Data Processing Addendum
1. Roles of the Parties
- In connection with the Services, we are processing Personal Data on your behalf.
- Each Party agrees to comply with the Data Protection Law in the Processing of Transferred Data.
2. Processing of Personal Data
- You instruct us to process Transferred Data in accordance with this Data Processing Addendum (including in accordance with Attachment A).
- We agree not to process Transferred Data other than on your documented instructions.
3. Security
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we agree to implement appropriate technical and organisational measures in relation to the Transferred Data to ensure a level of security appropriate to that risk in accordance with the Data Protection Law.
- In assessing the appropriate level of security, we agree to take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
4. Sub-Processing
- You authorise our engagement of the Sub-Processors already engaged by us at the Commencement Date, which are set out in Attachment B.
- Where we wish to engage a new Sub-Processor, we agree to provide written notice to you of the details of the engagement of the Sub-Processor at least 14 days prior to engaging the new Sub-Processor (including details of the processing it will perform). You may object in writing to our appointment of a new Sub-Processor within 7 days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss such concerns in good faith with a view to achieving resolution. If the Parties are not able to achieve resolution, we may, at our election:
  - not appoint the proposed Sub-Processor;
  - not disclose any Transferred Data we process on your behalf to the proposed Sub-Processor; or
  - terminate the Services (and the Terms) for convenience, in which case, clause 9.5 of the Terms will apply.
- You agree that the remedies described above are the only outcomes available if you object to our engagement of any proposed Sub-Processor.
- Where we engage a Sub-Processor to process Transferred Data, we agree to enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this Data Processing Addendum with respect to the Transferred Data, and to remain responsible to you for the performance of such Sub-Processor’s data protection obligations under such terms.
- Where the transfer of Transferred Data from us to a Sub-Processor is a Restricted Transfer, it will be subject to the UK Transfer Mechanism (and documents or legislation referred to within it), which shall be deemed to be incorporated into this Data Processing Addendum, and the UK Transfer Mechanism is considered an appropriate safeguard.
5. Data Subject Rights
- Taking into account the nature of the Processing, we agree to assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations, as reasonably understood by you, to respond to requests from Data Subjects to exercise their rights under the Data Protection Law.
- We agree to:
  - promptly notify you if we receive a request from a Data Subject under the Data Protection Law in respect of Transferred Data; and
  - ensure that we do not respond to that request except on your documented instructions or as required by the Data Protection Law, in which case we shall, to the extent permitted by the Data Protection Law, inform you of that legal requirement before we (or our Sub-Processor) respond to the request.
6. Personal Data Breach
- We agree to notify you without undue delay upon becoming aware of a Personal Data Breach affecting Transferred Data, and to provide you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Law.
- We agree to co-operate with you and take reasonable commercial steps as directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- If you decide to notify a Supervisory Authority, Data Subjects or the public of a Personal Data Breach, you agree to provide us with advance copies of the proposed notices and, subject to the Data Protection Law (including any mandated deadlines under it), allow us an opportunity to provide any clarifications or corrections to those notices.
7. Data Protection Impact Assessment and Prior Consultation
- We agree to provide reasonable assistance to you, at your cost (to be charged on a reasonable time and materials basis), with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which you reasonably consider to be required by the Data Protection Law or any other data protection laws.
8. Deletion or Return of Personal Data
- Subject to any document retention requirements at law, we agree to promptly and in any event within 60 business days of the date of cessation of any Services involving the Processing of Transferred Data, delete and procure the deletion of all copies of those Transferred Data.
9. Audit Rights
- Subject to this clause 9, where required by the Data Protection Law, we shall make available to you on request all information reasonably necessary to demonstrate compliance with this Data Processing Addendum, and shall allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the Processing of Transferred Personal Data by us.
