Last updated: 2026-06-05 · Version 1.1

Data Processing Agreement

This Data Processing Agreement (DPA) sets out the terms under which Octillionsoft LIMITED (Vupiy) processes personal data on behalf of its customers. It is incorporated into our Terms of Service and applies automatically whenever you, as a Customer, act as a data controller of personal data uploaded into Vupiy.

Note: This DPA has been drafted with reference to UK GDPR Article 28, ICO guidance on controller-processor contracts, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, and the UK Extension to the EU-US Data Privacy Framework. It is reviewed periodically. For questions, contact [email protected].

Contents

  1. Definitions and Interpretation
  2. Scope, Roles and Order of Precedence
  3. Processing of Customer Personal Data
  4. Security
  5. Sub-processors
  6. Assistance to the Customer
  7. International Transfers
  8. Audit and Information Rights
  9. Return and Deletion of Customer Personal Data
  10. Liability and General
  11. Schedule 1 — Processing Details
  12. Schedule 2 — Technical and Organisational Measures
  13. Schedule 3 — Sub-processors

1. Definitions and Interpretation

1.1 Capitalised terms used but not defined in this DPA have the meaning given in the Vupiy Terms of Service or in the Data Protection Laws.

1.2 In this DPA:

  • "Agreement" means the Vupiy Terms of Service together with any order form, plan-specific addendum, and this DPA.
  • "Customer" means the legal entity or individual that has entered into the Agreement with Vupiy ("you", "your"). The Customer is the Controller for the purposes of this DPA.
  • "Customer Personal Data" means any Personal Data that Vupiy processes on the Customer's behalf in the course of providing the Vupiy Services, including data the Customer or its authorised users upload, generate, or transmit through the Vupiy Services.
  • "Data Protection Laws" means, as applicable: the UK GDPR; the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025); the Privacy and Electronic Communications Regulations 2003 (PECR); the EU GDPR (where it applies to processing of EEA personal data); and any binding ICO guidance.
  • "IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner under section 119A(1) of the DPA 2018.
  • "Personal Data", "Controller", "Processor", "Sub-processor", "Personal Data Breach", "Data Subject" have the meanings given in the UK GDPR.
  • "Restricted Transfer" means a transfer of Personal Data from the UK to a country outside the UK that is not the subject of UK adequacy regulations.
  • "SCCs" means the EU Standard Contractual Clauses for the transfer of personal data to processors established outside the EEA, in the form approved by Commission Implementing Decision (EU) 2021/914.
  • "TOMs" means the Technical and Organisational Measures set out in Schedule 2.
  • "UK Addendum" means the UK International Data Transfer Addendum to the EU Commission's Standard Contractual Clauses, in the form issued by the ICO under section 119A(1) DPA 2018 (template B.1.0 or its successor).
  • "Vupiy", "we", "us", "our" means Octillionsoft LIMITED, a company registered in England and Wales with company number 13312842, registered office at 295 Caledonian Road, Islington, London, N1 1EG, United Kingdom. Vupiy is the Processor for the purposes of this DPA.

2. Scope, Roles and Order of Precedence

2.1 Roles. In respect of Customer Personal Data, the Customer is the Controller and Vupiy is the Processor. Each party shall comply with its respective obligations under the Data Protection Laws.

2.2 Subject matter and duration. The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are set out in Schedule 1.

2.3 Order of precedence. In case of conflict between this DPA and the Agreement (including the Terms of Service or any order form) with respect to the processing of Personal Data, this DPA prevails. In case of conflict between this DPA and the IDTA, UK Addendum or EU SCCs forming part of it, the IDTA / UK Addendum / SCCs prevail.

2.4 Independent controllers. Where Customer instructs Vupiy to transmit Customer Personal Data to a third party that acts as an independent Controller (including HM Revenue & Customs, Companies House, the Customer's own Stripe account, Open Banking AISPs, and other government or third-party services the Customer connects), Vupiy's role as Processor ends upon successful transmission to that third party. Those third parties are not Vupiy Sub-processors, and Vupiy is not their Sub-processor.

3. Processing of Customer Personal Data

3.1 Documented instructions. Vupiy shall process Customer Personal Data only on the Customer's documented instructions. The Agreement, the use of the Vupiy Services in accordance with Vupiy's published documentation, and any further written instructions agreed between the parties constitute the Customer's documented instructions for the purposes of UK GDPR Article 28(3)(a).

