Data Processing Addendum
Last updated: 2026-04-14
UK GDPR Article 28 — Controller to Processor Agreement
Receiptflow Ltd · Effective: 14 April 2026
- Basis: UK GDPR Art. 28 & DPA 2018
- Enterprise DPA: dpa@receiptflow.co
- Governing Law: England & Wales
How This DPA Works: By accepting the Receiptflow Terms of Service, you (the Customer) enter into this DPA automatically. Enterprise customers requiring a wet-ink or countersigned copy should contact dpa@receiptflow.co. This DPA is incorporated into and subject to the Terms of Service.
Parties
| Role | Party and Responsibilities |
|---|---|
| Data Controller | The Customer — the entity or individual identified in the Receiptflow account. Determines the purposes and means of processing Customer Data. |
| Data Processor | Receiptflow Ltd — Company No. 15992753. Processes Customer Data only on the Controller's documented instructions for the purpose of providing the Platform. |
Clause 1 — Subject Matter, Duration & Scope
1.1 — Subject Matter
Receiptflow processes Customer Data solely to provide the automated data extraction and document management features described in the Terms of Service.
1.2 — Duration
This DPA remains in force for the duration of the Agreement and, solely with respect to deletion obligations, for the 30-day post-termination data retention period and any subsequent deletion confirmation period.
1.3 — Nature of Processing
Processing operations include: (a) receipt and ingestion of uploaded documents; (b) transmission of document images to the OCR sub-processor; (c) receipt and structured storage of extracted data; (d) provision of structured data to the Customer via dashboard and API; (e) secure storage and backup of Customer Data. No profiling, automated decision-making with legal effect, or processing for Receiptflow's own commercial purposes is performed on Customer Data.
1.4 — Categories of Personal Data
Customer Data typically includes: names; postal and email addresses; VAT registration numbers; bank account references and sort codes; transaction amounts and dates; supplier and customer entity names; and employee names where appearing on payroll-related documents. It does not ordinarily include special category data (UK GDPR Art. 9). Customers must not upload special category data without prior written agreement with Receiptflow.
1.5 — Categories of Data Subjects
Suppliers, customers, clients, and employees of the Controller whose details appear on financial documents uploaded to the Platform.
Clause 2 — Processor Obligations (UK GDPR Art. 28(3))
Receiptflow shall:
2.1 — Instructions Only
Process Customer Data only on documented instructions from the Controller, as set out in the Agreement and this DPA. If UK law requires Receiptflow to process beyond those instructions, Receiptflow shall notify the Controller before such processing unless prohibited by law.
2.2 — Confidentiality
Ensure that all personnel authorised to process Customer Data are subject to appropriate confidentiality obligations, whether by contract or professional duty.
2.3 — Security
Implement and maintain the technical and organisational measures set out in Schedule 1 of this DPA, appropriate to the risk presented by the nature and scope of processing.
2.4 — Data Subject Rights
Assist the Controller, insofar as reasonably possible and having regard to the nature of processing, in fulfilling the Controller's obligations to respond to Data Subject requests under UK GDPR Chapter III (rights of access, rectification, erasure, restriction, portability, and objection).
2.5 — Compliance Assistance
Assist the Controller in ensuring compliance with UK GDPR Articles 32–36, taking into account the nature of processing and information available to Receiptflow. This includes: security obligations (Art. 32); breach notification (Arts. 33–34); data protection impact assessments (Art. 35); and prior consultation with the ICO (Art. 36).
2.6 — Deletion/Return on Termination
At the Controller's election, upon termination of the Agreement, delete or return all Customer Data in accordance with Clause 5 of this DPA, and delete existing copies, unless UK law requires continued storage.
2.7 — Records
Maintain a record of processing activities carried out on behalf of the Controller as required by UK GDPR Article 30(2), and make such records available to the ICO on request.
Clause 3 — Sub-processors
3.1 — General Authorisation
The Controller provides general written authorisation for Receiptflow to engage sub-processors. The current list of authorised sub-processors is available on request from dpa@receiptflow.co and is reproduced in Schedule 2 of this DPA as at the effective date.
3.2 — Change Notification
Receiptflow shall notify the Controller of any intended addition or replacement of sub-processors not less than 30 calendar days in advance, by email to the account holder's registered address or via in-platform notice. Notification shall include the sub-processor's name, location, purpose, and the categories of data to be processed.
3.3 — Right to Object
The Controller may object to a proposed new or replacement sub-processor within 15 calendar days of receiving notification, by written notice to dpa@receiptflow.co setting out the specific grounds for objection. If Receiptflow cannot accommodate the objection (for example, by proposing a commercially reasonable alternative), the Controller may terminate the Agreement on written notice without penalty for that termination, subject to payment of fees for the period of use.
3.4 — Sub-processor Obligations
Receiptflow imposes data processing obligations on each sub-processor that are no less protective than those in this DPA, pursuant to UK GDPR Article 28(4). Receiptflow remains fully liable to the Controller for the acts and omissions of its sub-processors to the extent that a sub-processor fails to fulfil such obligations.
3.5 — OCR Sub-processor: Data Minimisation
In respect of OCR processing (currently Microsoft Azure Document Intelligence): document images are transmitted to the OCR sub-processor solely for the duration of each extraction call. Receiptflow has confirmed with Microsoft that Customer Data submitted via the Document Intelligence API is not retained by Microsoft after the call completes and is not used for model training, in accordance with Microsoft's Data Protection Addendum and Product Terms. Documentation is available from Receiptflow on request.
