Data Processing Agreement

Effective Date: July 2025
Last Updated: July 2025
Version: 1.1

Agreement Overview

Purpose of This Agreement

This Data Processing Agreement ("DPA") forms part of the Service Agreement between you (the "Controller") and Workfree Limited trading as PAIDD (the "Processor") and governs the limited processing of personal data in connection with our e-invoicing platform services.

This DPA ensures compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

When This DPA Applies

This DPA applies when:

  • Customer uses PAIDD's platform for invoice processing that involves personal data
  • Contact information of suppliers, vendors, or individuals is processed through our platform
  • PAIDD acts as processor on Customer's behalf for personal data
  • Processing occurs within PAIDD's systems during service delivery

Scope of Personal Data Processing

Types of Personal Data Actually Processed

Personal data processed through our platform is minimal and typically limited to:

Business Contact Information

  • Supplier Contacts: Names and email addresses of supplier representatives
  • Customer Users: Names and email addresses of platform users within Customer's organization
  • Invoice Contacts: Contact details when included in invoice data by Customer
  • Communication Records: Email communications sent through platform notifications

Platform Usage Information

  • Authentication Data: Login credentials and session information
  • Access Logs: Platform usage timestamps and feature access (for security and troubleshooting)
  • Support Communications: Records of customer support interactions when personal data is involved

What We Don't Process

  • Extensive personal data databases or profiles
  • Sensitive personal data (health, financial details, etc.)
  • Personal data analytics beyond basic platform usage
  • Cross-platform tracking or behavioral profiling
  • Personal financial information (handled by Customer's existing systems)

Categories of Data Subjects

Data subjects typically include:

  • Supplier representatives: Employees and contacts of Customer's suppliers
  • Customer employees: Users of the PAIDD platform within Customer's organization
  • Individual suppliers: Sole traders and individual contractors (when applicable)
  • Invoice contacts: Individuals designated for invoice-related communications

Processing Details

Nature and Purpose of Processing

PAIDD processes personal data to:

  • Platform Authentication: Secure user access and session management
  • Service Delivery: Invoice processing and supplier communications on Customer's behalf
  • System Integration: Connect with Customer's existing accounting and ERP systems
  • Customer Support: Troubleshooting and technical assistance
  • Security: Platform security monitoring and fraud prevention
  • Compliance: Legal obligations for business operations

Technical Implementation

Processing Activity | Personal Data Involved | Technical Implementation
User Authentication | Email addresses, session tokens | Secure session management (paidd_session cookie)
Invoice Processing | Contact names/emails in invoice data | Integration with Customer's systems, minimal storage
Supplier Communications | Supplier contact information | Email notifications sent via platform
Platform Support | User contact details, communication records | Support ticket system and email communications

Retention Periods

Personal data is processed for the following periods:

  • Active service period: Duration of Customer's subscription
  • Post-termination: 30 days for data export and transition assistance
  • Session data: Deleted when session ends or within 30 days
  • Support records: 2 years for customer service continuity
  • Legal requirements: As required by applicable laws (minimal impact given data types)

Controller and Processor Obligations

Customer Obligations (as Controller)

Customer warrants and undertakes:

Legal Basis and Authority

  • Has lawful basis for processing all personal data provided to PAIDD
  • Has authority to provide personal data to PAIDD for processing
  • Will obtain necessary consents from data subjects where required
  • Will maintain records of processing activities as required

Data Subject Notifications

  • Will provide appropriate privacy notices to suppliers and contacts
  • Will inform data subjects about PAIDD's involvement in processing
  • Will handle data subject requests regarding their rights
  • Will maintain documentation of consent and legal bases

Data Quality

  • Ensures personal data provided is accurate and up-to-date
  • Will correct inaccuracies promptly when discovered
  • Will notify PAIDD of any data accuracy issues
  • Has systems to verify and maintain data quality

PAIDD Obligations (as Processor)

PAIDD warrants and undertakes:

Processing Instructions

  • Processes personal data only according to Customer's documented instructions
  • Does not process personal data for own purposes except as legally required
  • Immediately informs Customer if instructions appear to violate applicable law
  • Maintains records of all processing activities carried out on Customer's behalf

Personnel and Confidentiality

  • Ensures processing staff are bound by confidentiality obligations
  • Provides adequate data protection training to personnel
  • Limits access to personal data to authorized personnel only
  • Implements disciplinary measures for data protection violations

Technical Security Measures

  • Implements appropriate technical and organizational measures for data security
  • Maintains encryption for data in transit via TLS 1.3
  • Provides secure access controls and authentication mechanisms
  • Conducts regular security monitoring and incident response
  • Ensures secure integration with Customer's systems

