Data Processing Addendum (DPA)

Version: 2.0

Last Updated: 23rd February 2026

This Data Processing Addendum (“DPA”) forms part of the BizHub365 Terms of Service between Tweed Tyne Technologies Ltd (“Processor”, “we”, “us”, “our”) and the customer or organisation using BizHub365 (“Controller”, “you”). This DPA applies to the extent we Process Personal Data on your behalf in connection with the Service.

Important: This DPA applies to business users. Consumer use is governed by the Privacy Policy and Terms of Service.

1. Definitions

  • “Data Protection Laws” means UK GDPR, the Data Protection Act 2018, and (where applicable) EU GDPR.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” has the meaning given under Data Protection Laws.
  • “Sub-processor” means any third party engaged by us to Process Personal Data on your behalf.
  • “Customer Content” means data uploaded to or generated within the Service by you.

2. Roles of the Parties

  • You are the Controller of Personal Data within Customer Content.
  • We act as Processor solely on your documented instructions.
  • We may act as independent Controller for account administration, billing, fraud prevention, and compliance logging.
  • Where you enable AI-assisted features, limited Processing may be performed by OpenAI, LLC via the OpenAI API strictly for the purpose of delivering those features.

3. Scope of Processing

Subject matter: Provision of BizHub365 accounting, reporting, and HMRC-related services.

Duration: Term of the Services plus applicable retention periods.

Nature and purpose: Hosting, storage, retrieval, analysis, reporting, AI-assisted document interpretation (where enabled), support, and security operations necessary to provide the Service.

Categories of data subjects: Your staff, contractors, customers, suppliers, and individuals whose data you input into the Service.

Categories of Personal Data

  • Identity and contact data;
  • Financial and accounting records;
  • Invoices, transaction records, and tax-related information;
  • Financial statements and uploaded business documents (where AI features are used);
  • Technical and audit log data.

4. Controller Obligations

  • You confirm you have a lawful basis for Processing.
  • You are responsible for accuracy and legality of Personal Data.
  • You will not upload unlawful or prohibited content.

5. Processor Obligations

  • Process only on documented instructions;
  • Ensure confidentiality of authorised personnel;
  • Implement appropriate technical and organisational measures;
  • Assist with data subject rights requests where required.

6. Sub-processors

You grant general authorisation for use of Sub-processors listed below.

Sub-processor Purpose Data Potentially Processed
Heroku (Salesforce, Inc.) Cloud hosting infrastructure and managed PostgreSQL database environment Customer Content and Personal Data stored within the BizHub365 production environment, including financial records and related metadata
OpenAI, LLC (OpenAI API) AI-assisted financial statement analysis and document interpretation (where enabled) Financial statements, uploaded documents, and associated business data submitted for analysis
Stripe Payment processing Billing information and payment metadata
SMTP2GO Email delivery Email addresses and necessary message content
GitHub, Inc. (Microsoft) Source code hosting and version control (development environment) Application source code and configuration files; no intentional storage of production customer databases

Sub-processors may change as the Service evolves. Where required by law, we will provide notice and opportunity to object to material changes.

7. International Transfers

Where Personal Data is transferred outside the UK or EEA, appropriate safeguards such as UK IDTA, SCCs, or adequacy decisions will be implemented.

8. Security Measures

  • Encryption in transit (TLS);
  • Encryption at rest within managed database storage;
  • Role-based access controls;
  • Audit logging and monitoring;
  • Secure development and change management practices.
No system can guarantee absolute security.

9. Personal Data Breach

We will notify you without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA.

10. Deletion and Return

Upon termination, Personal Data will be deleted or returned subject to legal retention obligations and backup cycles.

11. Audits

  • Limited to once per 12 months (unless regulator required);
  • Subject to confidentiality;
  • Reasonable notice required.

12. Liability

Liability under this DPA is subject to the Terms of Service.

13. Order of Precedence

In the event of conflict, this DPA prevails regarding Personal Data Processing.

14. Contact

Privacy enquiries: https://bizhub365.com/support