3.2 Compliance with law. Vupiy shall inform the Customer if, in its opinion, an instruction from the Customer infringes Data Protection Laws. Vupiy may, where required by UK or EU law to which it is subject, process Customer Personal Data otherwise than on documented instructions; in that case, Vupiy shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.3 Confidentiality. Vupiy shall ensure that persons authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality of indefinite duration, whether by contract or statutory duty.

3.4 Customer warranties. The Customer warrants that: (a) it has all necessary rights, consents, and lawful bases under Data Protection Laws to provide Customer Personal Data to Vupiy and to instruct Vupiy to process that data; (b) it has, where relevant, provided the privacy information required by UK GDPR Articles 13–14 to the Data Subjects concerned; and (c) its instructions to Vupiy comply with applicable laws.

4. Security

4.1 Technical and Organisational Measures. Vupiy shall implement and maintain the Technical and Organisational Measures set out in Schedule 2 to ensure a level of security appropriate to the risk, in line with UK GDPR Article 32. Vupiy may update the TOMs from time to time, provided that any update does not materially reduce the overall level of security.

4.2 Personnel access. Vupiy shall ensure that access to Customer Personal Data is limited to those personnel who need access to perform the Agreement, on a need-to-know basis, and that all such personnel are subject to appropriate confidentiality obligations.

4.3 Personal Data Breach. Vupiy shall notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay and, in any event, within forty-eight (48) hours of Vupiy becoming aware of the breach. The notification shall include, to the extent then known to Vupiy:

  • the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects and records concerned;
  • the name and contact details of Vupiy's privacy contact from whom more information can be obtained;
  • the likely consequences of the Personal Data Breach;
  • the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

4.4 No determination of notifiability. Vupiy's notification under clause 4.3 does not amount to an acknowledgement that Vupiy is at fault or liable, nor a determination by Vupiy of whether the Customer is required to notify the ICO or affected Data Subjects under Articles 33–34 UK GDPR — that determination is the Customer's responsibility, with Vupiy's reasonable assistance.

5. Sub-processors

5.1 General authorisation. The Customer grants Vupiy general written authorisation to engage Sub-processors to process Customer Personal Data, subject to this clause 5.

5.2 List and notification. Vupiy shall maintain a current list of Sub-processors at vupiy.co.uk/legal/subprocessors. Vupiy shall give the Customer at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-processor, by:

  • updating the public Sub-processors list;
  • emailing the Customer's nominated data protection contact; and
  • displaying an in-app banner to Customer administrators.

5.3 Objection right. The Customer may object to the addition or replacement of a Sub-processor on reasonable, documented data protection grounds within the 30-day notice period by emailing [email protected]. If the parties cannot agree on a resolution (such as Vupiy routing the Customer's data to a different sub-processor or implementing additional safeguards), the Customer may terminate the affected Service with a pro-rata refund of pre-paid unused fees.

5.4 Same obligations. Vupiy shall enter into a written agreement with each Sub-processor that imposes data protection obligations that are, in substance, the same as those imposed on Vupiy under this DPA, including Article 32 security obligations. Vupiy shall make such agreements available to the Customer on written request, subject to appropriate confidentiality protections.

5.5 Vupiy's liability. Vupiy remains fully liable to the Customer for the performance of each Sub-processor's obligations.

6. Assistance to the Customer

6.1 Data Subject Requests. Taking into account the nature of the processing, Vupiy shall assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests for exercising Data Subject rights under Chapter III of the UK GDPR (access, rectification, erasure, restriction, portability, objection, automated decisions). Vupiy provides self-service export, deletion, and rectification tools in the Vupiy application that the Customer can use to satisfy most such requests directly.

6.2 DPIA and prior consultation. Vupiy shall provide reasonable assistance to the Customer with Data Protection Impact Assessments under UK GDPR Article 35 and prior consultations with the ICO under Article 36, taking into account the nature of processing and the information available to Vupiy.

6.3 Articles 32–36 generally. Vupiy shall assist the Customer in ensuring compliance with UK GDPR Articles 32 to 36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to Vupiy.

6.4 Reasonable costs. Where assistance under this clause 6 imposes more than minimal additional cost on Vupiy (for example, large-scale forensic work for a Personal Data Breach not caused by Vupiy), the parties shall agree a reasonable charge for that additional work in good faith.

7. International Transfers

7.1 Default position. Vupiy hosts Customer Personal Data in the United Kingdom and the European Economic Area (EEA). The current location of Customer Personal Data and any Sub-processor location is set out at vupiy.co.uk/legal/subprocessors.

