
Data Processing Agreement (DPA)

Last Updated: 26 May 2026

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between Invatax Ltd ("Processor", "Invatax", "we", "our") and the customer using the Invatax platform ("Controller", "Customer", "you").

This DPA applies where Invatax processes Personal Data on behalf of the Customer in connection with the Invatax services.

Where Invatax acts as an independent controller, for example for account administration, billing, security, and product operation, our Privacy Policy also applies.

1. Definitions

For the purposes of this DPA:

  • "UK GDPR" means the UK General Data Protection Regulation.
  • "Personal Data" has the meaning given under UK GDPR.
  • "Controller" means the entity determining the purposes and means of processing personal data.
  • "Processor" means the entity processing personal data on behalf of the Controller.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data.
  • "Data Subject" means the identified or identifiable individual to whom Personal Data relates.

2. Scope

This DPA applies to all Personal Data processed by Invatax on behalf of the Customer through use of the Invatax platform.

3. Nature and Purpose of Processing

Invatax processes Personal Data solely for the purpose of:

  • Providing VAT threshold monitoring services
  • Providing turnover calculations
  • Delivering alerts and notifications
  • Providing accounting software integrations
  • Managing subscriptions and support
  • Maintaining and securing the platform
  • Creating reports and exports requested by the Customer

Invatax is a VAT threshold tracking tool. It does not provide tax, legal, accounting, or financial advice.

Outputs generated by Invatax are based on the data available to the platform. The Customer remains responsible for reviewing that data and confirming VAT registration requirements with an accountant, tax adviser, or HMRC before acting.

4. Categories of Personal Data

Personal Data processed may include:

  • Names
  • Email addresses
  • Business information
  • VAT registration information
  • Turnover figures
  • Financial summaries
  • User account information
  • IP addresses
  • Device/browser metadata

Invatax does not intentionally process special category data.

5. Categories of Data Subjects

Data Subjects may include:

  • Sole traders
  • Company directors
  • Employees
  • Customers of the Customer
  • Authorised platform users

6. Controller Obligations

The Customer confirms that:

  • It has all necessary rights and permissions to provide Personal Data to Invatax
  • It complies with UK GDPR
  • It has provided appropriate privacy notices where required
  • Instructions given to Invatax are lawful

The Customer remains responsible for determining the legal basis for processing Personal Data.

7. Processor Obligations

Invatax shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure authorised personnel are subject to confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist the Customer with GDPR obligations where reasonably possible
  • Notify the Customer without undue delay after becoming aware of a Personal Data breach
  • Maintain appropriate security protections

8. Security Measures

Invatax implements reasonable security measures including:

  • HTTPS encryption
  • Access controls
  • Authentication protections
  • Encrypted API tokens
  • Database security controls
  • Row Level Security (RLS)
  • Secure cloud hosting
  • Monitoring and logging

No system can be guaranteed 100% secure.

Invatax does not guarantee uninterrupted availability. Accounting integrations, payment services, hosting, email delivery, and monitoring providers may fail, be delayed, or be temporarily unavailable.

Customers must also protect their own login details, limit account access to authorised users, and review any exported reports before sharing them.

9. Sub-processors

The Customer authorises Invatax to use sub-processors where necessary to provide the services.

Current sub-processors may include:

  • Supabase
  • Stripe
  • Netlify
  • Resend
  • Sentry
  • Xero
  • QuickBooks
  • Google Analytics (if enabled)

Invatax shall ensure sub-processors are subject to appropriate contractual obligations.

Invatax may update sub-processors from time to time.

An up-to-date list shall be maintained at:
/subprocessors

10. International Transfers

Where Personal Data is transferred outside the UK, Invatax shall ensure appropriate safeguards are implemented, including adequacy regulations or approved contractual protections where required.

11. Data Subject Rights

Taking into account the nature of the processing, Invatax shall reasonably assist the Customer in responding to requests relating to:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Portability
  • Objection requests

12. Data Breach Notification

Invatax shall notify the Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Personal Data.

Notifications may include:

  • Nature of the breach
  • Categories of data affected
  • Likely consequences
  • Mitigation measures taken

13. Audit Rights

Invatax shall provide reasonable information necessary to demonstrate compliance with this DPA upon reasonable written request.

Audit requests must:

  • Be reasonable
  • Not compromise security
  • Not interfere with operations
  • Be limited to once per year unless legally required

14. Retention and Deletion

Upon account deletion or termination:

  • Operational Customer data will be deleted or anonymised within a reasonable period, normally within 30 days of a confirmed deletion request
  • Backup retention may continue for up to 90 days
  • Certain billing, audit, security, dispute, or legal records may be retained where legally required or where necessary to protect the service

Cancellation of a subscription does not automatically delete Customer data. Deletion must be requested separately through the app or by contacting Invatax.

15. Liability

Each party remains responsible for its own compliance with UK GDPR.

Nothing in this DPA excludes liability where prohibited by law.

To the maximum extent permitted by law, Invatax's liability under this DPA shall be limited in accordance with the Terms & Conditions.

16. Termination

This DPA automatically terminates upon termination of the Customer's use of Invatax services.

17. Governing Law

This DPA shall be governed by the laws of England and Wales.

18. Contact

Questions regarding this DPA may be sent to:

info@invatax.co.uk

Legal note: This DPA is written in plain English for launch readiness. Final legal review is recommended before public launch.

© 2026 Invatax Ltd. All rights reserved.

Invatax Ltd is a company registered in England and Wales.

Invatax is software only and uses automated systems to generate VAT threshold calculations and alerts. It does not provide tax, legal, or accounting advice. Users remain responsible for reviewing financial information and confirming VAT registration requirements with an accountant, tax adviser, or HMRC.

Email: info@invatax.co.uk
