← Back to Home

Data Processing Agreement

Data Processing Agreement (DPA)
===============================

Type: Data Processing Agreement (DPA)
Version: 1.0
Last Updated: 04 October 2025
Organisation: InvoiceTide

--------------------------------------------------------------------------------

DATA PROCESSING AGREEMENT (DPA)

Effective Date: 2025-10-04

This Data Processing Agreement ("DPA") forms part of the agreement between:

DATA CONTROLLER (the "Customer"):
[Customer Name]
[Customer Address]

and

DATA PROCESSOR (the "Processor"):
InvoiceTide
71 Shelton St,
London,
WC2H 9JQ
info@invoicetide.com

WHEREAS:

A. The Customer acts as a Data Controller in respect of certain Personal Data.

B. The Customer wishes to engage the Processor to provide services which involve the Processing of Personal Data on behalf of the Customer.

C. The Parties wish to ensure that such Processing is conducted in accordance with applicable Data Protection Laws, including the UK GDPR and EU GDPR.

NOW IT IS AGREED as follows:

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

"Data Protection Laws" means all applicable laws relating to the Processing of Personal Data including:
- The UK General Data Protection Regulation (UK GDPR)
- The EU General Data Protection Regulation (EU GDPR) 2016/679
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations 2003
- Any successor or replacement legislation

"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by the Processor on behalf of the Customer under this DPA.

"Processing" has the meaning given in Data Protection Laws and "Process", "Processes" and "Processed" shall be construed accordingly.

"Sub-processor" means any third party appointed by the Processor to Process Personal Data on behalf of the Customer.

"Data Subject" means the individual to whom Personal Data relates.

"Supervisory Authority" means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.

1.2 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the meanings set out in Data Protection Laws.

2. SCOPE AND DETAILS OF PROCESSING

2.1 Subject Matter
The Processor shall Process Personal Data on behalf of the Customer for the purpose of providing the services described in the main service agreement.

2.2 Duration
This DPA shall remain in force for the duration of the main service agreement and for as long as the Processor Processes Personal Data on behalf of the Customer.

2.3 Nature and Purpose of Processing
The Processor will Process Personal Data for the following purposes:
- Providing the contracted services
- Customer support and communication
- Service improvement and analytics
- Compliance with legal obligations

2.4 Types of Personal Data
The Personal Data that may be Processed includes:
- Contact information (names, email addresses, phone numbers)
- Account credentials
- Usage data and analytics
- Communication records
- Billing and payment information

2.5 Categories of Data Subjects
The Data Subjects whose Personal Data may be Processed include:
- Employees and contractors of the Customer
- Customers and clients of the Customer
- Website visitors
- Service users

3. PROCESSOR'S OBLIGATIONS

3.1 Compliance with Instructions
The Processor shall:
a) Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law
b) Immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws
c) Not Process Personal Data for any purpose other than as instructed by the Customer

3.2 Confidentiality
The Processor shall ensure that persons authorised to Process Personal Data:
a) Are subject to a duty of confidentiality
b) Have received appropriate training on Data Protection Laws
c) Process Personal Data only as necessary to perform their duties

3.3 Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

a) Pseudonymisation and encryption of Personal Data
b) Ability to ensure ongoing confidentiality, integrity, availability and resilience of Processing systems
c) Ability to restore availability and access to Personal Data in a timely manner in the event of an incident
d) Regular testing, assessment and evaluation of the effectiveness of security measures

Specific security measures include:
- Secure data encryption (AES-256 or equivalent)
- Multi-factor authentication
- Regular security audits and penetration testing
- Intrusion detection and prevention systems
- Secure data centres with physical access controls
- Regular backups and disaster recovery procedures
- Employee background checks and security training
- Incident response procedures

3.4 Sub-processing
a) The Customer provides general authorisation for the Processor to engage Sub-processors
b) The Processor shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, giving the Customer the opportunity to object to such changes
c) Where the Processor engages a Sub-processor, the Processor shall impose the same data protection obligations on the Sub-processor as set out in this DPA
d) The Processor shall remain fully liable to the Customer for the performance of the Sub-processor's obligations

Current Sub-processors:
[List of Sub-processors to be provided separately]

3.5 Data Subject Rights
The Processor shall, taking into account the nature of the Processing, assist the Customer by implementing appropriate technical and organisational measures to fulfil the Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of Processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling

3.6 Assistance to Customer
The Processor shall assist the Customer in ensuring compliance with:
a) The Customer's obligations regarding security of Processing
b) Data protection impact assessments
c) Prior consultation with Supervisory Authorities
d) Any other obligations under Data Protection Laws

4. PERSONAL DATA BREACHES

4.1 Notification
The Processor shall notify the Customer without undue delay (and in any event within 24 hours) after becoming aware of a Personal Data Breach.

4.2 Information to be Provided
The notification shall include, at a minimum:
a) Description of the nature of the Personal Data Breach
b) Categories and approximate number of Data Subjects affected
c) Categories and approximate number of Personal Data records affected
d) Likely consequences of the Personal Data Breach
e) Measures taken or proposed to address the breach and mitigate its effects

4.3 Cooperation
The Processor shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of the Personal Data Breach.

5. DATA TRANSFERS

5.1 Location of Processing
Personal Data will be Processed in the following locations:
[Specify locations]

5.2 International Transfers
If Personal Data is transferred outside the UK or EEA, the Processor shall ensure that:
a) The transfer is to a country with an adequacy decision, or
b) Appropriate safeguards are in place (such as Standard Contractual Clauses), or
c) A derogation applies under Data Protection Laws

5.3 Standard Contractual Clauses
Where applicable, the Parties agree to enter into the Standard Contractual Clauses approved by the European Commission or UK ICO.

