Data Processing Agreement
Last updated: 1 May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Appslab Ltd (trading as Finovo) and the Customer for use of the Finovo platform. It satisfies the requirements of Article 28 GDPR / UK GDPR.
1. Definitions
"Controller" means the Customer. "Processor" means Appslab Ltd trading as Finovo. "Personal Data", "Data Subject", "Processing", "Supervisory Authority" have the meanings given in the GDPR.
2. Processing details
Subject matter: Provision of cloud accounting and finance management services via the Finovo platform.
Duration: For the term of the Customer's subscription plus any statutory retention period thereafter.
Nature and purpose: Storage, organisation, retrieval, and transmission of financial records, invoices, expense data, payroll records, and tax-related data to enable the Customer to manage their business finances.
Types of personal data: Contact details (name, email, address), financial transaction data, payroll and employment data, bank account details, VAT registration numbers, tax file references.
Categories of data subjects: Customer's employees, contractors, clients, suppliers, and other individuals whose data the Customer uploads to the platform.
3. Processor obligations
- Process Personal Data only on documented instructions from the Controller (including those set out in this DPA and the Terms of Service), unless required to do so by applicable law.
- Ensure persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organisational security measures as set out in Section 6 below.
- Not engage a sub-processor without prior written authorisation from the Controller (a general authorisation is given via acceptance of this DPA for the sub-processors listed in the Annex).
- Assist the Controller in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
- Delete or return all Personal Data upon termination of the agreement, and delete existing copies unless applicable law requires storage.
- Make available all information necessary to demonstrate compliance and allow for and contribute to audits.
4. Sub-processors
The Controller grants general authorisation for the Processor to engage the following sub-processors. The Processor shall notify the Controller of any intended changes to this list with at least 14 days' notice, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication & user management | USA (SCC) |
| Supabase | Database hosting | EU |
| Stripe | Payment processing | USA (SCC) |
| GoCardless | Direct debit payments | UK / EU |
| TrueLayer | Open banking connections | UK / EU |
| Vercel | Web hosting & analytics | USA (SCC) |
| Sentry | Error monitoring | USA (SCC) |
| Resend | Transactional email | USA (SCC) |
5. Data subject rights
The Processor will provide reasonable assistance to enable the Controller to fulfil data subject requests (access, rectification, erasure, portability, restriction, objection) within the timescales required by applicable law. The Processor will forward any data subject request it receives directly from a data subject to the Controller without undue delay.
6. Security measures
The Processor maintains the following technical and organisational security measures:
- Encryption of data at rest (AES-256) and in transit (TLS 1.2+).
- Role-based access controls and principle of least privilege for all staff.
- Regular automated backups with point-in-time recovery.
- Continuous security monitoring and intrusion detection.
- Annual penetration testing by an independent third party.
- SOC 2 Type II controls aligned with the platform infrastructure.
7. Data breach notification
In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach (insofar as this is feasible). Notification will include the information required under Article 33(3) GDPR to the extent available at the time.
8. International data transfers
Where Personal Data is transferred to a country outside the UK or EEA that does not benefit from an adequacy decision, the transfer will be made on the basis of Standard Contractual Clauses (UK Addendum / EU SCCs) or another lawful transfer mechanism.
9. Audit rights
The Controller may, upon reasonable prior written notice of at least 30 days and no more than once per calendar year, conduct an audit of the Processor's processing activities covered by this DPA. The Processor may satisfy this right by providing its most recent independent audit report (e.g. SOC 2 report).
10. Term and termination
This DPA is coterminous with the agreement between the parties. Upon termination, the Processor will, at the Controller's election, delete or return all Personal Data within 90 days, unless applicable law requires the Processor to retain the data.
11. Governing law
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales, subject to mandatory data protection laws in the Controller's jurisdiction.
12. Contact
For questions about this DPA or to exercise audit rights, contact our privacy team at privacy@getfinovo.com.