StatutorySync

Data Processing Agreement

GDPR Article 28 — Processor Agreement

1. Parties

This Data Processing Agreement ("DPA") is entered into between the data controller ("the Firm" or "the Controller") and StatutorySync Limited ("the Processor"), a data processor operating under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Purpose of Processing

The Processor shall process personal data solely for the purpose of providing identity verification services under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), including biometric identity checks, Companies House Personal Code retrieval and secure storage, and director compliance tracking.

3. Categories of Data

Personal data processed includes:

  • Director full names and dates of birth
  • Nationality and identity document type
  • Companies House 11-character Personal Codes
  • Biometric verification results
  • Email addresses for verification communications

4. Data Residency

All personal data is stored exclusively within Amazon Web Services (AWS) UK data centres located in the eu-west-2 (London) region. No personal data is transferred outside the United Kingdom. Infrastructure is secured using AWS encryption at rest (AES-256) and in transit (TLS 1.2+).

5. Retention Policy

In accordance with the Economic Crime and Corporate Transparency Act 2023, identity verification records and associated evidence shall be retained for a minimum period of seven (7) years from the date of verification. After this retention period, all personal data shall be securely deleted using industry-standard data destruction methods. The data controller may request early deletion subject to applicable regulatory requirements.

6. Security Measures

The Processor implements appropriate technical and organisational measures including:

  • Encryption at rest and in transit
  • Access controls with role-based permissions
  • Audit logging of all data access
  • Regular security assessments and penetration testing
  • Incident response procedures, including notification of the Controller without undue delay after becoming aware of a personal data breach (UK GDPR Article 33(2)), so that the Controller can meet its own 72-hour notification obligation to the ICO

7. Sub-processors

The Processor engages the following sub-processors:

  • Supabase Inc. — Database hosting and authentication (AWS eu-west-2)
  • Stripe Inc. — Payment processing (PCI DSS Level 1 certified)
  • Resend Inc. — Transactional email delivery

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15–22 of the UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

9. Termination

Upon termination of the service agreement, the Processor shall, at the choice of the Controller, delete or return all personal data and certify that it has done so, unless retention is required by applicable law or regulation (including the 7-year ECCTA retention requirement).

By clicking Accept, you confirm you have read and agree to this Data Processing Agreement on behalf of your firm.