This Data Processing Agreement ("DPA") forms part of the Terms of Service between ClarityFP Ltd ("Processor") and the customer ("Controller") and governs the processing of personal data by ClarityFP on behalf of the customer. This DPA is particularly relevant for Advisor accounts where personal data of third parties (the advisor's clients) is processed.
Who needs this
This DPA is primarily relevant for Advisor users who process their clients' financial data through ClarityFP. Under UK GDPR, you (the Advisor) are the data controller for your clients' personal data, and ClarityFP acts as data processor. This DPA documents that arrangement.
5.1 Definitions
- "Controller" means the ClarityFP customer who determines the purposes and means of processing personal data (typically the Advisor or Business Owner)
- "Processor" means ClarityFP Ltd, which processes personal data on behalf of the Controller
- "Personal Data" has the meaning given in UK GDPR
- "Processing" has the meaning given in UK GDPR
- "Data Subject" means the individuals whose personal data is processed (e.g., company directors, employees whose payroll data appears in financial records, customers whose names appear on invoices)
5.2 Nature and Purpose of Processing
ClarityFP processes personal data on behalf of the Controller for the following purposes:
- Displaying financial data connected from the Controller's accounting software
- Generating financial analysis, reports, and insights
- Storing management accounts and commentary
- Sending alerts and notifications to authorised users
- Providing the advisor portal and multi-client management features
5.3 Types of Personal Data Processed
- Names and email addresses of company directors and authorised users
- Names of customers and suppliers as they appear in accounting records
- Financial transaction data (invoice amounts, payment dates, account balances)
- Bank account information (account names, transaction descriptions)
5.4 Processor Obligations
ClarityFP agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure that all staff with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to Data Subject rights requests
- Delete or return all personal data on termination of the agreement
- Make available all information necessary to demonstrate compliance with this DPA
- Not engage sub-processors without the Controller's prior authorisation (sub-processors are listed at useclarityfp.com/sub-processors)
5.5 Controller Obligations
The Controller agrees to:
- Ensure they have a lawful basis for processing personal data before connecting it to ClarityFP
- Ensure they have provided appropriate privacy notices to Data Subjects whose data is processed
- Ensure that connecting client data to ClarityFP (in the case of Advisors) is covered by their engagement terms with those clients
- Notify ClarityFP promptly if they become aware of any data breach or security incident
5.6 Sub-Processors
ClarityFP uses the following sub-processors. By accepting these terms, the Controller authorises their use:
| Sub-Processor | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | United Kingdom (eu-west-2) | Cloud hosting, database storage, file storage |
| Anthropic | United States | AI inference (Claude API) for generating insights and analysis |
| Resend | United States | Transactional email delivery |
| TrueLayer | United Kingdom | FCA-regulated Open Banking data access |
| Stripe | United States / EEA | Payment processing |
For transfers to the United States (Anthropic, Resend, Stripe), we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office under the UK GDPR international transfer framework.
5.7 Data Breach Notification
In the event of a personal data breach, ClarityFP will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information to allow the Controller to meet their own notification obligations to the ICO and to affected Data Subjects where required.
5.8 Governing Law
This DPA is governed by the laws of England and Wales and is subject to UK GDPR as retained in UK law by the European Union (Withdrawal) Act 2018.