Security Measures

Technical Safeguards Actually Implemented

  • Data in Transit: TLS 1.3 encryption for all connections and data transfers
  • Access Controls: Role-based access with multi-factor authentication
  • Session Security: Secure session management with automatic logout
  • Network Security: Firewalls, intrusion detection, and monitoring
  • API Security: Secure integration protocols with Customer systems
  • Audit Logging: Comprehensive logs of data access and processing activities

Organizational Safeguards

  • Staff Training: Regular data protection training for all personnel
  • Access Management: Need-to-know basis access to personal data
  • Incident Response: Documented procedures for security incident handling
  • Vendor Management: Due diligence for sub-processors and service providers
  • Compliance Monitoring: Regular reviews of data protection practices

Integration Security

Given our integration-based approach:

  • Secure API connections to Customer's accounting and ERP systems
  • Data minimization through real-time processing rather than storage
  • Customer retains control over their data in their own systems
  • Limited data exposure through minimal retention periods

Sub-Processing

Current Sub-Processors

Sub-processor | Service | Location | Data Processed
Google Workspace | Email and collaboration | UK/EU | Business communications
SendGrid | Email delivery services | US (with SCCs) | Platform notification emails
Cloud hosting providers | Infrastructure hosting | UK/EU | Platform operations data
Stripe | Payment processing | US/EU (with SCCs) | Billing contact information

Sub-Processor Management

PAIDD ensures all sub-processors:

  • Provide equivalent data protection as required under this DPA
  • Are bound by appropriate data processing agreements
  • Undergo security and compliance assessments
  • Implement adequate safeguards for international transfers

Data Subject Rights

Assistance with Data Subject Requests

When PAIDD receives a data subject request, we will:

  • Immediate notification: Notify Customer within 48 hours
  • Information provision: Provide details of personal data processed
  • Technical assistance: Support Customer in responding to requests
  • Data retrieval: Extract relevant data in usable format where possible

Customer Responsibilities

As Controller, Customer must:

  • Verify the identity of data subjects making requests
  • Determine appropriate response under applicable law
  • Respond to data subjects within required timeframes (typically 30 days)
  • Provide clear instructions to PAIDD for any required actions

Data Breach Response

Incident Response Process

For personal data breaches, PAIDD will:

Immediate Response

  • Contain and assess the breach immediately upon discovery
  • Notify Customer without undue delay (target: within 4 hours)
  • Provide initial assessment of breach scope and impact
  • Implement immediate remediation measures

Detailed Reporting

Written breach notification will include:

  • Nature of the breach and categories of personal data affected
  • Number of data subjects and data records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for further information

Customer Obligations

Customer remains responsible for:

  • Assessing whether to notify supervisory authorities
  • Determining whether to notify affected data subjects
  • Meeting legal notification timeframes (72 hours to authority, without undue delay to data subjects)
  • Coordinating with supervisory authorities as required

Data Return and Deletion

Data Export Process

Upon service termination, PAIDD will:

  • Data export: Provide personal data in structured format (CSV, JSON)
  • Assistance period: 30 days for data migration and transition
  • Technical support: Reasonable assistance with data transfer
  • Verification: Confirm successful data transfer before deletion

Secure Deletion

After the assistance period:

  • Secure deletion of all personal data from active systems
  • Removal from backup systems according to standard retention cycles
  • Confirmation of deletion from all sub-processors
  • Deletion certification provided upon request

Exceptions to Deletion

Personal data may be retained only where:

  • Required by applicable law or regulation
  • Necessary for establishment, exercise, or defense of legal claims
  • Stored in backup systems with standard deletion schedules
  • Rendered completely anonymous for statistical purposes

International Transfers

Transfer Safeguards

When personal data is transferred outside the UK:

  • Adequacy decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: UK ICO-approved contractual safeguards
  • Additional measures: Supplementary safeguards where required
  • Impact assessments: Regular review of transfer risks

Current Transfer Arrangements

Limited international transfers occur to:

  • United States: Sub-processors with Standard Contractual Clauses
  • European Economic Area: Based on adequacy decisions
  • Other jurisdictions: Only with explicit safeguards and necessity

Compliance and Audit

Audit Rights

Customer may:

  • Request compliance documentation and reports
  • Conduct audits with reasonable advance notice (30 days)
  • Engage qualified third parties for audits
  • Review security certifications and assessment reports

Compliance Documentation

PAIDD maintains and provides:

  • Annual security and compliance reports
  • Sub-processor compliance documentation
  • Security certification progress (pursuing ISO 27001)
  • Incident reports and breach notifications

Governing Law and Jurisdiction

This DPA is governed by English law and UK GDPR requirements. Disputes will be resolved through good faith negotiations, followed by mediation, with English courts having exclusive jurisdiction.

Questions About Data Processing?

Our team is available to discuss any aspects of our data processing practices and compliance measures.

© 2025 Workfree Limited (trading as PAIDD)
This agreement was last updated: July 2025
Next review date: July 2026