Data Processing Agreement

Last updated: 15 May 2026 · Version 1.1 · Applies to all Addlify products

    What this document is: This Data Processing Agreement ("DPA") is entered into between
    Addlify ("Processor") and each subscriber of any Addlify product ("Controller") —
    including Addlify Finance, Addlify Medic, and any future Addlify add-ins.
    It governs the processing of personal data carried out by Addlify on the Controller's behalf,
    as required by Article 28 of the General Data Protection Regulation (GDPR) and the UK GDPR.
    By subscribing to any Addlify product, the Controller accepts the terms of this DPA.
  

1. Parties

Data Controller

You — the Addlify Finance subscriber

The natural person or legal entity that has purchased an Addlify Finance licence and determines the purposes and means of processing personal data through the add-in.

Data Processor

Addlify

Operating at addlify.uk
Contact: legal@addlify.uk
Processes personal data solely on the Controller's documented instructions.

2. Subject matter, nature and duration

The subject matter of this DPA is the provision of Addlify subscription services (any current or future Addlify product), which include:

Licence key generation, activation and validation across all Addlify products.
Receiving and storing data submitted via the add-in (e.g., UTR/VRN/CIF/VAT lookups, HMRC and ANAF submission results, medical form metadata, feedback).
Sending transactional emails on the Controller's behalf (e.g., licence confirmation, device-transfer approval).
Storing audit logs of actions performed by the Controller's device(s).

This DPA commences when the Controller subscribes to any Addlify product and terminates when the licence is permanently cancelled and all Controller data is deleted in accordance with Section 9 below.

3. Categories of personal data and data subjects

3.1 Data common to all Addlify products

Category of personal data	Data subjects	Purpose
Email address, licence key	Controller / Controller's employees	Licence management, transactional email
Device fingerprint (non-reversible hash)	Controller's device users	Per-device licence enforcement
IP address, browser/OS metadata	Controller's device users	Security, fraud prevention, rate limiting
Feedback messages and support tickets	Controller / Controller's employees	Customer support, product improvement

3.2 Product-specific data

Product	Additional data processed	Notes
Addlify Finance	UTR/NINO/VRN (UK) and CIF/VAT codes (RO); company names; HMRC and ANAF submission status codes and timestamps; HMRC OAuth tokens (encrypted at rest)	Invoice line items, period totals and self-employment figures are never stored on Addlify servers — generated locally in Excel and sent directly to HMRC or ANAF by the add-in. Addlify receives only success/error metadata and acknowledgement references.
Addlify Medic	Medical appointment metadata; patient identifiers where submitted by the Controller	May constitute special category data under GDPR Art. 9. The Controller is responsible for ensuring a valid Art. 9 legal basis before processing. Addlify processes only what the Controller explicitly submits.
Future products	To be specified in a product-specific annex published at addlify.uk/dpa at launch	This DPA will be updated with product-specific rows at least 14 days before a new product's general availability.

ℹ️ Data minimisation principle: Addlify add-ins are designed to process data locally on the Controller's device wherever possible. Server-side storage is limited to what is strictly necessary for licence management, security, and support. No document content (invoices, medical records, legal documents) is transmitted to Addlify servers unless the Controller explicitly initiates a sync or cloud feature.

4. Obligations of the Processor (Addlify)

4.1 Processing only on documented instructions

Addlify shall process personal data only on the documented instructions of the Controller (i.e., the actions the Controller initiates through the add-in or account portal). If Addlify is required by EU or UK law to process data beyond these instructions, it shall inform the Controller before that processing takes place, unless prohibited by law.

4.2 Confidentiality

Addlify ensures that all persons authorised to process Controller personal data are bound by confidentiality obligations and have received appropriate data protection training.

4.3 Security measures

Addlify implements and maintains appropriate technical and organisational measures, including:

TLS 1.2+ encryption for all data in transit.
Database encryption at rest.
Bcrypt hashing for all passwords and sensitive identifiers.
Parameterised SQL queries to prevent injection attacks.
Security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options).
Rate limiting and brute-force protection on all API endpoints.
Two-factor authentication (TOTP) on administrator accounts.
Regular security reviews and dependency updates.

The full, structured description of these technical and organisational measures, as required by Article 32 of the UK GDPR / EU GDPR, is set out in Annex 2 to this DPA and forms an integral part of it.