7.2 Restricted Transfers. Where Vupiy makes a Restricted Transfer of Customer Personal Data (for example, when a Sub-processor is located outside the UK / EEA and the destination is not covered by UK adequacy regulations), the transfer shall be made under one of the following safeguards:

  • UK adequacy regulations — where the destination country is listed by the UK Government as providing adequate protection (including the EEA, Switzerland, and other listed countries);
  • UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge") — where the recipient in the United States is self-certified under the UK Extension;
  • UK IDTA or EU SCCs (2021/914) + UK Addendum — for other Restricted Transfers, supplemented by Transfer Risk Assessments retained internally and available on request.

7.3 SCCs and IDTA module. Where the EU SCCs apply, the parties incorporate Module 2 (controller-to-processor) and complete the optional annexes via Schedules 1 and 2 to this DPA. Where the UK Addendum applies, the parties incorporate the Addendum in the form issued by the ICO.

7.4 Invalidation of safeguards. If the transfer mechanism under clause 7.2 is invalidated (for example, by a Schrems-style court decision) and no replacement is available, either party may, on written notice, suspend or terminate the affected transfers and the affected Services.

8. Audit and Information Rights

8.1 Certifications and reports. Vupiy shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including by providing on written request its then-current independent third-party security audit reports (such as SOC 2 Type II or ISO 27001 certification where held), subject to appropriate confidentiality obligations.

8.2 On-site audit. The Customer may, no more than once per twelve (12) month period, request an on-site audit of Vupiy's processing of Customer Personal Data on at least thirty (30) days' prior written notice. Audits shall be conducted during business hours, subject to mutually agreed scope and an appropriate confidentiality agreement, in a manner that does not unreasonably disrupt Vupiy's operations.

8.3 Costs. The Customer shall bear its own and Vupiy's reasonable costs of any audit, except where the audit reveals a material breach of this DPA by Vupiy, in which case Vupiy shall bear reasonable costs.

8.4 Ad-hoc audit. The frequency limit in clause 8.2 does not apply where the Customer has a reasonable, documented suspicion of a material breach of this DPA by Vupiy or its Sub-processors.

8.5 Third-party auditors. Audits may be conducted by Customer personnel or by an independent third-party auditor selected by the Customer and reasonably acceptable to Vupiy. The auditor shall not be a competitor of Vupiy.

9. Return and Deletion of Customer Personal Data

9.1 Self-service export. On expiry or termination of the Agreement, the Customer may export all Customer Personal Data using the self-service export functionality within the Vupiy application for thirty (30) days following termination.

9.2 Deletion. Following the 30-day export period, Vupiy shall delete Customer Personal Data from its active production systems within six (6) months and from its routine backups within a further three (3) months, save to the extent retention is required by applicable law (including the Companies Act 2006, the VAT Act 1994, and HMRC VAT Notice 700/22 — which require certain records to be retained for six years).

9.3 Statutory audit logs. Vupiy shall retain audit records of submissions made to HMRC, Companies House, and similar statutory authorities for the minimum statutory period (six years for VAT records under VAT Notice 700/22; equivalent rules for other regimes), notwithstanding clauses 9.1 and 9.2. The Customer will lose interactive access to those records on termination, but they will be retained by Vupiy to meet our and the Customer's legal obligations.

9.4 Certification. Vupiy shall certify deletion of Customer Personal Data on the Customer's written request, subject to clause 9.3.

10. Liability and General

10.1 Liability. Each party's liability under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service. The exclusions in clause 9.1 of the Terms of Service (non-excludable liability for death/personal injury, fraud, etc.) apply unchanged.

10.2 Regulatory fines. Each party shall bear any administrative fine imposed on it directly by the ICO or another competent supervisory authority for its own breach of Data Protection Laws. Nothing in this clause excludes a party's obligation to indemnify the other for losses caused by its breach of this DPA, subject to clause 10.1.

10.3 Term. This DPA takes effect on the effective date of the Agreement and continues for as long as Vupiy processes Customer Personal Data on the Customer's behalf, plus the retention periods set out in clause 9.

10.4 Updates. Vupiy may update this DPA from time to time. If we make material changes, we will give the Customer at least 30 days' prior notice by email and via an in-app banner, and the Customer may terminate the affected Service before the change takes effect (with pro-rata refund of pre-paid unused fees) if the Customer does not accept the change. Non-material changes (clarifications, formatting, contact details) take effect on publication.

10.5 Governing law. This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales, save that where the IDTA, UK Addendum or EU SCCs specify a different governing law for the transfer mechanism itself, that specification prevails for the relevant transfer.

