Template — review with counsel before execution

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and AITA ("Processor") for use of the AITA platform (the "Service"). To execute a counter-signed copy, email privacy@aita.tax.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK GDPR and Data Protection Act 2018.

2. Subject matter and duration

The Processor processes Personal Data on behalf of the Controller solely to provide the Service for the duration of the underlying subscription. Processing ends when the subscription terminates, subject to deletion timelines below.

3. Nature and purpose of processing

The Processor processes Personal Data to host, secure, support, and deliver the features of the Service, including tax research, compliance calendars, e-invoicing mapping, vendor selection, and workspace collaboration.

4. Categories of Personal Data and Data Subjects

Data Subjects are the Controller's personnel and any individuals identifiable in content the Controller uploads.

5. Processor obligations

6. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed at /trust. The Processor will give the Controller at least 30 days' prior notice before adding a new sub-processor affecting the Controller's data; the Controller may terminate the affected Service on reasonable grounds if it objects within that period.

7. International transfers

Where Personal Data is transferred outside the EEA or UK to a country without an adequacy decision, the Parties rely on the EU Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK International Data Transfer Addendum, which are incorporated by reference.

8. Data Subject rights

The Processor provides workspace tooling enabling the Controller to access, correct, export, and delete Personal Data held within the Service. For requests requiring Processor assistance, contact privacy@aita.tax.

9. Security

The Processor maintains the technical and organisational measures summarised at /trust. The Processor's compliance roadmap (including SOC 2 Type I and Type II) is set out on the same page.

10. Audits

The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA, including, when issued, third-party audit reports. On-site audits may be conducted no more than once per year, on reasonable prior notice, during business hours, and subject to confidentiality.

11. Deletion and return

On termination, the Controller may export workspace data through the Service for 30 days. Thereafter the Processor will delete Personal Data from production systems within a further 30 days, except where retention is required by law. Backup copies expire automatically within the provider's point-in-time recovery window (currently 7 days).

12. Liability

Each Party's liability under this DPA is subject to the limitations of liability agreed in the underlying subscription agreement.

13. Governing law

This DPA is governed by the law of the jurisdiction specified in the underlying subscription agreement; in the absence of such specification, the laws of England and Wales apply.


This template reflects AITA's standard terms as of 2026-07-10 and may be updated. Customers requiring a counter-signed copy or redlines should contact privacy@aita.tax.