Data Processing Agreement (DPA)

Parties

Data Controller ("Business User")

The trade business or entity that has subscribed to TradeAlly services and whose customers' data is processed through our platform.

Data Processor ("TradeAlly")

TradeAlly Ltd
Registered Address: 41 Sixty Acres Road, Prestwood, HP16 0PE, England, United Kingdom
Company Number: 16608057
DPO Email: dpo@tradeally.co.uk

1. Definitions

1.1 "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any successor legislation.

1.2 "Personal Data" means any information relating to an identified or identifiable natural person.

1.3 "Processing" means any operation performed on Personal Data.

1.4 "End Customer" means customers of the Business User whose data is processed via the Services.

1.5 "Services" means the AI-powered phone answering, SMS handling, and customer management services provided by TradeAlly.

1.6 "Sub-processor" means any third party engaged by TradeAlly to process Personal Data.

1.7 "Expense Data" means receipt images, documents (including PDFs), and any structured data extracted from them, including merchant details, dates, line items, VAT amounts, totals, and job linkage.

1.8 "Derived Data" means data generated from Expense Data through automated processing (including OCR extraction, categorisation, aggregation, and anonymisation) that does not identify an individual.

1.9 "OCR Processing" means the automated analysis of receipt images or documents using machine learning models to extract structured information.

2. Roles and Responsibilities

2.1 Data Controller (Business User)

The Business User acts as Data Controller and is responsible for:

• Determining the purposes and means of processing End Customer data
• Ensuring a valid lawful basis exists for processing
• Providing privacy notices to End Customers
• Responding to data subject rights requests
• Reporting data breaches to the ICO where required

2.2 Data Processor (TradeAlly)

TradeAlly acts as Data Processor and shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to process have committed to confidentiality
• Take appropriate technical and organizational security measures
• Assist the Controller with data subject rights requests
• Delete or return Personal Data at the end of the agreement
• Make available information necessary to demonstrate compliance
• Process Expense Data and perform OCR Processing solely to provide expense tracking, job costing, and related features, in accordance with the Business User's instructions

3. Subject Matter and Scope

3.1 Purpose of Processing

TradeAlly processes Personal Data to provide the following services:

• Answer inbound phone calls using AI voice technology
• Receive and classify SMS messages
• Create and manage lead records
• Send notifications and confirmations
• Facilitate appointment booking and quote management
• Receive, store, and process receipt images and documents uploaded by the Business User
• Perform OCR Processing on receipts to extract structured expense information
• Associate expenses with jobs, bookings, or general business records
• Generate job profitability views and cost summaries
• Create anonymised or aggregated Derived Data for service improvement and benchmarking

3.2 Categories of Data Subjects

• End Customers contacting the Business User
• Business User staff (if team features enabled)

3.3 Categories of Personal Data

Category	Examples
Contact Information	Name, phone number, email address
Location Data	Address, postcode, service area
Communication Content	SMS messages (voice processed in real-time, not stored)
Service Information	Type of service requested, urgency level
Interaction History	Call times, message timestamps
Expense and Receipt Data	Receipt images, PDFs, merchant names, transaction dates, line items, VAT amounts, totals, payment method

Note: Receipt images may incidentally contain personal data relating to suppliers, sole traders, or third parties. TradeAlly does not intentionally process special category data via receipts.

3.4 Duration of Processing

Processing shall continue for the duration of the service agreement, plus:

• 90 days after account closure for operational wind-down
• 7 years for financial/legal records as required by UK law

4. Security Measures

4.1 Technical Measures

TradeAlly implements the following technical security measures:

Measure	Implementation
Encryption at rest	AES-256 for stored data
Encryption in transit	TLS 1.3 minimum
Access control	Role-based, principle of least privilege
Authentication	Multi-factor for admin access
Audit logging	All data access logged
Backup & recovery	Daily backups, tested recovery

4.2 Organizational Measures

• Staff confidentiality agreements
• Regular security awareness training
• Incident response procedures
• Vendor security assessments
• Annual security audits

4.3 Pseudonymization

• Phone numbers partially masked in logs (last 4 digits visible)
• Email addresses masked in non-production environments
• PII automatically scrubbed from application logs

5. Sub-processors

5.1 Authorized Sub-processors

The Business User authorizes the following sub-processors:

Sub-processor	Purpose	Location
Telnyx	Voice & SMS delivery	USA/EU
Stripe	Payment processing	USA/EU
ElevenLabs	AI voice technology (zero retention)	USA
OpenAI	SMS classification; OCR and text extraction from receipt images	USA
Heroku (Salesforce)	Cloud hosting	USA/EU
Cloudflare R2	Secure storage of receipt images, documents, and derivative assets (thumbnails)	EU/UK
Cloudinary	Business logo and general file storage	USA

Clarification: Cloudflare R2 is the sole system of record for receipt and expense document storage. Cloudinary is used for general file storage (such as business logos) and does not process receipt or expense data.