- Where clause 9.1 applies, any audit (or inspection):
  - must be conducted during our regular business hours, with reasonable advance notice (which shall not be less than 30 business days);
  - will be subject to our reasonable confidentiality procedures;
  - must be limited in scope to matters specific to you and agreed in advance with us;
  - must not require us to disclose to you any information that could cause us to breach any of our obligations under the Data Protection Law;
  - to the extent we need to expend time to assist you with the audit (or inspection), this will be funded by you, in accordance with pre-agreed rates; and
  - may only be requested by you a maximum of one time per year, except where required by a competent Supervisory Authority or where there has been a Personal Data Breach in relation to Transferred Personal Data, caused by us.
10. Definitions
In this Data Processing Addendum, capitalised terms have the meaning given to them in the main body of the Terms, and as follows:
Data Protection Law means the United Kingdom Data Protection Act 2018 and the EU GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.
Quote means the document to which these Terms are attached or incorporated.
Restricted Transfer means a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to the Data Protection Law.
Transferred Data means any Personal Data that is Processed by us on your behalf in connection with the Services.
UK Transfer Mechanism means the legal methods and safeguards permitted under the Data Protection Law for dealing with Restricted Transfers, including adequacy decisions, standard contractual clauses, binding corporate rules, and other appropriate safeguards as recognised under the Data Protection Law.
The terms, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” (including “Processed”) and “Sub-Processor” shall have the same meaning as in the Data Protection Law.
ATTACHMENT A – DESCRIPTION OF TRANSFER
| Categories and Treatment of Personal Data | |
|---|---|
| Personal Data Transferred | Select all that apply: Basic identifying information: ☒ First name ☒ Middle name ☒ Last name ☐ Maiden name ☐ Date of birth ☐ Sex ☐ Gender ☐ Nationality ☐ Home address ☒ Email address ☒ Phone number Educational information: ☐ Qualifications ☐ Academic records ☐ Training certificates Employment information: ☒ Job title and position ☐ Employer details ☐ Employment history ☐ Salary information ☐ Performance reviews Family information: ☐ Marital status ☐ Dependents' details ☐ Emergency contact information Financial information: ☐ Bank account details ☐ Credit card information ☐ Income details ☐ Tax records ☐ Superannuation or pension details Identification information: ☐ Tax numbers ☐ Driver's license number ☐ Passport number ☐ Government identifier Lifestyle and preferences: ☐ Hobbies and interests ☐ Dietary preferences Online identifiers: ☒ IP address ☒ Cookie data ☒ Device IDs ☒ Location data Professional information: ☐ Professional memberships ☐ Licenses and certifications Social media data: ☐ Social media profiles ☐ Posts and interactions ☐ Friends and connections Audio-visual data: ☐ Photographs ☐ Video recordings ☐ Voice recordings Customer interaction data: ☐ Purchase history ☐ Customer service records ☐ Feedback and complaints Other: ________________________________________________________ |
| Special Categories of Personal Data and Criminal Convictions and Offences | Select one: ☒ Special Categories of Data will not be processed. ☐ The transferred data includes data relating to: ☐ racial or ethnic origin ☐ political opinions ☐ religious or philosophical beliefs ☐ trade union membership ☐ genetic data ☐ biometric data for the purpose of uniquely identifying a natural person ☐ physical or mental health ☐ sex life or sexual orientation ☐ criminal convictions and offences |
| Relevant Data Subjects | Select all that apply: ☒ Anyone about whom Personal Data is input into the Services. ☒ Authorised users of the Services. ☐ Business contact representatives. ☐ Employees, contractors and other Personnel. ☐ Other: ________________________________ |
| Frequency of the Transfer | Continuous. |
| Nature of the Transfer | To provide the Services or as required by Law. |
| Purpose of the Processing | In connection with the provision of the Services. |
| Duration of the Processing | The term of the Services and for a period of 30 days after the time the Services have stopped being supplied. |
ATTACHMENT B – LIST OF SUB-PROCESSORS
Available at: https://onetouchleasing.co.uk/legal/sub-processors/