Data Processing Agreement
Last updated: 26 May 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between RegisterTrack and the Customer. This DPA sets out the parties’ respective obligations regarding the processing of Personal Data in connection with the Service.
1. Definitions
Capitalised terms not defined here have the meaning given in the UK GDPR or the Data Protection Act 2018.
- “Applicable Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, and applicable UK privacy legislation.
- “Controller” has the meaning given in Article 4(7) UK GDPR.
- “Customer” means the accountancy firm party to this DPA.
- “Customer Personal Data” means Personal Data processed by the Processor on behalf of the Customer.
- “Personal Data” has the meaning given in Article 4(1) UK GDPR.
- “Processor” means RegisterTrack.
- “Sub-processor” means third parties engaged to process Customer Personal Data.
- “UK GDPR” means the United Kingdom General Data Protection Regulation.
2. Nature of the Service
2.1 The Service is workflow tracking software.
2.2 The Service does not verify identity, validate documents, determine legal compliance, or provide regulated compliance services.
2.3 The Customer remains solely responsible for:
(a) determining whether identity verification has been properly completed;
(b) determining the accuracy of information entered into the Service;
(c) compliance with applicable laws and regulations;
(d) professional obligations owed to clients and regulators.
2.4 The Service is not a substitute for professional judgement or independent verification of facts.
2.5 The Service is an administrative aid only.
3. Roles and instructions
3.1 The Customer is the Controller and RegisterTrack is the Processor.
3.2 The Customer is responsible for ensuring it has a lawful basis for all Processing instructions.
3.3 The Processor processes Customer Personal Data only on documented instructions from the Customer.
4. Details of Processing
4.1 Details of the Processing are set out in Schedule 1.
5. Processor obligations
The Processor will:
5.1 process Customer Personal Data only on documented instructions;
5.2 maintain confidentiality obligations;
5.3 implement appropriate technical and organisational measures;
5.4 engage Sub-processors in accordance with Clause 9;
5.5 provide reasonable assistance appropriate to the nature of the Service regarding Data Subject rights and compliance obligations;
5.6 delete or return Customer Personal Data in accordance with Clause 13.
6. Customer responsibilities
6.1 The Customer warrants that it has all necessary lawful bases and rights to upload and process Customer Personal Data.
6.2 The Customer must not upload:
(a) unnecessary or excessive Personal Data;
(b) unlawful special category or criminal offence data;
(c) unredacted identity documents unless strictly necessary and lawful.
6.3 The Processor does not review uploaded content for legal adequacy or compliance.
7. Security
7.1 The Processor implements and maintains reasonable technical and organisational security measures.
7.2 The Processor may update security measures provided the overall level of protection is not materially reduced.
7.3 No system can guarantee absolute security.
8. Personal Data Breaches
8.1 The Processor will notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
8.2 Information may be provided in phases as reasonably available.
9. Sub-processors
9.1 The Customer authorises the use of Sub-processors.
9.2 Current Sub-processors are listed in Schedule 3.
9.3 The Processor may update Sub-processors on notice to the Customer.
9.4 The Customer’s exclusive remedy for objection to a Sub-processor is termination of the affected Service.
10. International transfers
10.1 International transfers will use recognised transfer mechanisms including adequacy decisions, UK IDTA, or UK Addendum mechanisms where required.
11. Compliance information
11.1 The Processor will make available information reasonably necessary to demonstrate compliance with this DPA.
12. Audit
12.1 Audit obligations may be satisfied through provision of security documentation, audit reports, certifications, or questionnaires.
12.2 On-site audits are permitted only where legally required and subject to reasonable notice, confidentiality obligations, scope limitations, and reimbursement of reasonable internal and third-party costs.
13. Return or deletion of Customer Personal Data
13.1 On termination of the Service, Customer Personal Data will be deleted or returned within 90 days unless retention is legally required.
13.2 Encrypted backups may persist temporarily in ordinary backup rotation cycles.
14. Confidentiality
14.1 Persons authorised to process Customer Personal Data are subject to confidentiality obligations.
15. Service limitations
15.1 The Service depends on third-party systems and public-sector data sources including Companies House APIs.
15.2 The Processor does not guarantee uninterrupted availability, completeness, accuracy, or real-time delivery of third-party data.
