Parties
This Data Processing Agreement ("DPA") is between:
- Data Controller: The bureau or business that has accepted the PayPacket Terms & Conditions ("Controller", "you")
- Data Processor: PayPacket Ltd, operating paypacket.io ("Processor", "PayPacket", "we")
By accepting the PayPacket Terms & Conditions, you enter into this DPA. This DPA comes into effect on the date you create your PayPacket account and remains in force for the duration of your subscription.
1. Definitions
In this DPA:
- "Data Protection Laws" means UK GDPR, the Data Protection Act 2018, and any successor legislation.
- "Personal Data", "Processing", "Data Subject", "Supervisory Authority" have the meanings given in Data Protection Laws.
- "Controller Personal Data" means the Personal Data described in Schedule 1 that the Controller submits to the Service.
- "Services" means the PayPacket payroll bureau software provided under the Terms & Conditions.
- "Sub-processor" means any third party engaged by PayPacket to process Controller Personal Data.
2. Scope and Role
PayPacket processes Controller Personal Data only to provide the Services. The Controller determines the purposes and means of Processing; PayPacket acts solely as a Processor on the Controller's documented instructions.
Where the Controller is itself a processor for its own clients (the employers whose payroll is managed through the platform), the Controller warrants that it has appropriate authorisation from those clients to enter into this DPA and to sub-process to PayPacket.
3. PayPacket's Obligations
3.1 Instructions
PayPacket will process Controller Personal Data only on the documented instructions of the Controller, which are set out in this DPA and the Terms & Conditions. If PayPacket is required by law to process Controller Personal Data other than as instructed, it will notify the Controller before doing so (unless prohibited by law).
If PayPacket reasonably believes an instruction infringes Data Protection Laws, it will promptly inform the Controller.
3.2 Confidentiality
PayPacket will ensure that all persons authorised to process Controller Personal Data are subject to binding confidentiality obligations, whether by contract or statutory duty.
3.3 Security
PayPacket will implement and maintain the technical and organisational security measures set out in Schedule 3 of this DPA, appropriate to the risks presented by the Processing. PayPacket will take account of the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of individuals.
3.4 Sub-processors
The Controller provides general written authorisation to PayPacket to engage Sub-processors. The Sub-processors currently engaged are listed in Schedule 2.
PayPacket will:
- Notify the Controller of any intended change to Sub-processors (additions or replacements) by updating Schedule 2 and giving at least 14 days' notice via email or in-app notification
- Impose data protection obligations on Sub-processors equivalent to those in this DPA
- Remain fully liable to the Controller for the acts and omissions of Sub-processors
The Controller may object to a new Sub-processor by notifying PayPacket within 14 days of notification. If PayPacket cannot accommodate the objection, the Controller may terminate the subscription without penalty on written notice.
3.5 Data Subject Rights
PayPacket will, taking into account the nature of the Processing, assist the Controller (by appropriate technical and organisational measures where possible) to fulfil the Controller's obligations to respond to Data Subject rights requests under Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection.
If PayPacket receives a Data Subject rights request directly relating to Controller Personal Data, it will promptly forward it to the Controller without acting on it.
3.6 Security Incidents and Breach Notification
PayPacket will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Controller Personal Data. The notification will include (to the extent then known):
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected
- Contact details of PayPacket's data protection point of contact
- A description of the likely consequences
- A description of the measures taken or proposed to address the breach
PayPacket will co-operate with and assist the Controller in its own obligations to notify the ICO and affected Data Subjects where required.
3.7 Data Protection Impact Assessments
PayPacket will, upon request, provide the Controller with reasonable assistance in conducting Data Protection Impact Assessments and in prior consultation with the ICO where required by Data Protection Laws, taking into account the nature of the Processing and the information available to PayPacket.
3.8 Deletion and Return of Data
On termination or expiry of the subscription, and upon written request by the Controller, PayPacket will:
- Export and make available to the Controller all Controller Personal Data in a structured, commonly used, machine-readable format within 30 days; and
- Securely delete or destroy all copies of Controller Personal Data within 90 days of the end of the retention period set out in the Privacy Policy
Where PayPacket is required by law to retain Controller Personal Data beyond the subscription period (for example, HMRC record-keeping obligations of 7 years), it will retain only the minimum necessary data and inform the Controller accordingly.
3.9 Audit Rights
PayPacket will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA, including making available relevant policies and security documentation on request.
PayPacket will allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, provided that:
- The Controller gives at least 30 days' prior written notice
- Audits are conducted at the Controller's expense during normal business hours
- No more than one audit per 12-month period is requested except where there are reasonable grounds to suspect a breach
- The auditor is subject to confidentiality obligations no less strict than those in this DPA
Where the Controller's request for information can be satisfied by PayPacket providing up-to-date security certifications or third-party audit reports, PayPacket may provide those in lieu of direct audit access.
