This Data Processing Addendum (“DPA”) is entered into between ANYSCRIPT LTD (“Processor”) and the Customer identified in the Subscription Plan (“Controller”) as part of the Terms of Service (the “Agreement”). This DPA applies to all Personal Data processed by Processor on behalf of Controller.
1. Definitions
1.1 “GDPR” means the EU General Data Protection Regulation (EU) 2016/679 and its local implementations (Cyprus Law 125(I)/201) as these may be amended and/or supplemented from time to time.
1.2 “Personal Data” means any information relating to an identified or identifiable natural person provided by Controller or its end-users.
1.3 “Processing” has the meaning given in Article 4(2) GDPR.
1.4 “Sub-processor” means any third party engaged by Processor to process Personal Data on behalf of Controller.
1.5 “Data Subject Request” or “DSR” means any request from a data subject to exercise rights under Articles 15–22 GDPR.
2. Roles and Scope
2.1 The parties agree that Controller is the data controller and Processor is the data processor within the meaning of Article 4(7)–(8) GDPR.
2.2 Processor shall process Personal Data only on documented instructions of Controller, as further specified in Section 3.
3. Subject Matter, Duration, Purpose and Data Types
3.1 Subject Matter & Duration. Subject to the Agreement term, Processor will process Personal Data for the duration necessary to provide the Services.
3.2 Purposes. Processing is limited to:
- Provision of bookkeeping and payroll services;
- Bank-feed integration and transaction categorisation;
- Any additional services ordered under the Agreement.
3.3 Data Categories & Subjects.
Data Categories: contact information, financial transactions, payroll data (including sensitive data such as national identifiers and salary details), usage logs.
Data Subjects: Controller’s employees, end-clients’ employees, business contacts, and website visitors (to the extent covered by the cookie and data-as-controller provisions of the Agreement).
4. Controller Instructions
Processor shall process Personal Data only on Controller’s documented instructions. Controller instructs Processor to:
- Collect, store, retrieve, analyse, and delete Personal Data as necessary to deliver the Services;
- Transfer or disclose Personal Data only to authorised Sub-processors listed in Schedule 1 (Sub-processor Registry) in accordance with Section 6.
5. Processor Obligations
5.1 Confidentiality. Processor’s personnel with access to Personal Data shall be under binding confidentiality obligations.
5.2 Security Measures. Processor shall implement and maintain appropriate technical and organisational measures per Article 32 GDPR, including:
- Encryption at rest and in transit;
- Access controls and role-based permissions;
- Multi-factor authentication (MFA) for administrative access;
- Audit logging and regular security testing.
5.3 Data Subject Rights. Processor shall assist Controller with DSRs within 15 business days, providing relevant information and completing actions (access, rectification, erasure, portability).
5.4 Breach Notification. Processor will notify Controller without undue delay—and in no event later than 24 hours—after becoming aware of a Personal Data breach, providing details to enable Controller’s regulatory notifications.
5.5 Deletion & Return. Upon termination or expiration of the Agreement, Processor shall, at Controller’s choice, return all Personal Data in a machine-readable format or securely delete all copies, and shall certify completion of the chosen action in writing within 30 days.
6. Sub-processing
6.1 Authorisation. Controller authorises Processor to engage the Sub-processors listed in the Sub-processor Registry (Schedule 1 of this DPA).
6.2 Notice. Processor will inform Controller at least 30 days before adding or replacing any Sub-processor. Controller may object in writing on reasonable grounds.
6.3 Flow-down. Processor shall impose equivalent data-protection obligations on each Sub-processor.
7. International Transfers
7.1 Personal Data transferred outside the EEA shall be protected by appropriate safeguards, including:
- Execution of the applicable module of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for each transfer;
- Supplementary measures (e.g. encryption with keys held separately from the transferred data) as required following the CJEU’s Schrems II judgment (Case C-311/18).
8. Audit and Inspection
8.1 Controller (or its appointed auditor) may, upon at least 30 days’ notice and no more than once annually, audit Processor’s compliance with this DPA, including on-site inspections and review of policies and logs, subject to confidentiality obligations.
9. Liability and Indemnity
9.1 Nothing in this DPA limits Processor’s statutory liability under Articles 82–83 GDPR. For other liabilities arising from breach of this DPA, Processor’s aggregate liability shall not exceed the fees paid by Controller in the 12 months preceding the claim.
10. Data Protection Impact Assessments
10.1 If Processor’s processing (including new AI features) requires a data protection impact assessment under Article 35 GDPR, Processor will conduct the DPIA for the feature concerned and share its report with Controller before deployment, and will assist Controller with Controller’s own DPIA obligations in accordance with Article 28(3)(f) GDPR.
11. Miscellaneous
11.1 In the event of conflict between this DPA and the Agreement, this DPA prevails with respect to Personal Data processing.
11.2 This DPA may be amended only by written agreement between the parties.
11.3 Terms defined in the Agreement have the same meaning when used herein.
Schedule 1 - Sub-processor Registry
This Schedule forms part of this Data Processing Addendum (DPA) and lists all authorised Sub-processors engaged by the Processor for the Processing of Personal Data on behalf of the Controller.