15.3 The Customer should not rely on the Service as the sole means of meeting any regulatory obligation or deadline.
16. Liability
16.1 To the maximum extent permitted by law, the Processor excludes liability for:
(a) indirect or consequential losses;
(b) regulatory fines;
(c) client claims;
(d) inaccurate Customer-entered or third-party data;
(e) failure to complete identity verification obligations.
16.2 Aggregate liability under the DPA, Terms, and Service is limited to the greater of:
(a) fees paid in the previous 12 months; or
(b) £199.
16.3 Nothing excludes liability that cannot legally be excluded.
17. Variation
17.1 The Processor may amend this DPA on reasonable notice to reflect legal, operational, or Service changes.
18. Severability
18.1 Invalid provisions do not affect the remainder of the DPA.
19. Order of precedence
19.1 In the event of conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA prevails solely to the extent of that conflict.
20. Governing law and jurisdiction
20.1 This DPA is governed by the laws of England and Wales.
20.2 The courts of England and Wales have exclusive jurisdiction.
Schedule 1
Details of Processing
Subject matter and duration
Processing of Customer Personal Data by the Processor in connection with the provision of the Service to the Customer, for the duration of the Customer’s active subscription (the Bundle and any Compliance OS subscription that follows it) and any post-termination retention period set out in Clause 13.
Nature and purpose of Processing
The Processor processes Customer Personal Data for the purposes of:
- providing workflow recording, deadline tracking, reminders, evidence storage, chase logs, audit logging, and reporting in connection with Companies House identity verification workflows;
- operating, maintaining, securing, and supporting the Service;
- providing aggregated insights that do not identify any individual;
- complying with the Processor’s legal obligations.
Categories of Data Subjects
- Authorised users of the Customer (partners, employees, and agents of the Customer firm);
- Directors, secretaries, and other officers of the Customer’s corporate clients;
- Persons with Significant Control (PSCs) of the Customer’s corporate clients;
- Other individuals whose personal data the Customer chooses to load into the Service in connection with workflow tracking.
Categories of Personal Data
- Identity data: full name, preferred name, role, date-of-birth month and year, nationality;
- Contact data: email address, phone number, registered office address;
- Verification metadata: verification status and history; personal code references (stored in masked form); identity verification date; ACSP name; AML-supervisory body name; appointment verification windows;
- Evidence files uploaded by the Customer (PDFs, screenshots, code receipts);
- Workflow notes and chase logs entered by authorised users of the Customer;
- Audit-log entries (user actions, timestamps, IP and session metadata).
The Processor does not require the upload of unredacted identity documents or special-category data. Where the Customer chooses to upload such material, Clause 6.2 applies.
Frequency of Processing
Continuous, for the duration of the Customer’s active subscription.
Schedule 3
Sub-processors
The following Sub-processors are engaged by the Processor as at the “Last updated” date of this DPA. Each is bound by a written processing agreement on terms no less protective than this DPA, or, where the Sub-processor acts as an independent controller, by its own data-protection obligations. An up-to-date list is available on request and is published inside the Service for active customers.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web hosting, content delivery, serverless runtime | EU and UK regions |
| Neon Inc. | Database hosting (Postgres) | EU (London) region |
| Clerk Inc. | Account authentication and session management | EU and US (SCCs in place) |
| Stripe Payments UK Ltd | Payment processing and billing | UK |
| Resend, Inc. | Transactional email delivery | EU |
| Cloudflare, Inc. | Evidence file storage (R2) | EU regions |
| Sentry Software, Inc. | Application error monitoring | EU region |
| PostHog, Inc. | Product analytics (signed-in users) | EU instance |
| Plausible Insights OÜ | Cookieless website analytics | EU |
| Twilio Ireland Ltd | SMS deadline alerts (Practice and Firm tiers) | EU and UK |
The Processor will give notice of any material change to this list in accordance with Clause 9.3, during which the Customer may exercise the remedy in Clause 9.4.
Companies House data. The Service incorporates public sector information from Companies House. Contains public sector information licensed under the Open Government Licence v3.0. RegisterTrack is not affiliated with or endorsed by Companies House, GOV.UK or any government body.