4.4 Sub-processors

The Controller authorises Addlify to engage the following sub-processors. Addlify has entered into data processing agreements with each that impose equivalent obligations to those in this DPA. This list is exhaustive — Addlify does not use any undisclosed third-party data processors:

Sub-processor	Role	Data shared	Location	More info
Stripe, Inc.	Payment processing and subscription management	Email address, billing country, payment method (card number stored solely by Stripe under PCI-DSS — never by Addlify)	USA (Standard Contractual Clauses in place)	stripe.com/privacy
PayPal (Europe) S.à r.l. et Cie, S.C.A.	Alternate payment processing for orders chosen via PayPal at checkout	Email address, billing country, transaction reference (PayPal holds all account/funding data directly)	Luxembourg / USA (Standard Contractual Clauses in place)	paypal.com/privacy
Hostico SRL	Web server, MariaDB database hosting, and transactional email delivery (server-native PHP mail / SMTP relay)	All data stored on Addlify servers under shared cPanel hosting; email recipient address and email content for transactional messages	Romania (EU)	hostico.ro/politica-de-confidentialitate
Twilio Inc. (SendGrid)	Transactional email delivery (newsletter, license activation, password recovery) where SMTP relay is used in addition to native PHP mail	Recipient email address, email subject and body content	USA / Ireland (Standard Contractual Clauses in place)	twilio.com/privacy
Cloudflare, Inc.	CDN, DDoS protection, WAF and TLS termination for addlify.uk	IP address, request metadata; HTTP request/response bodies in transit (not stored at rest by Cloudflare beyond short-lived caches)	USA / EU edge (Standard Contractual Clauses in place)	cloudflare.com/privacy
Microsoft Corporation	Add-in runtime environment (Microsoft Office / Excel / Word add-in platform). Microsoft acts as a Processor in respect of add-in storage and runtime carried out on Addlify's behalf, and as an Independent Controller in respect of its own Office product telemetry, which it collects and uses for its own purposes.	Standard Office add-in telemetry (controlled by the Controller's Microsoft 365 policy — Addlify has no access to this telemetry). The Microsoft Products and Services Data Protection Addendum (DPA) governs Microsoft's processing.	USA / EU (per Controller's Microsoft 365 tenant region)	Microsoft Privacy Statement

Scope of this DPA: the sub-processors listed above are engaged by Addlify to deliver the SaaS service to the Controller. Marketing/advertising tools loaded on the public website (Google Analytics 4, Google Ads, Meta Pixel) are not sub-processors of this DPA: they only run after a website visitor (who may also be a Controller) gives explicit cookie consent, and they process the visitor's own data — not Controller-uploaded data. They are listed in our Privacy Policy and Cookie Policy for transparency.

Addlify will notify the Controller of any intended addition or replacement of a sub-processor by updating the list above and the "Last updated" date of this DPA at least 30 days in advance. This DPA is the authoritative, version-dated record of Addlify's current sub-processors. The Controller may object to a new sub-processor on reasonable, data-protection-related grounds by emailing legal@addlify.uk within those 30 days and stating the grounds for the objection. Addlify will work in good faith to address the concern; if no resolution is reached, the Controller may, as its sole remedy, terminate the affected part of the subscription without penalty before the new sub-processor begins processing Controller data.

4.5 Assistance with data subject rights

Addlify shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection). Requests should be directed to legal@addlify.uk and will be addressed within 5 business days to allow the Controller to meet the 30-day GDPR deadline.

4.6 Data breach notification

Addlify (as Processor) shall notify the Controller without undue delay — and no later than 48 hours after becoming aware — of any personal data breach affecting Controller data. This 48-hour window is deliberately tighter than the 72-hour Controller-to-supervisor deadline under UK GDPR / EU GDPR Article 33, so the Controller has time to assess and onward-notify the supervisory authority where required. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.

4.7 Data Protection Impact Assessments (DPIAs)

Addlify shall provide reasonable assistance to the Controller in carrying out DPIAs and prior consultations with supervisory authorities where required by GDPR Article 35–36.

4.8 Return and deletion of data

Upon termination of the subscription, Addlify shall, at the Controller's choice:

Delete all Controller personal data within 30 days, or
Return a copy of the data in JSON format upon written request, after which it will be deleted.

