Data Processing Agreement

(A) Billingbooth provides cloud-based billing and subscription management services (the "Service") to customers who register for an account and accept its Terms of Service (the "Terms").

(B) In the course of providing the Service, Billingbooth will process personal data on behalf of the Customer. This DPA sets out the terms on which such processing takes place.

(C) This DPA is incorporated into, and forms part of, the Terms. By accepting the Terms, the Customer agrees to this DPA. No separate signature is required.

(D) Both parties intend this DPA to comply with the UK GDPR and the Data Protection Act 2018, as amended from time to time.

2.1 This DPA applies to all Customers who have accepted the Terms, regardless of whether a separate data processing agreement has been signed. Acceptance of the Terms constitutes acceptance of this DPA.

2.2 The Customer is the Controller of personal data processed through the Service. Billingbooth is the Processor of that data, acting only on the documented instructions of the Customer.

2.3 The subject matter, nature, purpose, duration, and categories of personal data and Data Subjects in respect of the processing under this DPA are set out in Schedule A (Processing Details).

2.4 In the event of a conflict between this DPA and the Terms on matters relating to data protection, this DPA shall prevail.

2.5 Where the Customer is an individual acting in a personal capacity (rather than as a business), references to "company number" and "ICO registration" in this DPA do not apply. However, all other obligations remain in full force.

3.1 The Customer warrants and represents that:

• it has a valid lawful basis for processing under the Data Protection Laws for each processing activity it instructs Billingbooth to carry out;
• all personal data submitted to the Service has been collected lawfully and fairly, and Data Subjects have been given appropriate privacy notices;
• it will not submit special category personal data (as defined in Article 9 UK GDPR) to the Service without first obtaining Billingbooth's written consent and establishing the necessary safeguards; and
• it will promptly notify Billingbooth of any changes to applicable Data Protection Laws that may materially affect the processing under this DPA.

3.2 The Customer is solely responsible for the accuracy, quality, and legality of the personal data it submits to the Service, and for the means by which it acquires that data.

4.1 Billingbooth shall process personal data only:

• on the documented instructions of the Customer, including those set out in this DPA and the Terms; and
• as required by applicable law, in which case Billingbooth shall, to the extent permitted by law, notify the Customer before such processing.

4.2 Billingbooth shall promptly inform the Customer if, in its reasonable opinion, an instruction from the Customer infringes the Data Protection Laws.

4.3 Billingbooth shall ensure that all persons authorised to process personal data are subject to appropriate obligations of confidentiality, whether by contract or professional obligation.

4.4 Billingbooth shall, at the Customer's reasonable written request and cost, provide assistance to enable the Customer to comply with its own obligations under the Data Protection Laws, including in connection with security, breach notification, data protection impact assessments, and consultations with the ICO.

4.5 Billingbooth shall maintain records of processing activities carried out on behalf of Customers in accordance with Article 30 UK GDPR, and shall make such records available to the Customer or the ICO upon written request.

5.1 Billingbooth shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the nature, scope, context, and purposes of the processing and the risks to Data Subjects. These measures shall include, at minimum:

• encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
• role-based access controls and the principle of least privilege;
• multi-factor authentication for all staff accessing systems that process personal data;
• regular penetration testing and vulnerability scanning (at least annually);
• business continuity and disaster recovery plans, tested at least annually; and
• mandatory data protection and security training for all staff, conducted at least annually.

5.2 A summary of Billingbooth's current technical and organisational measures is set out in Schedule C. Billingbooth will review and update these measures periodically and will notify Customers of any material reductions in their protective effect.

6.1 By accepting this DPA, the Customer grants Billingbooth general written authorisation to engage the Sub-processors listed in Schedule B (Approved Sub-processors).

6.2 Billingbooth shall:

• enter into a written data processing agreement with each Sub-processor that imposes obligations no less protective than those in this DPA;
• remain fully liable to the Customer for the acts and omissions of each Sub-processor as if they were Billingbooth's own; and
• make its current Sub-processor list available to Customers at any time via billingbooth.com/legal/dpa.

6.3 Before appointing a new Sub-processor or materially changing an existing Sub-processor's role, Billingbooth shall give Customers at least thirty (30) days' prior notice by email or via an in-product notification. Customers who object to such a change on reasonable data protection grounds may notify Billingbooth in writing within fourteen (14) days. If the parties cannot resolve the objection, the Customer may terminate their subscription without penalty on thirty (30) days' written notice.

7.1 Billingbooth shall not transfer personal data to a country outside the United Kingdom unless:

• the ICO has determined that the destination country provides an adequate level of protection;
• appropriate safeguards are in place in accordance with Article 46 UK GDPR, such as the IDTA or the UK Addendum to the EU SCCs; or
• an exemption under Article 49 UK GDPR applies.

