and information described in sections 4, 7, 8, and 11 of this DPA on reasonable written request.
5. Technical and Organisational Measures
The Processor implements appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, as
required by UK GDPR Article 32. These measures include:
- encryption of Personal Data in transit and at rest using industry-standard techniques;
- access controls (including authentication) restricting access to Personal Data to authorised personnel on a need-to-know basis;
- per-organisation data isolation in the Service;
- audit trails of access to Personal Data and of security-relevant administrative actions;
- periodic encrypted backups, with a retention period determined by the Processor’s disaster-recovery objectives;
- written confidentiality obligations on Processor personnel and role-appropriate data-protection training.
Further detail about the Processor’s technical and organisational
measures is available on request to support@otofill.com,
and may be set out in a separate security overview that the Processor
publishes from time to time.
6. Sub-processors
The Controller authorises the Processor to engage Sub-processors,
provided that the Processor:
- imposes by written contract obligations on the Sub-processor that are no less protective than those imposed on the Processor under this DPA;
- remains liable to the Controller for the performance of the Sub-processor’s data-protection obligations;
- maintains a current list of categories of Sub-processors (set out below); and
- notifies the Controller of any intended change concerning the addition or replacement of a Sub-processor in a category, giving the Controller a reasonable opportunity to object on data-protection grounds before that change takes effect.
6.1 Current categories of Sub-processors
The Processor uses Sub-processors in the following categories. The
named entities currently in use within each category are available on
request to support@otofill.com:
- Hosting: the application and primary database, pinned to the European Union.
- Backups: encrypted off-site backup storage, located in Western Europe.
- Payments: subscription billing and payment processing.
- Email delivery: operational email (password resets, system notifications), routed through the provider’s European Union region.
- HMRC (a recipient, not a Sub-processor): at the Controller’s instruction, the Processor transmits filing payloads to HMRC’s production endpoints. HMRC processes those payloads for its own statutory purposes rather than on the Processor’s behalf; the legal basis for the transmission is the Controller’s instruction given in the act of approving a filing.
The Processor will notify the Controller by reasonable means
(currently: email to the registered account-owner address, or a
prominent in-app notice) at least thirty (30) days
before adding a new category of Sub-processor, or before replacing
the principal named provider within an existing category.
7. Audit rights
The Processor will make available to the Controller all information
reasonably necessary to demonstrate compliance with this DPA and UK
GDPR Article 28. In practice, the Processor satisfies this obligation
by:
- making this DPA, the Privacy Policy, and the Sub-processor list available on request;
- responding to reasonable written questionnaires from the Controller (or the Controller’s appointed auditor) about the Processor’s technical and organisational measures, within thirty (30) days of receipt; and
- where the Controller requires an on-site audit, the parties will agree the scope, timing, and reasonable cost in advance. On-site audits are limited to once per calendar year unless required by a regulator or following a confirmed Personal Data Breach.
8. Assistance with Data Subject requests
Taking into account the nature of the processing, the Processor
assists the Controller in responding to Data Subject requests by:
- providing the Controller with self-service export of all Personal Data the Controller has entered into the Service, in a structured, commonly used, and machine-readable format, in support of UK GDPR Articles 15 (right of access) and 20 (right to data portability);
- providing the Controller with self-service account deletion in support of UK GDPR Article 17 (right to erasure), subject to the retention exceptions in section 9 of this DPA and the Privacy Policy;
- forwarding to the Controller, without undue delay, any Data Subject request the Processor receives directly that relates to Personal Data the Processor holds on the Controller’s behalf, so that the Controller can respond as the data controller; and
- assisting with rectification (Article 16), restriction (Article 18), and objection (Article 21) requests where the Service’s self-service editing functions do not suffice, on reasonable written request to support@otofill.com.
9. Return or deletion of Personal Data
On termination of the Principal Agreement, the Processor will, at
the Controller’s choice, either return or delete the Personal
Data, except to the extent that the Processor is required to retain
Personal Data under UK or EU law — in particular, the HMRC
record-keeping obligations that apply to bookkeeping and payroll
records for the periods set out in the Privacy Policy.
Where Personal Data is retained under such an obligation, the
Processor will continue to apply the Technical and Organisational
Measures in section 5 for the duration of the retention period, and
will not process the retained Personal Data for any purpose other
than complying with the retention obligation itself.
10. International transfers
The Processor stores Personal Data primarily in the United Kingdom or
the European Economic Area (see the hosting and backup categories in
section 6.1). Where a Sub-processor transfers Personal Data outside the
UK or EEA (for example, where a payment provider’s backend
infrastructure sits in the United States), such transfers are made under
the UK International Data Transfer Addendum to the EU Standard
Contractual Clauses (the “UK Addendum”), issued by the Information
Commissioner’s Office under section 119A of the Data Protection Act 2018
and in force since 21 March 2022 as a lawful mechanism for restricted
transfers under UK GDPR Article 46. The UK Addendum contractually binds
the recipient to broadly the same level of protection that Personal Data
would receive under UK GDPR.
11. Personal data breaches
The Processor will notify the Controller of any confirmed Personal
Data Breach affecting the Controller’s Personal Data
without undue delay, and in any event no later than
seventy-two (72) hours after becoming aware of it. The
notification will, to the extent the information is available at
the time:
- describe the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
- describe the likely consequences of the breach;
- describe the measures taken or proposed to address the breach and to mitigate its possible adverse effects; and
- identify a point of contact within the Processor from whom further information can be obtained.
Where it is not possible to provide all the information at the same
time, the information may be provided in phases without further undue
delay.
12. Liability
Each party’s total aggregate liability arising out of or in
connection with this DPA is limited to the total subscription fees
paid by the Controller to the Processor in the twelve (12) months
immediately preceding the event giving rise to the claim.
Nothing in this DPA limits or excludes either party’s
liability:
- for death or personal injury caused by negligence;
- for fraud or fraudulent misrepresentation; or
- for any other liability that cannot lawfully be limited or excluded under English law.
Where a separate written agreement (such as a Master Services
Agreement or Terms of Service) sets a different overall
limitation-of-liability shape between the parties, that agreement
governs the parties’ non-DPA liabilities; this section 12
continues to govern liabilities arising specifically under this DPA.
13. General
- Governing law: this DPA is governed by the laws of England and Wales.
- Jurisdiction: the courts of England and Wales have exclusive jurisdiction in respect of any dispute arising out of or in connection with this DPA.
- Versioning: the Processor maintains a dated version of this DPA at /legal/dpa/. Where the Controller has accepted a specific version of this DPA, that version continues to govern until the Controller accepts a later version.
- Notification of material changes: the Processor will notify the Controller by reasonable means (email to the account-owner address, or a prominent in-app notice) of any material change to this DPA, and will give the Controller a reasonable opportunity to review the updated version before continued use of the Service is taken to constitute acceptance.
Contact for data-protection matters: support@otofill.com.
OTOFILL Ltd, 77 Alston Drive, Bradwell Abbey, Milton Keynes, MK13 9HG.