6. AUDITS AND INSPECTIONS

6.1 Right to Audit
The Customer may, upon reasonable notice and during business hours, audit the Processor's compliance with this DPA, provided that:
a) Such audits shall not be conducted more than once per year unless required by a Supervisory Authority
b) The Customer shall give at least 30 days' written notice
c) The Customer shall execute a confidentiality agreement
d) The audit shall not unreasonably interfere with the Processor's business operations

6.2 Audit Reports
The Processor shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including:
- Security certifications (ISO 27001, SOC 2, etc.)
- Audit reports
- Compliance documentation

7. DELETION OR RETURN OF DATA

7.1 Upon Termination
Upon termination of the services or at the Customer's request, the Processor shall, at the Customer's choice:
a) Delete all Personal Data, or
b) Return all Personal Data to the Customer in a commonly used format

7.2 Retention Period
The Customer shall have 30 days after termination to request return of Personal Data.

7.3 Exceptions
The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor shall ensure the confidentiality of such Personal Data and shall only Process it as necessary for the purpose(s) specified in the applicable law.

7.4 Certification of Deletion
Upon request, the Processor shall provide written certification that Personal Data has been deleted in accordance with this clause.

8. LIABILITY AND INDEMNITY

8.1 Liability
Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the main service agreement.

8.2 Indemnity
The Processor shall indemnify and hold harmless the Customer against all claims, costs, damages, losses, liabilities and expenses arising out of or in connection with any breach by the Processor of this DPA.

9. TERM AND TERMINATION

9.1 Term
This DPA shall commence on the Effective Date and shall continue for as long as the Processor Processes Personal Data on behalf of the Customer.

9.2 Termination
This DPA may be terminated:
a) By either Party if the other Party commits a material breach and fails to remedy it within 30 days of written notice
b) Automatically upon termination of the main service agreement
c) By the Customer if the Processor fails to comply with Data Protection Laws

9.3 Survival
Clauses relating to confidentiality, data deletion, liability and indemnity shall survive termination of this DPA.

10. GENERAL PROVISIONS

10.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales.

10.2 Jurisdiction
The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

10.3 Amendments
No amendment to this DPA shall be effective unless it is in writing and signed by both Parties.

10.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

10.5 Entire Agreement
This DPA, together with the main service agreement, constitutes the entire agreement between the Parties relating to the Processing of Personal Data.

10.6 Conflict
In the event of any conflict between this DPA and the main service agreement, this DPA shall prevail to the extent of the conflict.

10.7 Third Party Rights
No person who is not a party to this DPA shall have any right to enforce any of its terms.

11. CONTACT INFORMATION

11.1 Customer Contact
For all matters relating to this DPA, the Customer should contact:
[Customer Contact Name]
[Customer Contact Email]
[Customer Contact Address]

11.2 Processor Contact
For all matters relating to this DPA, please contact the Processor:

InvoiceTide
Email: info@invoicetide.com
Address: 71 Shelton St,
London,
WC2H 9JQ

Data Protection Officer:
Name: InvoiceTide
Email: info@invoicetide.com

SCHEDULE 1: TECHNICAL AND ORGANISATIONAL MEASURES

The Processor has implemented the following technical and organisational measures:

1. PHYSICAL SECURITY
- Secure data centres with 24/7 monitoring
- Biometric access controls
- CCTV surveillance
- Visitor logs and escort requirements

2. SYSTEM SECURITY
- Firewall protection
- Intrusion detection systems
- Anti-malware software
- Regular security patches and updates
- Network segmentation

3. ACCESS CONTROLS
- Role-based access control (RBAC)
- Multi-factor authentication
- Password policies (complexity, rotation)
- Access logging and monitoring
- Principle of least privilege

4. DATA SECURITY
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Secure key management
- Data pseudonymisation where applicable
- Secure data disposal procedures

5. OPERATIONAL SECURITY
- Security awareness training for staff
- Background checks for employees
- Confidentiality agreements
- Incident response procedures
- Business continuity and disaster recovery plans

6. MONITORING AND TESTING
- Regular security audits
- Penetration testing
- Vulnerability assessments
- Security certifications (ISO 27001, SOC 2)
- Continuous monitoring and logging

SCHEDULE 2: LIST OF SUB-PROCESSORS

The Processor currently uses the following Sub-processors:

1. [Sub-processor Name]
   Purpose: [Purpose of Processing]
   Location: [Country/Region]

2. [Sub-processor Name]
   Purpose: [Purpose of Processing]
   Location: [Country/Region]

The Processor maintains an up-to-date list of Sub-processors at:
[Website]/subprocessors

SIGNATURES

By entering into the main service agreement, both Parties agree to be bound by the terms of this Data Processing Agreement.

FOR THE CUSTOMER:

Signed: _______________________
Name: _______________________
Title: _______________________
Date: _______________________

FOR THE PROCESSOR:

Signed: _______________________
Name: [Name]
Title: _______________________
Date: 2025-10-04
Company: InvoiceTide

--------------------------------------------------------------------------------
InvoiceTide - https://invoicetide.com