4. Controller's Obligations
The Controller:
- Warrants that it has a lawful basis under Data Protection Laws to process the Controller Personal Data and to instruct PayPacket to process it
- Is responsible for the accuracy, legality, and quality of the Controller Personal Data it provides to PayPacket
- Will comply with Data Protection Laws in its own use of the Services, including providing appropriate privacy notices to Data Subjects
- Will ensure that any instructions given to PayPacket comply with Data Protection Laws
- Is responsible for its own employees' and agents' use of the Services
5. International Transfers
PayPacket stores and primarily processes Controller Personal Data in the United Kingdom. Where Controller Personal Data is transferred to Sub-processors outside the UK or EEA (see Schedule 2), PayPacket will ensure an appropriate transfer mechanism is in place, including:
- UK International Data Transfer Agreements (IDTAs) or UK Addenda to Standard Contractual Clauses
- Adequacy decisions recognised by the UK ICO
6. Liability
Each party's liability to the other under or in connection with this DPA is subject to the limitations set out in the Terms & Conditions, except that nothing in this DPA or the Terms & Conditions limits either party's liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any liability that cannot be excluded or limited by applicable law
7. Precedence
In the event of a conflict between this DPA and the Terms & Conditions in relation to data protection matters, this DPA shall prevail to the extent of the conflict.
8. Changes to this DPA
PayPacket may update this DPA to reflect changes in Data Protection Laws or Sub-processors. Material changes will be notified to the Controller with at least 14 days' notice. Continued use of the Services after the effective date of changes constitutes acceptance.
9. Governing Law
This DPA is governed by the laws of England and Wales. Disputes arising under it are subject to the exclusive jurisdiction of the courts of England and Wales.
10. Contact
For data protection enquiries: privacy@paypacket.io
Schedule 1 — Details of Processing
Subject matter
The processing of UK payroll data to enable the Controller to calculate and submit payroll for the employers it manages.
Duration
For the term of the subscription, and thereafter in accordance with the retention periods set out in the Privacy Policy (minimum 7 years from end of relevant tax year as required by HMRC).
Nature of processing
Collection, storage, retrieval, calculation, formatting, and output generation of payroll data; transmission of RTI submissions to HMRC; generation of payslip, P60, and P45 PDFs; application of statistical checks via AI features (with anonymisation applied as described in the Privacy Policy).
Purpose of processing
To provide payroll bureau software services enabling the Controller to: calculate and run payroll for client companies; submit Full Payment Submissions (FPS) and Employer Payment Summaries (EPS) to HMRC; generate statutory payroll documents; manage employee records and pay schedules.
Types of personal data
- Names (first name, last name)
- Dates of birth
- Gender
- National Insurance numbers (encrypted at rest)
- Tax codes and PAYE reference data
- Salary and pay element details (gross pay, deductions, net pay)
- Bank account details — sort code, account number, account name (encrypted at rest)
- Employment start and leaving dates
- Works numbers and employee identifiers
- Statutory payment records (SSP, SMP, SPP, SAP, ShPP)
- Pension contribution details and auto-enrolment status
- Student loan plan types
- Previous employment pay and tax figures
Categories of data subjects
Employees (and former employees) of the client companies whose payroll is managed through the PayPacket platform by the Controller.
Schedule 2 — Approved Sub-processors
| Sub-processor | Location | Purpose | Data processed | Transfer mechanism |
|---|---|---|---|---|
| HMRC Government Gateway | United Kingdom | RTI submissions (FPS/EPS) as required by law | Employee payroll data as required for PAYE RTI | No transfer — UK domestic |
| Anthropic PBC | United States | AI features: payslip validation, payroll assistant, CSV import mapping | Anonymised payroll figures only — employee names and NINOs are never transmitted. See Privacy Policy Section 5. | UK IDTA / Anthropic DPA |
| Stripe, Inc. | United States | Subscription billing and payment processing | Bureau billing data only (not employee payroll data) | UK IDTA / Stripe DPA |
| Cloud hosting provider | United Kingdom | Application hosting, database storage | All Controller Personal Data (encrypted at rest) | No transfer — UK domestic |
| Email service provider | United States | Transactional emails (pay run alerts, submission notifications) | Bureau operator email addresses; no employee payroll data | UK IDTA / provider DPA |
PayPacket will notify the Controller of any changes to this schedule with at least 14 days' notice.
Schedule 3 — Technical and Organisational Security Measures
PayPacket implements and maintains the following security measures, consistent with Article 32 of UK GDPR:
Encryption
- Field-level AES-256-GCM encryption for National Insurance numbers and bank account details at rest. These fields are encrypted before database write and decrypted only when required for payroll calculation or submission.
- TLS 1.2 or higher for all data in transit between clients and the application, and between the application and Sub-processors.
- Encrypted database volumes at the infrastructure layer.
Access control
- Role-based access control (RBAC): Bureau Owner, Bureau Admin, Payroll Operator, Viewer. Each role has defined, minimum-necessary permissions.
- Authentication managed via Keycloak identity provider with support for strong passwords and multi-factor authentication.
- Tenant isolation enforced at the database query level — operators cannot access data belonging to other bureaux.
- All access to client company data is scoped to the bureau that created it.
Audit trail
- Append-only audit log recording all data creation, modification, and deletion events, including the user responsible, timestamp, and change detail.
- Audit records cannot be deleted or modified by application users.
AI feature data minimisation
- Before any data is transmitted to Anthropic for AI processing, identifying fields (names, NINOs) are replaced with opaque aliases or removed entirely.
- Bank details are never transmitted to any AI sub-processor under any circumstances.
Incident response
- Personal data breach notification to the Controller within 72 hours of discovery.
- Internal incident response procedures including breach classification, containment, and post-incident review.
Availability and resilience
- Regular database backups with tested restore procedures.
- Monitoring and alerting for application availability and errors.
Vendor security
- Sub-processors are subject to due diligence before engagement and are required to maintain security standards at least equivalent to those in this Schedule.