7.2 Current international transfers are identified in Schedule B.

8.1 Billingbooth shall provide the Customer with reasonable technical assistance to enable the Customer to respond to requests from Data Subjects exercising rights under the Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

8.2 If Billingbooth receives a Data Subject request that relates to personal data processed on behalf of a Customer, it shall promptly forward that request to the Customer and shall not respond substantively without the Customer's prior written authorisation (except to acknowledge receipt).

8.3 Where technically feasible, Billingbooth shall provide data portability exports in a commonly used, machine-readable format within thirty (30) days of a validated request from the Customer.

9.1 Billingbooth shall retain personal data only for as long as necessary to provide the Service or as required by applicable law.

9.2 On termination or expiry of a Customer's subscription (for any reason), Billingbooth shall, within sixty (60) days, securely delete or destroy all personal data relating to that Customer.

9.3 Billingbooth shall provide written confirmation to the Customer once deletion or return is complete. Where Billingbooth is required by law to retain personal data beyond this period, it shall inform the Customer of the legal basis and limit its processing of such data to that required by law.

9.4 Customers may export their personal data at any time during their subscription using the self-service export tools within the Service.

10.1 Billingbooth shall notify affected Customers without undue delay, and in any event within forty-eight (48) hours of becoming aware of, any Security Incident affecting personal data processed under this DPA.

10.2 Such notification shall include, to the extent then known:

• the nature of the Security Incident, including the categories and approximate number of Data Subjects and personal data records affected;
• the contact details of Billingbooth's data protection contact;
• the likely consequences of the Security Incident; and
• the measures taken or proposed to address the Security Incident and mitigate its effects.

10.3 Billingbooth shall cooperate fully with affected Customers in investigating and remediating any Security Incident and shall provide further information as it becomes available.

10.4 Billingbooth shall not make any public disclosure about a Security Incident, or notify the ICO, in a manner that identifies a specific Customer, without that Customer's prior written consent, unless required to do so by law.

11.1 Billingbooth shall, upon written request, make available to the Customer (or an auditor mandated by the Customer) information reasonably necessary to demonstrate compliance with this DPA.

11.2 The Customer shall give Billingbooth at least thirty (30) Business Days' prior written notice of any audit request, unless a shorter period is required by a supervisory authority. Audits must be conducted during normal business hours in a manner that minimises disruption to Billingbooth's operations.

11.3 The costs of any audit requested by the Customer (other than audits arising directly from a Security Incident or Billingbooth's breach of this DPA) shall be borne by the Customer.

12.1 Each party's liability under this DPA shall be subject to the same limitations and exclusions that apply under the Terms, except to the extent that such limitations are prohibited by applicable law, including the Data Protection Laws.

12.2 Nothing in this DPA shall limit or exclude either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot lawfully be excluded.

12.3 Billingbooth shall not be liable for any processing of personal data carried out by the Customer in breach of the Data Protection Laws or this DPA.

13.1 This DPA is effective from the date the Customer accepts the Terms and remains in force for the duration of the Customer's subscription, unless terminated earlier in accordance with Clause 6.3.

13.2 Termination of the Terms automatically terminates this DPA, subject to any obligations that survive by their nature or by the express terms of this DPA.

13.3 Clauses 9 (Retention and Deletion), 12 (Liability), and 15 (Governing Law) shall survive termination or expiry of this DPA.

14.1 Billingbooth's lead supervisory authority is the Information Commissioner's Office (ICO), United Kingdom.

14.2 Customers who are established in the UK are responsible for their own ICO registration (where required) and compliance with the Data Protection Laws in their jurisdiction.

14.3 Nothing in this DPA prevents either party from lodging a complaint with, or seeking assistance from, the ICO or any other competent supervisory authority.

15.1 Governing Law. This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales.

15.2 Updates to this DPA. Billingbooth may update this DPA from time to time to reflect changes in Data Protection Laws, its processing activities, or its services. Billingbooth will notify Customers of any material changes at least thirty (30) days before they take effect, by email or in-product notice. Continued use of the Service after that period constitutes acceptance of the updated DPA. Customers who do not accept a material change may terminate their subscription without penalty before the change takes effect, by giving written notice to [email protected].

15.3 Severability. If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.

15.4 No Waiver. A failure or delay by either party to exercise any right under this DPA shall not constitute a waiver of that right.

15.5 Entire Agreement. This DPA (together with its Schedules and the Terms) constitutes the entire agreement between the parties with respect to the processing of personal data through the Service, and supersedes all prior representations, discussions, and agreements on that subject.

15.6 Notices. Notices to Billingbooth under this DPA shall be sent to [email protected]. Notices to the Customer shall be sent to the email address registered on the Customer's account. Notices are effective on the next business day after sending.

15.7 Third Party Rights. This DPA does not confer any rights on any third party under the Contracts (Rights of Third Parties) Act 1999.