Template — review with counsel before execution
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and AITA ("Processor") for use of the AITA platform (the "Service"). To execute a counter-signed copy, email privacy@aita.tax.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK GDPR and Data Protection Act 2018.
2. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller solely to provide the Service for the duration of the underlying subscription. Processing ends when the subscription terminates, subject to deletion timelines below.
3. Nature and purpose of processing
The Processor processes Personal Data to host, secure, support, and deliver the features of the Service, including tax research, compliance calendars, e-invoicing mapping, vendor selection, and workspace collaboration.
4. Categories of Personal Data and Data Subjects
- Workspace user identifiers: name, business email, role, authentication metadata.
- Content uploaded by the Controller: tax documents, transaction extracts, vendor information, free-text notes.
- Usage telemetry: session timestamps, feature events, error logs.
Data Subjects are the Controller's personnel and any individuals identifiable in content the Controller uploads.
5. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel are bound by confidentiality.
- Implement the technical and organisational measures described at /trust, including encryption in transit and at rest, role-based access, audit logging, MFA for administrators, and incident response.
- Assist the Controller with Data Subject requests, Data Protection Impact Assessments, and Supervisory Authority engagement, taking the nature of processing into account.
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's data.
6. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed at /trust. The Processor will give the Controller at least 30 days' prior notice before adding a new sub-processor affecting the Controller's data; the Controller may terminate the affected Service on reasonable grounds if it objects within that period.
7. International transfers
Where Personal Data is transferred outside the EEA or UK to a country without an adequacy decision, the Parties rely on the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK International Data Transfer Addendum, which are incorporated by reference.
8. Data Subject rights
The Processor provides workspace tooling enabling the Controller to access, correct, export, and delete Personal Data held within the Service. For requests requiring Processor assistance, contact privacy@aita.tax.
9. Security
The Processor maintains the technical and organisational measures summarised at /trust. The Processor's compliance roadmap (including SOC 2 Type I and Type II) is set out on the same page.
10. Audits
The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA, including, when issued, third-party audit reports. On-site audits may be conducted no more than once per year, on reasonable prior notice, during business hours, and subject to confidentiality.
11. Deletion and return
On termination, the Controller may export workspace data through the Service for 30 days. Thereafter the Processor will delete Personal Data from production systems within a further 30 days, except where retention is required by law. Backup copies expire automatically within the provider's point-in-time recovery window (currently 7 days).
12. Liability
Each Party's liability under this DPA is subject to the limitations of liability agreed in the underlying subscription agreement.
13. Governing law
This DPA is governed by the law of the jurisdiction specified in the underlying subscription agreement; in the absence of such specification, the laws of England and Wales apply.
This template reflects AITA's standard terms as of 2026-07-10 and may be updated. Customers requiring a counter-signed copy or redlines should contact privacy@aita.tax.