10.6 Notices. Notices under this DPA shall be in writing and sent: to Vupiy at [email protected] or by post to Octillionsoft LIMITED, Privacy Team, 295 Caledonian Road, Islington, London, N1 1EG; and to the Customer at the email and postal address registered for the Customer's administrative contact in Vupiy.

10.7 Severability and survival. If any provision of this DPA is held to be unenforceable, the remaining provisions remain in effect. Clauses that by their nature should survive termination (including 4.3, 5.4, 5.5, 8, 9, 10.1 and 10.2) will survive.

Schedule 1 — Processing Details

Subject matter of processingProvision of cloud accounting / invoicing / Making Tax Digital-compliant tax filing software (the Vupiy Services), as described in the Agreement.
Duration of processingTerm of the Agreement, plus the 30-day export window in clause 9.1 and the deletion windows in clause 9.2, save for statutory retention under clause 9.3.
Nature and purposeHosting and processing of accounting records to enable bookkeeping, invoicing, expense management, scheduling, VAT / ITSA / Self Assessment / Corporation Tax submissions to HMRC, payment processing via the Customer's connected Stripe account, and ancillary features. Vupiy acts as a processor in respect of Customer-uploaded data.
Categories of Data Subjects
  • Customer's authorised users (account owners, employees, accountants)
  • Customer's customers (invoice recipients)
  • Customer's suppliers (bill recipients)
  • Customer's employees (payroll, expenses, schedule)
  • Customer's directors / officers (Companies House features)
Categories of Personal Data
  • Identification: name, business / personal address, email, phone, photo
  • Financial: bank account details, payment card last 4 + brand (via Stripe tokenisation; Vupiy does not store PANs), invoice and payment amounts, VAT numbers, UTRs
  • Employment: NI Number, salary and tax codes if payroll features used
  • Tax: HMRC VRN, MTD obligations data, returns content, submission audit records
  • Device & usage: IP, user agent, timestamps, audit log entries
  • Communications: support tickets, in-app messages, notification logs
Special category dataVupiy is not designed for, and does not intentionally collect, special category Personal Data under Article 9 UK GDPR. The Customer is responsible if it nevertheless inputs such data and shall agree additional written terms with Vupiy in advance for any structured processing of special category data.
Frequency of processingContinuous during the term of the Agreement.
Obligations and rights of the ControllerAs set out in the UK GDPR, the Agreement and this DPA.

Marketplace integration data (when Customer authorises a marketplace connector)

The following applies when the Customer connects an authorised third-party marketplace (such as Amazon Selling Partner API, or, in future, Etsy / Shopify / eBay) to the Vupiy Services and grants Vupiy OAuth access to retrieve marketplace data on the Customer's behalf.

Categories of Data SubjectsEnd buyers / customers of the Customer's marketplace business (for Amazon: Amazon buyers).
Categories of Personal DataBuyer name; buyer email address; buyer shipping address; order metadata (order ID, dates, items, prices, taxes). For Amazon, buyer Personally Identifiable Information is retrieved only via Amazon's Restricted Data Token (RDT) system, on-demand, when required to generate a UK-VAT-compliant tax invoice for that specific order.
Nature and purpose of processingGeneration of UK-VAT-compliant tax invoices on behalf of the Customer (the marketplace seller); reconciliation of marketplace settlements; preparation of HMRC Making Tax Digital returns; maintenance of statutory audit records.
Duration of processingFor the duration of the Agreement plus six (6) years from the end of the UK tax year in which the related VAT return was submitted, as required by VAT Act 1994 s.69, VAT Regulations 1995 reg. 31 and Companies Act 2006 s.388.
Source of Personal DataAuthorised marketplace API under the Customer's explicit OAuth grant (Amazon Selling Partner API for Amazon; future integrations: Etsy Open API, Shopify Admin API, eBay Sell API).
Lawful basis (Customer's basis for sharing with Vupiy)UK GDPR Article 6(1)(c) — legal obligation (the Customer is legally required to issue VAT-compliant tax invoices and submit Making Tax Digital returns under UK tax law). The Customer is the data controller for this purpose.
RestrictionsVupiy will not use marketplace Personal Data for analytics about other customers, for advertising, for profiling, for training machine-learning models, for resale, or for any purpose unrelated to the Customer's authorised tax compliance use case. Vupiy will comply with Amazon's Data Protection Policy in respect of Amazon Information.

