Data Processing Agreement

Version: 1.1 (draft) · Last Updated: 3 July 2026

Status: pre-launch template — pending independent legal review. We publish this DPA so prospective customers can review the terms we intend to sign before AIONA takes on its first clients. It has no binding effect until incorporated into a signed order form or accepted in-product. The sub-processor register and security annex are maintained to reflect the live system.

This Data Processing Agreement ("DPA") is entered into between the customer identified in the applicable order ("Customer", the controller) and AIONA Ltd (trading as AIONA), a company registered in England and Wales with company number 16606520, registered office 128 City Road, London, United Kingdom, EC1V 2NX ("AIONA", the processor), and forms part of the Terms of Service. It is made under Article 28 of the UK GDPR.

1. Subject matter and duration

AIONA processes personal data contained in the accounting records, source documents and contact data the Customer uploads to or generates in the Service, for as long as the Customer holds an account plus the retention period in §7.

2. Nature and purpose of processing

3. Categories of data and data subjects

Data subjects: Personal data categories

The Customer's staff and account users: Names, business email addresses, roles, authentication records, actions taken (audit trail)

The Customer's suppliers, customers and contacts: Names, business contact details, bank details appearing on invoices, transaction descriptions and amounts

Employees (where payroll features are used): Names, National Insurance numbers, pay and deduction figures required for RTI submissions

No special-category data is required by the Service; the Customer agrees not to upload it except where it incidentally appears in source documents.

4. AIONA's obligations

AIONA shall:

  1. process personal data only on the Customer's documented instructions — including with regard to transfers of personal data outside the United Kingdom (§9) — the Customer's use of the Service constituting its instruction; where UK law requires AIONA to process otherwise, AIONA will inform the Customer of that legal requirement before processing, unless that law prohibits it on important grounds of public interest;
  2. ensure persons authorised to process the data are bound by confidentiality;
  3. implement the technical and organisational measures in §6;
  4. engage sub-processors only under §5;
  5. assist the Customer with data-subject requests (Articles 12–23) and with Articles 32–36 obligations, taking into account the nature of the processing;
  6. notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's personal data, and provide — as the information becomes available — the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point, so the Customer can meet its own notification obligations to the ICO and data subjects; AIONA will not notify regulators or data subjects on the Customer's behalf unless legally required or instructed;
  7. at the Customer's choice, delete or return the personal data at the end of the engagement, subject to statutory retention duties (§7);
  8. make available information necessary to demonstrate compliance and allow audits as set out in §8;
  9. immediately inform the Customer if, in AIONA's opinion, an instruction from the Customer infringes the UK GDPR or other applicable UK data-protection law.

4A. Customer's obligations

The Customer is responsible for the lawfulness of the personal data it uploads or connects (including having a lawful basis and giving any required privacy notices to its own staff, suppliers, customers and contacts), for the accuracy and legality of its instructions, and for managing its users' access rights. The Customer warrants that its instructions to AIONA will comply with UK GDPR.

5. Sub-processors

The Customer gives general written authorisation for the sub-processors listed in the Privacy Policy §5 (hosting, document AI, LLM assistant, email, billing, identity verification, bank feeds, error monitoring). AIONA will update that register and give at least 14 days' prior notice by email before adding or replacing a sub-processor; the Customer may object on reasonable data-protection grounds within that 14-day window, in which case the parties will discuss in good faith and, if no resolution is found, the Customer may terminate the affected feature or — where the sub-processor is integral to the Service (such as hosting or document storage) — terminate the affected Services and receive a pro-rata refund of prepaid fees. AIONA remains fully liable for its sub-processors' performance.

6. Security measures (Article 32)

7. Deletion and retention

On account closure or written request, AIONA deletes personal data within 30 days, except that accounting records and their source documents are retained for the statutory 6-year UK retention period where the Customer has posted them to the ledger, as described in the Terms of Service. Right-to-erasure requests for contact data are honoured by redaction that preserves the arithmetic integrity of the ledger, including removal from learned-preference stores.

8. Audit

AIONA will make available, on request and no more than once per 12-month period (unless a breach has occurred), the information reasonably necessary to demonstrate compliance with this DPA — including summaries of security measures, sub-processor terms and relevant certifications. Where this is insufficient, the Customer may conduct (at its own cost, on 30 days' notice, without access to other customers' data) an audit through an independent auditor bound by confidentiality.

9. International transfers

Primary hosting and document storage are in the United Kingdom/EU (London-region hosting; UK/EU-region cloud storage; EU-region document AI). Where a sub-processor processes personal data outside the UK/EEA — currently Anthropic, Resend, Postmark, Stripe, Sentry, and certain AWS services, in the United States (see Privacy Policy §9) — the transfer is protected by the UK Addendum to the EU Standard Contractual Clauses or the UK International Data Transfer Agreement entered into with that sub-processor, or by UK adequacy regulations (including the UK Extension to the EU–U.S. Data Privacy Framework where the recipient is certified).

10. Liability and order of precedence

Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms, this DPA prevails for data-protection matters.

Execution

To put this DPA in place, email support@aionatech.com with "DPA" in the subject line and your company details, or accept it in-product where offered. We will return a countersigned copy.