Data Processing Agreement – aligned.tax
Last updated: 8th March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the user ("Controller") and Abridged Ltd ("Processor", "we", "our") and governs the processing of personal data by the Processor on behalf of the Controller.
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
1. Definitions
"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any regulations made under them, as amended from time to time.
"Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Service, as further described in Schedule 1.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"Subprocessor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
Terms not defined in this DPA have the meanings given to them in the UK GDPR or the Terms of Service.
2. Roles of the Parties
Where the Controller uploads personal data of its clients or other third parties to the Service, the Controller is the data controller and the Processor processes that data as a data processor acting on the Controller's documented instructions.
For the avoidance of doubt, where a user uploads their own personal data for their own tax submissions, Abridged Ltd acts as a data controller for that data, and this DPA does not apply to that processing (which is governed by our Privacy Policy).
3. Subject Matter and Details of Processing
The details of the processing are set out in Schedule 1. In summary:
Subject matter: Processing of financial and personal data to enable the Controller to use the aligned.tax platform for Making Tax Digital submissions.
Duration: For the term of the Controller's use of the Service, plus any retention period required by law or specified in the Terms of Service.
Nature of processing: Collection, storage, organisation, structuring, retrieval, AI-assisted categorisation, transmission (to HMRC), and erasure.
Purpose: To provide the Service including spreadsheet upload, data transformation, AI-assisted categorisation, preparation of financial summaries, and submission of data to HMRC.
4. Processor Obligations
The Processor shall:
4.1 Documented instructions
Process Personal Data only on the Controller's documented instructions, unless required to do so by applicable law. The Controller's instructions are documented in this DPA, the Terms of Service, and through the Controller's use of the Service's features and settings. If the Processor believes an instruction infringes Data Protection Laws, it shall inform the Controller without delay.
4.2 Confidentiality
Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption of Personal Data in transit (TLS 1.2 or above) and at rest
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
- Access controls including role-based access, multi-factor authentication for administrative access, and principle of least privilege
- Audit logging of access to Personal Data and submission events
- Automatic redaction of personal identifiers (including National Insurance Numbers, email addresses, IP addresses, and phone numbers) in application logs
- Regular testing, assessment, and evaluation of the effectiveness of security measures
- A process for regularly reviewing and improving security measures
The specific measures are described in Schedule 3.
4.4 Subprocessors
Not engage another processor (Subprocessor) without the prior general written authorisation of the Controller. The Controller provides general authorisation for the Subprocessors listed in Schedule 2.
The Processor shall:
- Inform the Controller of any intended changes to Subprocessors, giving the Controller reasonable opportunity to object
- Impose on each Subprocessor data protection obligations equivalent to those in this DPA by way of a written contract
- Remain liable to the Controller for the performance of each Subprocessor's obligations
If the Controller objects to a new Subprocessor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the affected part of the Service.
4.5 Data subject rights
Assist the Controller, by appropriate technical and organisational measures and taking into account the nature of the processing, in fulfilling the Controller's obligations to respond to requests from data subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
If the Processor receives a request from a data subject directly, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by law.
4.6 Assistance with compliance
Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor, including:
- Security of processing (Article 32)
- Notification of Personal Data Breaches to the supervisory authority (Article 33)
- Communication of Personal Data Breaches to data subjects (Article 34)
- Data protection impact assessments (Article 35)
- Prior consultation with the ICO (Article 36)
4.7 Deletion and return
At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires storage.
Where the Controller requests return, the Processor shall provide the data in a structured, commonly used, machine-readable format.
Submission records and audit logs may be retained for up to 7 years from the date of submission where required for legal compliance, after which they will be securely deleted.
4.8 Audit and information
Make available to the Controller all information necessary to demonstrate compliance with this DPA and the obligations laid down in Article 28 of the UK GDPR.
Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and scope limitations to protect the Processor's confidential information and the security of other customers' data.
Audits shall be conducted no more than once per year unless a Personal Data Breach has occurred or the Controller is required to conduct an audit by a supervisory authority.
5. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for the processing of Personal Data and that all necessary consents or notices have been obtained or given
- Ensure that its instructions to the Processor comply with Data Protection Laws
- Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor
- Notify the Processor without undue delay of any data subject request it receives that requires the Processor's assistance
- Comply with its obligations as a data controller under Data Protection Laws
6. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
The notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and records concerned
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
Where it is not possible to provide all information at the same time, information may be provided in phases without undue further delay.
The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
7. International Transfers
The Processor shall not transfer Personal Data outside the United Kingdom unless at least one of the following applies:
- The transfer is to a country covered by a UK adequacy decision
- Appropriate safeguards are in place, such as the UK International Data Transfer Agreement or the UK Addendum to EU Standard Contractual Clauses
- The data importer is certified under the UK Extension to the EU-US Data Privacy Framework
- The Controller has provided prior written consent to the transfer
Where a Subprocessor processes Personal Data outside the United Kingdom, the Processor shall ensure equivalent safeguards are in place. The specific safeguards for each Subprocessor are set out in Schedule 2.
8. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
Nothing in this DPA excludes or limits either party's liability for fraud, fraudulent misrepresentation, death or personal injury caused by negligence, or any other liability that cannot be excluded by law.
9. Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the Service and shall automatically terminate when the Terms of Service terminate, subject to the Processor's obligations regarding deletion or return of Personal Data and any lawful retention periods.
The obligations in clauses 4.2 (Confidentiality), 4.7 (Deletion and return), 4.8 (Audit), 6 (Breach notification), 7 (International transfers), and 8 (Liability) shall survive termination.
10. General Provisions
This DPA is governed by the laws of England and Wales.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of matters relating to the processing of Personal Data.
If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
Schedule 1: Details of Processing
| Item | Description |
|---|---|
| Subject matter of processing | Processing personal data to enable the Controller to use the aligned.tax platform for Making Tax Digital submissions to HMRC. |
| Duration of processing | For the term of the Controller's use of the Service, plus any lawful retention period. |
| Nature of processing | Collection, storage, organisation, structuring, retrieval, AI-assisted categorisation, transmission to HMRC, and erasure. |
| Purpose of processing | To provide the Service, including spreadsheet upload, financial data transformation, preparation of quarterly updates and final declarations, and submission to HMRC on the Controller's instructions. |
| Categories of data subjects | The Controller's clients, including individual taxpayers, sole traders, landlords, and other persons whose financial data is uploaded to the Service by the Controller. |
| Categories of personal data | Names, email addresses, phone numbers, Unique Taxpayer References (UTRs), National Insurance Numbers, business income and expense figures, property income figures, financial transaction data, bank account references, HMRC submission records, and audit logs. |
| Special category data | None anticipated. The Controller must not upload special category data unless agreed in writing. |
Schedule 2: Authorised Subprocessors
The following Subprocessors are authorised as at the date of this DPA:
| Subprocessor | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Railway (Railway Corporation) | Platform hosting, application deployment, and database hosting | All application data in transit and at rest during platform operation, including the PostgreSQL database containing user accounts, financial records, encrypted HMRC tokens, and audit logs | European Union | DPA in place |
| Amazon Web Services – S3 (Amazon Web Services, Inc.) | Cloud file storage for uploaded spreadsheets and documents | Uploaded financial files (Excel/CSV), file metadata, user identifiers | European Union | DPA in place; data remains in EU region |
| Stripe (Stripe, Inc.) | Subscription payment processing | Email addresses, subscription status, payment method tokens (card details handled directly by Stripe under PCI DSS — full card numbers are never received by the Processor) | United States | DPA in place; PCI DSS Level 1 certified; UK IDTA |
| Lemon Squeezy (Lemon Squeezy, LLC) | Alternative subscription payment processing | Email addresses, user identifiers, subscription and order information | United States | DPA in place; UK IDTA |