Clause 4 — Security & Breach Notification
4.1 — Security Measures
Receiptflow shall implement and maintain the technical and organisational security measures described in Schedule 1 of this DPA. Receiptflow will review these measures at least annually and update them as appropriate having regard to the state of the art and the risks presented by the processing.
4.2 — Breach Notification
Receiptflow shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data. This obligation applies whether the breach occurs within Receiptflow's own systems or is reported to Receiptflow by a sub-processor. Notification shall include, to the extent then known:
- The nature of the breach;
- Categories and approximate number of data subjects and personal data records affected;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its effects.
Where all information is not available within 72 hours, Receiptflow shall provide the available information and supplement this in subsequent notifications as further information becomes available.
4.3 — Breach Notification Does Not Constitute Admission
Receiptflow's notification of a personal data breach to the Controller does not constitute an admission of fault, liability, or breach of this DPA or the Agreement.
Clause 5 — Data Retention & Deletion
5.1 — Active Subscription
Customer Data is retained in live systems for the duration of the active Subscription.
5.2 — Post-Termination Export Window
Following termination or expiry of the Agreement, Customer Data remains accessible for export for 30 calendar days. Export is available in CSV and JSON formats via the platform dashboard and API.
5.3 — Deletion Schedule
| System Type | Deletion Triggered | Completed Within |
|---|---|---|
| Live / production systems | End of Export Window | 14 calendar days |
| Database backups | End of Export Window | 90 calendar days |
| OCR sub-processor (Azure) | End of each API call | Immediate (call-by-call) |
| Audit logs | Not deleted | Retained 12 months for security |
5.4 — Deletion Confirmation
Receiptflow shall, upon written request received during or within 14 days of the Export Window, provide written confirmation that Customer Data has been deleted from live systems. Confirmation of backup deletion will follow the applicable 90-day schedule.
Clause 6 — Data Transfers
6.1 Primary processing and storage of Customer Data takes place within the United Kingdom (AWS eu-west-2, London Region).
6.2 Where sub-processor processing involves a transfer of personal data outside the UK, Receiptflow ensures appropriate safeguards are in place under UK GDPR Chapter V, including UK International Data Transfer Agreements (IDTAs) or reliance on adequacy regulations, as applicable. Details of transfer mechanisms for each sub-processor are available from dpa@receiptflow.co on request.
Clause 7 — Controller Warranties
The Controller warrants and represents that:
- (a) It has and will maintain a lawful basis under UK GDPR Article 6 for instructing Receiptflow to process Customer Data;
- (b) It has provided all required notices to, and obtained all required consents from, data subjects whose personal data is included in Customer Data;
- (c) Customer Data does not include special category data (UK GDPR Art. 9) or criminal conviction data (Art. 10) unless separately agreed in writing with Receiptflow;
- (d) Its instructions to Receiptflow comply with applicable law.
Clause 8 — Audit Rights
8.1 — Information Provision
Receiptflow shall make available to the Controller all information reasonably necessary to demonstrate compliance with its obligations under this DPA and UK GDPR Article 28.
8.2 — Third-Party Reports
Receiptflow may satisfy its audit obligations under this clause by providing the Controller with reports from independent third-party security assessors (including penetration test summaries and security certifications), where available. The Controller agrees to rely on such reports in the first instance before requesting a direct audit.
8.3 — Direct Audits
Where the Controller requires a direct audit, such audit shall be subject to: (a) not less than 30 days' prior written notice; (b) execution of a confidentiality agreement acceptable to Receiptflow; (c) the audit being conducted during normal business hours with minimum disruption; and (d) the audit being at the Controller's cost unless the audit reveals a material breach of this DPA.
Clause 9 — Governing Law
This DPA is governed by the laws of England and Wales. In the event of conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to the processing of personal data.
Schedule 1 — Technical & Organisational Security Measures
| Control | Measure | Status |
|---|---|---|
| Encryption at Rest | AES-256 encryption for all stored Customer Data | Implemented |
| Encryption in Transit | TLS 1.3 minimum for all data in transit | Implemented |
| Access Control | Role-based access control (RBAC); principle of least privilege; MFA required for all administrative access | Implemented |
| Vulnerability Management | Automated dependency scanning; annual penetration test by qualified third party | Scanning active |
| Incident Response | Documented incident response plan; 72-hour breach notification commitment | Implemented |
| Employee Training | Annual data protection training for all personnel with access to Customer Data | Implemented |
| Sub-processor Oversight | Contractual data processing obligations imposed on all sub-processors per UK GDPR Art. 28(4) | Implemented |
| Audit Logging | Access and administrative action logs retained for 12 months | Implemented |
Schedule 2 — Authorised Sub-processors
As at effective date. Current version available on request from dpa@receiptflow.co
| Provider | Entity & Jurisdiction | Purpose | Data Categories | Location | Transfer Mechanism | DPA Reference |
|---|---|---|---|---|---|---|
| Amazon Web Services | AWS EMEA SARL (Luxembourg) | Cloud infrastructure, storage, compute | All Customer Data | UK (eu-west-2) | UK IDTA | aws.amazon.com/compliance/gdpr-center |
| Supabase Inc. | USA (data via AWS eu-west-2) | Database & authentication | Account & structured extraction data | EU/UK (AWS) | UK IDTA / SCCs | supabase.com/privacy |
| Microsoft Azure | Microsoft Ireland Operations Ltd | OCR / Document Intelligence (no retention) | Document images only — not retained post-call | EU (North Europe) | UK IDTA | microsoft.com/licensing/terms |
| Stripe Inc. | Stripe Payments Europe Ltd (Ireland) | Payment processing | Billing data only — no Customer document data | EU / UK | UK IDTA | stripe.com/gb/privacy |
Version 1.0