Independent controllers — clarifier

The Customer acknowledges that when Customer Personal Data is transmitted from the Vupiy Services to HM Revenue & Customs (HMRC), Companies House, or other UK statutory authorities as part of a tax filing, statutory return, or comparable submission initiated by the Customer or its authorised users, those authorities act as independent Controllers in respect of that data, and Vupiy's role as Processor ends upon successful transmission. Vupiy is not a Sub-processor of HMRC and HMRC is not a Sub-processor of Vupiy. The Customer's own connected Stripe account and Open Banking AISPs are also independent Controllers of the data they process; see Section 5 of the Sub-processors list.

Equally, third-party marketplaces from which Vupiy retrieves data under the Customer's OAuth grant — including Amazon Services Europe S.à r.l. and its affiliates, and, in future, Etsy Inc., Shopify Inc., and eBay Inc. — are independent Controllers of their own platforms. They are not Vupiy Sub-processors. They process the marketplace data they hold (and that Vupiy retrieves on the Customer's behalf) under their own published policies (e.g. Amazon Privacy Policy and Amazon Data Protection Policy). See Sub-processors list, Section 5 — Independent controllers.

Schedule 2 — Technical and Organisational Measures

Vupiy implements and maintains the following TOMs to ensure a level of security appropriate to the risk, in line with UK GDPR Article 32. Vupiy may update the TOMs from time to time, provided the overall level of security is not materially reduced.

DomainMeasures
1. EncryptionTLS 1.2+ in transit (HSTS enforced on customer-facing domains); AES-256 encryption at rest for databases and backups; field-level encryption (AES-256-GCM) for sensitive secrets including HMRC OAuth tokens, Stripe API keys, 2FA secrets, NI Numbers and UTRs; key management via cloud provider KMS.
2. ConfidentialityRole-based access control on least-privilege basis; mandatory multi-factor authentication (MFA) for all staff with production access; named-user admin accounts only (no shared credentials); staff confidentiality agreements of indefinite duration; access revoked within one business day of leaver.
3. IntegritySHA-256 file integrity checks on uploaded documents; database transaction integrity; signed audit logs for HMRC submissions; code review and protected-branch policies in source control.
4. Availability and resilienceMulti-AZ infrastructure (cloud provider); automated daily backups retained 30 days; tested restore procedures (quarterly); documented Business Continuity / Disaster Recovery plan; load-balanced architecture; RTO target ≤ 24 hours; RPO target ≤ 24 hours.
5. Testing and evaluationAnnual third-party penetration test; quarterly internal vulnerability scans; SAST / DAST in CI; published vulnerability disclosure policy at /security/disclosure-policy.html; security.txt at /.well-known/security.txt.
6. User access managementSSO support (Google, Microsoft); MFA available to end users; password complexity and breached-password checks; configurable session timeout; admin actions audit-logged.
7. Network securityWeb Application Firewall and DDoS protection; IP allow-listing for administrative interfaces; secure DNS and TLS configuration; email authentication (SPF, DKIM, DMARC).
8. Physical securityHosted in cloud provider data centres certified to ISO 27001 and SOC 2 Type II. Vupiy does not operate its own data centre.
9. PersonnelBackground checks for staff with production access; mandatory annual security and privacy training; offboarding access revocation within one business day.
10. Supplier managementDocumented sub-processor due diligence; written Article 28 Data Processing Agreements with all sub-processors; public sub-processor list maintained at vupiy.co.uk/legal/subprocessors.
11. Incident responseDocumented incident response plan; internal escalation target 24 hours; Customer notification within 48 hours of a confirmed Personal Data Breach (clause 4.3); ICO breach notification process documented for the Customer to use.
12. Data minimisation and retentionDocumented retention schedules aligned with the Privacy Policy and statutory minimums (Companies Act 2006 s.388, VAT Act 1994, HMRC VAT Notice 700/22 — six years); automated deletion workflows on termination subject to statutory retention.

Schedule 3 — Sub-processors

The current list of Sub-processors is maintained at vupiy.co.uk/legal/subprocessors, which is incorporated into this DPA by reference. That page sets out, for each Sub-processor: the legal entity name, the role / purpose, the location of processing, and the transfer mechanism (where applicable).

Changes to the Sub-processor list are notified to the Customer in accordance with clause 5.2, with the right to object set out in clause 5.3.

This DPA is signed and accepted electronically by the Customer's acceptance of the Vupiy Terms of Service. No separate signature is required, but a counter-signed PDF copy of this DPA is available on written request to [email protected] for the Customer's records.