| SendGrid (Twilio Inc.) | Transactional email delivery (account notifications, submission confirmations, password resets) | Email addresses, message content and metadata | United States | DPA in place; UK IDTA |
| Twilio (Twilio Inc.) | SMS-based phone verification for two-factor authentication | Phone numbers, verification codes | United States | DPA in place; UK IDTA |
| Anthropic (Anthropic PBC) | AI-powered smart column mapping and tax categorisation suggestions | Spreadsheet column names, transaction descriptions, income/expense category labels. No National Insurance Numbers, names, or other direct personal identifiers are transmitted. | United States | DPA in place; UK IDTA; data not used for model training |
| OpenAI (OpenAI, LLC) | Text embeddings for semantic search and transaction categorisation | Transaction descriptions, category labels. No National Insurance Numbers, names, or other direct personal identifiers are transmitted. | United States | DPA in place; UK IDTA; data not used for model training (API terms) |
| Sentry (Functional Software, Inc.) | Error monitoring and application performance tracking | Error stack traces, user ID, email address. Automatic PII redaction is applied before transmission — National Insurance Numbers are hashed, authorisation headers and cookies are stripped. | United States | DPA in place; UK IDTA |
| Google Analytics (Google LLC) | Website usage analytics (consent-based; only activated if the data subject consents via cookie banner) | Page views, traffic sources, device information, IP address (anonymised by Google) | United States | DPA in place; UK IDTA; IP anonymisation enabled |
| Plausible Analytics (Plausible Insights OÜ) | Privacy-focused website analytics | Page views, traffic sources, visitor counts. No cookies or personal identifiers are collected. | European Union (Estonia) | DPA in place; data processed in EU; no personal data collected |
The Processor shall maintain an up-to-date list of Subprocessors and make it available to the Controller upon request. Material changes to this list will be notified to the Controller in advance, giving the Controller reasonable opportunity to object in accordance with clause 4.4.
Schedule 3: Technical and Organisational Measures
The Processor implements the following measures to protect Personal Data:
Encryption
- All data in transit encrypted using TLS 1.2 or above
- HMRC OAuth tokens encrypted at rest using AES-256
- HMRC API communications secured via HTTPS with certificate validation
- Uploaded files stored in encrypted S3 buckets
Access Control
- Role-based access control with a six-tier permission hierarchy (Reviewer, Bookkeeper, Preparer, Supporting Agent, Main Agent, Client Owner)
- Multi-factor authentication available via SMS verification (Twilio)
- Principle of least privilege applied to all system access — operations enforce minimum role requirements (e.g., HMRC submissions require Supporting Agent or above; read-only access requires Reviewer)
- Centralised access control module through which all authorisation decisions are made, so that tenant isolation is enforced consistently rather than by ad hoc user-ID comparisons in individual code paths
- Regular review of access permissions
Audit and Monitoring
- Centralised audit logging of all user actions, data access events, and HMRC submissions with timestamps and user identifiers
- Automatic PII redaction in all application logs — National Insurance Numbers, email addresses, IP addresses, phone numbers, and sensitive fields (passwords, tokens, secrets) are masked before logging
- IP addresses hashed before storage in user activity records
- Error monitoring via Sentry, with authorisation headers and cookies stripped and National Insurance Numbers hashed before error events are transmitted
- Logging of all HMRC submission events including timestamps, taxpayer context, and user confirmations
Data Minimisation
- AI providers (Anthropic, OpenAI) receive only transaction descriptions and category labels — no National Insurance Numbers, names, or direct personal identifiers are transmitted
- Analytics providers receive anonymised or aggregated data only
- Payment processors receive only the minimum data required for billing (email addresses, user and subscription identifiers, and payment method tokens; full card numbers are handled by the payment processor and never received by the Processor)
Availability and Resilience
- Regular backups of application data
- Disaster recovery procedures
- Infrastructure hosted with providers offering high-availability guarantees
- Rate limiting and abuse prevention on API endpoints
Incident Response
- Documented incident response procedure
- Defined escalation and notification process for Personal Data Breaches in accordance with clause 6
- Post-incident review and remediation
Organisational Measures
- Confidentiality obligations for all personnel with access to Personal Data
- Data protection awareness as part of onboarding (where applicable)
- Regular review and update of security practices and dependency monitoring
Contact
Processor: Abridged Ltd
Address: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF
Email: hello@aligned.tax