Data Processing Agreement

1. Parties

This Data Processing Agreement forms part of the Terms and Conditions between:

2. Scope

This agreement applies where we process personal data on your behalf as a processor in connection with your use of ForwardifyMtd.

It does not apply to personal data for which we act as an independent controller, such as our own account management, billing, security, support, analytics or marketing data.

3. Processing details

4. Categories of personal data

Customer Data may include:

• names;
• business names;
• email addresses;
• telephone numbers;
• postal addresses;
• invoice and credit note details;
• payment records;
• VAT numbers and tax references;
• customer and supplier records;
• user account and permission records;
• audit logs and activity records.

5. Categories of data subjects

Customer Data may relate to:

• customer employees and authorised users;
• the customer’s clients;
• the customer’s suppliers;
• directors, shareholders or officers;
• sole traders and business contacts;
• accountants, bookkeepers or advisers authorised by the customer.

6. Customer obligations

You are responsible for:

• having a lawful basis for processing Customer Data;
• providing privacy notices to relevant individuals where required;
• ensuring Customer Data is accurate and lawful;
• ensuring users have appropriate authority and permissions;
• using the application in accordance with applicable law;
• responding to data subject requests where you are controller;
• ensuring HMRC submissions are authorised and accurate.

7. Our processor obligations

Where we act as your processor, we will:

• process Customer Data only to provide and support the service, or as otherwise instructed by you;
• ensure persons authorised to process Customer Data are subject to confidentiality obligations;
• take appropriate technical and organisational security measures;
• assist you reasonably with data subject rights requests where applicable;
• assist you reasonably with security, breach and compliance obligations where applicable;
• make available relevant information reasonably necessary to demonstrate compliance;
• delete or return Customer Data at the end of the service where reasonably possible, subject to legal, backup and retention requirements.

8. Security measures

We will maintain appropriate security measures, which may include:

9. Subprocessors

You authorise us to use subprocessors where necessary to provide the application, including hosting, email delivery, payments, backups, analytics, support and security services.

We will maintain a subprocessor list and take reasonable steps to ensure subprocessors are subject to appropriate data protection obligations.

Where we make material changes to subprocessors, we may notify you by email, website notice or in-app notification.

10. International transfers

If Customer Data is transferred outside the UK, we will take reasonable steps to ensure appropriate safeguards are in place, such as adequacy arrangements or UK-approved contractual safeguards.

11. Personal data breaches

If we become aware of a personal data breach affecting Customer Data processed on your behalf, we will notify you without undue delay after becoming aware of it.

Our notification will include information reasonably available to us at the time, and we may provide further updates as our investigation progresses.

12. Audits and information

We will provide reasonable information to help you assess our compliance with this agreement.

Any audit must be reasonable, proportionate, subject to confidentiality, and must not compromise the security, confidentiality or availability of our systems or other customers’ data.

13. Deletion or return of data

At the end of the service, we will delete or return Customer Data where reasonably possible.

We may retain data where required for legal, tax, accounting, regulatory, security, dispute resolution or backup purposes.

14. Contact