Version: 1.1 (draft) · Last Updated: 3 July 2026
Status: pre-launch template — pending independent legal review. We publish this DPA so prospective customers can review the terms we intend to sign before AIONA takes on its first clients. It has no binding effect until incorporated into a signed order form or accepted in-product. The sub-processor register and security annex are maintained to reflect the live system.
This Data Processing Agreement ("DPA") is entered into between the customer identified in the applicable order ("Customer", the controller) and AIONA Ltd (trading as AIONA), a company registered in England and Wales with company number 16606520, registered office 128 City Road, London, United Kingdom, EC1V 2NX ("AIONA", the processor), and forms part of the Terms of Service. It is made under Article 28 of the UK GDPR.
AIONA processes personal data contained in the accounting records, source documents and contact data the Customer uploads to or generates in the Service, for as long as the Customer holds an account plus the retention period in §7.
| Data subjects | Personal data categories |
|---|---|
| The Customer's staff and account users | Names, business email addresses, roles, authentication records, actions taken (audit trail) |
| The Customer's suppliers, customers and contacts | Names, business contact details, bank details appearing on invoices, transaction descriptions and amounts |
| Employees (where payroll features are used) | Names, National Insurance numbers, pay and deduction figures required for RTI submissions |
No special-category data is required by the Service; the Customer agrees not to upload it except where it incidentally appears in source documents.
AIONA shall:
The Customer is responsible for the lawfulness of the personal data it uploads or connects (including having a lawful basis and giving any required privacy notices to its own staff, suppliers, customers and contacts), for the accuracy and legality of its instructions, and for managing its users' access rights. The Customer warrants that its instructions to AIONA will comply with UK GDPR.
The Customer gives general written authorisation for the sub-processors listed in the Privacy Policy §5 (hosting, document AI, LLM assistant, email, billing, identity verification, bank feeds, error monitoring). AIONA will update that register and give at least 14 days' prior notice by email before adding or replacing a sub-processor; the Customer may object on reasonable data-protection grounds within that 14-day window, in which case the parties will discuss in good faith and, if no resolution is found, the Customer may terminate the affected feature or — where the sub-processor is integral to the Service (such as hosting or document storage) — terminate the affected Services and receive a pro-rata refund of prepaid fees. AIONA remains fully liable for its sub-processors' performance.
On account closure or written request, AIONA deletes personal data within 30 days, except that accounting records and their source documents are retained for the statutory 6-year UK retention period where the Customer has posted them to the ledger, as described in the Terms of Service. Right-to-erasure requests for contact data are honoured by redaction that preserves the arithmetic integrity of the ledger, including removal from learned-preference stores.
AIONA will make available, on request and no more than once per 12-month period (unless a breach has occurred), the information reasonably necessary to demonstrate compliance with this DPA — including summaries of security measures, sub-processor terms and relevant certifications. Where this is insufficient, the Customer may conduct (at its own cost, on 30 days' notice, without access to other customers' data) an audit through an independent auditor bound by confidentiality.
Primary hosting and document storage are in the United Kingdom/EU (London-region hosting; UK/EU-region cloud storage; EU-region document AI). Where a sub-processor processes personal data outside the UK/EEA — currently Anthropic, Resend, Postmark, Stripe, Sentry, and certain AWS services, in the United States (see Privacy Policy §9) — the transfer is protected by the UK Addendum to the EU Standard Contractual Clauses or the UK International Data Transfer Agreement entered into with that sub-processor, or by UK adequacy regulations (including the UK Extension to the EU–U.S. Data Privacy Framework where the recipient is certified).
Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms, this DPA prevails for data-protection matters.
To put this DPA in place, email support@aionatech.com with "DPA" in the subject line and your company details, or accept it in-product where offered. We will return a countersigned copy.