Addlify may retain anonymised, aggregated data (no personal identifiers) for statistical purposes after deletion.

4.9 Audit rights

The Controller may request, at most once per calendar year, a written summary of Addlify's security measures and this DPA's compliance. Addlify shall also provide any information reasonably necessary to demonstrate compliance. Requests should be sent to legal@addlify.uk.

5. Obligations of the Controller

The Controller warrants and represents that:

It has a valid legal basis (under GDPR Article 6 and, where applicable, Article 9) for all personal data it causes to be processed by Addlify.
It will provide data subjects with all required notices about the processing described in this DPA.
It will not instruct Addlify to process data in a manner that violates applicable law.
It is responsible for the security of any device on which the Addlify Finance add-in is installed.

6. International data transfers

Addlify stores and processes Controller data on servers located within the EU/EEA. Where any sub-processor operates outside the EU/EEA, Addlify ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms under UK GDPR.

7. Liability and indemnification

Each party shall be liable for damages caused by its own breach of GDPR obligations. Where both parties are responsible for damage, each party's liability shall be proportionate to its degree of responsibility. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by law.

8. Governing law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless the Controller is located in the EU, in which case local mandatory consumer protection laws may also apply.

9. Updates to this DPA

Addlify may update this DPA to reflect changes in law or service. Material changes will be notified by email at least 14 days before they take effect. Continued use of Addlify Finance after the effective date constitutes acceptance. The "Last updated" date at the top of this page reflects the most recent revision.

10. Contact

For questions about this DPA, data subject requests, or security concerns:

Email: legal@addlify.uk
Website: addlify.uk

For complaints, you may also contact your national supervisory authority:

UK: Information Commissioner's Office — ico.org.uk
Romania: ANSPDCP — dataprotection.ro
Other EU: edpb.europa.eu

Annex 1 — List of sub-processors

The authoritative list of sub-processors engaged by Addlify — together with their role, the data shared, their location and the applicable transfer safeguards — is set out in clause 4.4 of this DPA. That list is exhaustive and is kept up to date; the "Last updated" date at the top of this page reflects the most recent change. The procedure for adding or replacing a sub-processor, and the Controller's right to object, are described in clause 4.4.

Annex 2 — Technical and organisational measures (Article 32 GDPR)

This Annex sets out the technical and organisational measures (TOMs) implemented and maintained by Addlify as Processor, in accordance with Article 32 of the UK GDPR and EU GDPR. It forms an integral part of this DPA and is referenced by clause 4.3.

A2.1 Encryption and pseudonymisation

TLS 1.2+ for all data in transit, with HSTS enforced.
Encryption at rest for the production database, with encrypted daily backups.
AES-256 encryption of HMRC and ANAF OAuth tokens and other sensitive identity fields.
Bcrypt/argon2 hashing of passwords and sensitive identifiers; data minimisation and pseudonymisation of identifiers where the cleartext value is not required.

A2.2 Access control

Least-privilege, role-based access control (RBAC); access granted on a strict need-to-know basis.
Two-factor authentication (TOTP) on all administrator and processor accounts.
Parameterised SQL queries, output encoding, and CSRF protection on state-changing endpoints.
Logical separation of production, staging and development environments.

A2.3 Confidentiality, integrity, availability and resilience

Web Application Firewall, DDoS protection and rate limiting (Cloudflare); secure HTTP response headers and Content-Security-Policy.
Hosting on providers operating to ISO 27001 / SOC 2 standards.
Centralised logging, monitoring and anomaly detection.
Regular patching, dependency scanning and security reviews.

A2.4 Incident response

Documented data-breach response procedure with defined roles and escalation paths.
Notification to the Controller without undue delay and no later than 48 hours after Addlify becomes aware of a breach affecting Controller data (clause 4.6).
Where Addlify acts as controller of its own data, notification to the competent supervisory authority (ICO / ANSPDCP) within 72 hours.

A2.5 Business continuity

Encrypted daily backups with a 90-day rolling retention and periodic restore tests.
Ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident.
A process for regularly testing, assessing and evaluating the effectiveness of these measures.

A2.6 Endpoint devices

Devices used to administer the service are protected by full-disk encryption, a strong PIN/password and automatic screen lock.