5.2 Sub-processor Changes

TradeAlly shall:

• Maintain a current list of sub-processors at: tradeally.co.uk/sub-processors
• Notify Business Users of new sub-processors 30 days in advance
• Provide Business Users opportunity to object to new sub-processors
• Ensure sub-processors are bound by equivalent data protection obligations

5.3 Sub-processor Liability

TradeAlly remains fully liable for the acts and omissions of its sub-processors.

6. International Transfers

6.1 Transfer Mechanisms

Personal Data may be transferred to the USA. Such transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the UK ICO
• Sub-processor-specific DPAs incorporating SCCs
• Additional safeguards where required

6.2 Transfer Impact Assessment

TradeAlly has assessed that US transfers do not undermine data protection due to:

• Nature of data (business contact information, not sensitive categories)
• Technical measures (encryption, access controls)
• Contractual safeguards (DPAs with sub-processors)
• OCR Processing via OpenAI involves transient processing of receipt images for text extraction, subject to contractual safeguards, and without use of such data for model training

7. Data Subject Rights

7.1 Assistance with Requests

TradeAlly shall assist the Business User in responding to:

• Access requests (Article 15)
• Rectification requests (Article 16)
• Erasure requests (Article 17)
• Restriction requests (Article 18)
• Portability requests (Article 20)
• Objection requests (Article 21)

7.2 Response Procedures

Upon receiving a data subject request:

1. TradeAlly will notify Business User within 48 hours
2. Provide data export within 10 business days
3. Execute deletion within 30 days of confirmation
4. Log all actions for audit purposes

Where Expense Data is subject to statutory retention requirements, including UK tax and accounting laws, deletion or erasure requests may be lawfully restricted and the Business User will be informed accordingly.

7.3 Direct Requests

If TradeAlly receives a request directly from an End Customer:

• Inform the End Customer to contact the Business User
• Notify the Business User of the request
• Not respond directly unless legally required

8. Data Breach Notification

8.1 Processor Obligations

Upon becoming aware of a Personal Data breach, TradeAlly shall:

• Notify the Business User without undue delay (within 24 hours)
• Provide details: nature, categories, approximate numbers, consequences, mitigation
• Assist with ICO notification where required
• Document the breach and response actions

8.2 Breach Response Cooperation

TradeAlly shall cooperate with the Business User to:

• Investigate the breach
• Mitigate adverse effects
• Prepare regulatory notifications
• Communicate with affected data subjects if required

9. Audit Rights

9.1 Controller Audit Rights

The Business User may:

• Request security documentation and certifications
• Conduct audits with 30 days' written notice
• Appoint a third-party auditor (subject to confidentiality)

9.2 Audit Scope

Audits may cover:

• Technical security measures
• Organizational security measures
• Sub-processor management
• Data retention compliance
• Incident response procedures

9.3 Audit Costs

• Documentation requests: No charge
• On-site audits: Reasonable costs shared
• Third-party audits: Business User's expense

10. Data Retention and Deletion

10.1 Retention Periods

Data Type	Retention Period
Active lead data	Duration of service + 90 days
Completed job records	2 years
Expense and financial records (including receipt images)	In accordance with UK tax law: at least 5 years after the relevant tax submission deadline for sole traders and partnerships; at least 6 years from the end of the financial year for limited companies; up to 7 years where required
Communication logs	2 years (then anonymized)
Session data	48 hours
Call audio	Not retained (zero retention mode)

10.2 Deletion on Termination

Upon termination of services:

• Export data provided within 30 days of request
• Personal Data deleted within 90 days
• Anonymized data may be retained for analytics
• Legal retention requirements honored
• Expense and receipt data subject to legal retention obligations will be retained until such obligations expire, after which deletion or anonymisation will occur

10.3 Deletion Verification

Upon request, TradeAlly will provide written confirmation of deletion.

10.4 Derived and Anonymised Data

TradeAlly may retain anonymised or aggregated Derived Data created from Expense Data for analytics, benchmarking, and service improvement purposes. Such data does not identify individuals and is not subject to deletion upon termination.

11. Liability

11.1 Processor Liability

TradeAlly shall be liable for damages caused by processing that:

• Violates Data Protection Laws
• Breaches this DPA
• Acts outside or contrary to Controller instructions

11.2 Limitation

Liability under this DPA is subject to the limitations in the main service agreement (Terms of Service), except where prohibited by law.

12. Term and Termination

12.1 Effective Date

This DPA is effective from the date of the main service agreement (when you subscribe to TradeAlly).

12.2 Survival

Sections 7 (Data Subject Rights), 8 (Breach Notification), 9 (Audit Rights), and 10 (Deletion) survive termination.

13. Governing Law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.