PAIDD

Data Processing Agreement

Effective Date July 2025
Last Updated July 2025
Version 1.1

1. Agreement Overview

Purpose of This Agreement

This Data Processing Agreement ("DPA") forms part of the Service Agreement between you (the "Customer", acting as "Controller") and Workfree Limited trading as PAIDD (the "Processor") and governs the limited processing of personal data in connection with our e-invoicing platform services.

This DPA ensures compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

When This DPA Applies

This DPA applies when:

  • Customer uses PAIDD's platform for invoice processing that involves personal data
  • Contact information of suppliers, vendors, or individuals is processed through our platform
  • PAIDD acts as processor on Customer's behalf for personal data
  • Processing occurs within PAIDD's systems during service delivery

2. Scope of Personal Data Processing

Types of Personal Data Actually Processed

Personal data processed through our platform is minimal and typically limited to:

Business Contact Information

  • Supplier Contacts: Names and email addresses of supplier representatives
  • Customer Users: Names and email addresses of platform users within Customer's organization
  • Invoice Contacts: Contact details when included in invoice data by Customer
  • Communication Records: Email communications sent through platform notifications

Platform Usage Information

  • Authentication Data: Login credentials and session information
  • Access Logs: Platform usage timestamps and feature access (for security and troubleshooting)
  • Support Communications: Records of customer support interactions when personal data is involved

What We Don't Process

  • Extensive personal data databases or profiles
  • Sensitive personal data (health, financial details, etc.)
  • Personal data analytics beyond basic platform usage
  • Cross-platform tracking or behavioral profiling
  • Personal financial information (handled by Customer's existing systems)

Categories of Data Subjects

Data subjects typically include:

  • Supplier representatives: Employees and contacts of Customer's suppliers
  • Customer employees: Users of the PAIDD platform within Customer's organization
  • Individual suppliers: Sole traders and individual contractors (when applicable)
  • Invoice contacts: Individuals designated for invoice-related communications

3. Processing Details

Nature and Purpose of Processing

PAIDD processes personal data to:

  • Platform Authentication: Secure user access and session management
  • Service Delivery: Invoice processing and supplier communications on Customer's behalf
  • System Integration: Connect with Customer's existing accounting and ERP systems
  • Customer Support: Troubleshooting and technical assistance
  • Security: Platform security monitoring and fraud prevention
  • Compliance: Legal obligations for business operations

Retention Periods

Personal data is processed for the following periods:

  • Active service period: Duration of Customer's subscription
  • Post-termination: 30 days for data export and transition assistance
  • Session data: Deleted when session ends or within 30 days
  • Support records: 2 years for customer service continuity
  • Legal requirements: As required by applicable laws (minimal impact given data types)

4. Controller and Processor Obligations

Customer Obligations (as Controller)

Customer warrants and undertakes:

Legal Basis and Authority

  • Has lawful basis for processing all personal data provided to PAIDD
  • Has authority to provide personal data to PAIDD for processing
  • Will obtain necessary consents from data subjects where required
  • Will maintain records of processing activities as required

Data Subject Notifications

  • Will provide appropriate privacy notices to suppliers and contacts
  • Will inform data subjects about PAIDD's involvement in processing
  • Will handle data subject requests regarding their rights
  • Will maintain documentation of consent and legal bases

PAIDD Obligations (as Processor)

Processing Instructions

  • Processes personal data only according to Customer's documented instructions
  • Does not process personal data for own purposes except as legally required
  • Immediately informs Customer if instructions appear to violate applicable law
  • Maintains records of all processing activities carried out on Customer's behalf

Technical Security Measures

  • Implements appropriate technical and organizational measures for data security
  • Maintains encryption for data in transit via TLS 1.3
  • Provides secure access controls and authentication mechanisms
  • Conducts regular security monitoring and incident response
  • Ensures secure integration with Customer's systems

5. Security Measures

Technical Safeguards

  • Data in Transit: TLS 1.3 encryption for all connections and data transfers
  • Access Controls: Role-based access with multi-factor authentication
  • Session Security: Secure session management with automatic logout
  • Network Security: Firewalls, intrusion detection, and monitoring
  • API Security: Secure integration protocols with Customer systems
  • Audit Logging: Comprehensive logs of data access and processing activities

6. Sub-Processing

Current Sub-Processors

Sub-processor           | Service                  | Location           | Data Processed
Google Workspace        | Email and collaboration  | UK/EU              | Business communications
SendGrid                | Email delivery services  | US (with SCCs)     | Platform notification emails
Cloud hosting providers | Infrastructure hosting   | UK/EU              | Platform operations data
Stripe                  | Payment processing       | US/EU (with SCCs)  | Billing contact information

7. Data Subject Rights

Assistance with Data Subject Requests

When PAIDD receives a data subject request, we will:

  • Prompt notification: Notify Customer within 48 hours of receipt
  • Information provision: Provide details of personal data processed
  • Technical assistance: Support Customer in responding to requests
  • Data retrieval: Extract relevant data in usable format where possible

8. Data Breach Response

Incident Response Process

For personal data breaches, PAIDD will:

  • Contain and assess the breach immediately upon discovery
  • Notify Customer without undue delay (target: within 4 hours)
  • Provide initial assessment of breach scope and impact
  • Implement immediate remediation measures

9. Data Return and Deletion

Data Export Process

Upon service termination, PAIDD will:

  • Data export: Provide personal data in structured format (CSV, JSON)
  • Assistance period: 30 days for data migration and transition
  • Technical support: Reasonable assistance with data transfer
  • Verification: Confirm successful data transfer before deletion

10. International Transfers

Transfer Safeguards

When personal data is transferred outside the UK:

  • Adequacy decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: ICO-approved contractual safeguards, namely the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • Additional measures: Supplementary safeguards where required
  • Impact assessments: Regular review of transfer risks

11. Compliance and Audit

Audit Rights

Customer may:

  • Request compliance documentation and reports
  • Conduct audits with reasonable advance notice (30 days)
  • Engage qualified third parties for audits
  • Review security certifications and assessment reports

12. Contact Us

For questions about this Data Processing Agreement, contact us at:

Email: support@paidd.io

© 2025 PAIDD • Early Supplier payments for hospitality groups