Data Processing Addendum
Last updated: 14 May 2026 · Effective: 14 May 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "Controller") and Scarborough BC Ltd trading as CashflowOS (the "Processor") and applies whenever we process personal data on your behalf in the course of providing the service.
It is designed to satisfy Article 28 of the UK GDPR. If you are an accountant, bookkeeper or finance team using CashflowOS for clients other than yourself, this DPA governs how we handle that client data.
1. Definitions
Terms used here have the meanings given in the UK GDPR. "Customer Data" means any personal data the Controller submits to the service. "Sub-processor" means any third party engaged by us to process Customer Data.
2. Roles
The Controller decides the purposes and means of processing Customer Data. The Processor processes Customer Data only on documented instructions from the Controller, namely the use of the service in accordance with the Terms of Service.
3. Subject matter, duration, nature and purpose
- Subject matter: processing Customer Data to provide the cashflow management service.
- Duration: for as long as the Controller has an active subscription, plus the retention periods set out in our Privacy Policy.
- Nature: hosting, structuring, organising, analysing, displaying, exporting and deleting Customer Data on the Controller's instructions.
- Purpose: providing cashflow forecasting, transaction categorisation, pattern detection, AI-assisted advisory, and reporting features.
4. Categories of data subjects and personal data
Data subjects: the Controller, members of the Controller's workspace (employees, accountants, finance staff), and any individuals identified in transaction descriptions, counterparties, or payee fields.
Personal data categories:
- Account data: name, email, role within workspace
- Financial transaction data: dates, amounts, descriptions, counterparties, categories, tags
- Bank account metadata: last four digits, sort code last four digits, bank name
- Recurring item rules, inter-entity loan records
- Uploaded statement files (CSV / PDF)
- Communications: support tickets and replies
- Technical data: IP address, user agent, timestamps
5. Sub-processors
The Controller authorises us to engage the following sub-processors:
| Sub-processor | Purpose | Region | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting + database hosting | European Union (Germany / Finland) | EU/EEA — covered by UK adequacy regulations |
| TrueLayer Limited | UK Open Banking — pulls transactions, balances and account info from your bank with your explicit consent | United Kingdom | UK — FCA-regulated AISP. We never see your bank login credentials. |
| Anthropic, PBC | AI categorisation of bank transactions, can-I-spend forecasting, pattern labelling | United States | UK GDPR Article 46 — Standard Contractual Clauses (SCCs) with Anthropic. Anthropic does not train its models on API requests. |
| Stripe Payments UK Ltd | Subscription billing + card payments | United Kingdom + United States | UK GDPR Article 46 — SCCs with Stripe. PCI DSS Level 1. |
| Sendinblue / Brevo | Transactional email (welcome, shortage alerts, support replies) | European Union (France) | EU — covered by UK adequacy regulations |
| Cloudflare, Inc. | DNS + CDN (when enabled) | Global edge — UK / EU points of presence for our region | UK GDPR Article 46 — SCCs |
We will give Controller at least 14 days' advance notice of any addition or replacement of a sub-processor (by email and in-app banner). Controller may object on reasonable data protection grounds within that period and, if we cannot accommodate the objection, may terminate the affected service with a pro-rata refund.
6. International data transfers
Most data stays in the United Kingdom or the European Economic Area. Where data is transferred outside the UK / EEA (currently to Anthropic in the United States for AI features and Stripe for payment processing), we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (UK Addendum) as the safeguard under UK GDPR Article 46.
Customer can disable AI features in workspace settings to prevent any data transfer to Anthropic.
7. Security measures
Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, we implement the following technical and organisational measures (Article 32):
- Encryption in transit: TLS 1.2+ for all connections.
- Encryption at rest: disk-level encryption on database and file storage volumes.
- Authentication: bcrypt password hashing (cost factor 11), HMAC-signed session cookies. Optional MFA for paid tiers.
- Access control: per-workspace row-level isolation. Role-based access (OWNER / ADMIN / EDITOR / VIEWER). Audit log of every write to financial data.
- Backup and recovery: daily database dumps with 30 daily / 12 weekly / 12 monthly retention. Test restores monthly. RPO 24h, RTO 4h.
- Network: firewalled VPS; no public database access; private internal networks for sub-processor calls.
- Secrets management: API keys held in encrypted settings, never in code.
- Staff access: minimum-privilege. Admin actions audited. No production DB access without justification.
- Pen testing and updates: regular dependency upgrades; reasonable response to disclosed CVEs.
8. Personal data breach
We will notify Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Customer Data, providing:
- The nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned;
- The likely consequences;
- The measures taken or proposed to address it and mitigate its possible adverse effects.
Report a security incident to us at security@cashflowos.app.
9. Assistance to Controller
We will assist Controller, taking into account the nature of the processing:
- To respond to data subject rights requests under UK GDPR Articles 12–22 (we provide self-service data export and deletion tools to make this efficient).
- To comply with Articles 32–36 (security, breach notification, data protection impact assessments, prior consultation), where reasonably required.
10. Audit rights
We will make available to Controller all information necessary to demonstrate compliance with this DPA and, on reasonable written request, allow audits — including inspections — by Controller or a mandated auditor. To minimise disruption, audits are limited to once per 12-month period (unless required following a breach), must be at Controller's cost, and may rely on third-party audit reports (e.g. SOC 2) where available.
11. Return and deletion of data
On termination, Controller may export all Customer Data via the in-app export tool. We will retain backups for up to 30 days as a safety net, then permanently delete. Some data may be retained longer where required by law (see Privacy Policy §6).
12. Liability
Each party's liability under this DPA is subject to the same limitations set out in the Terms of Service. We do not exclude or limit liability that cannot be excluded under UK law.
13. Conflicts and governing law
Where this DPA conflicts with the Terms of Service, this DPA prevails for matters relating to the processing of Customer Data. This DPA is governed by the laws of England and Wales.
14. Contact
Data protection enquiries: privacy@cashflowos.app.