logo

Data Processing Agreement (DPA)

Last updated: February 2026

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions for WpAccPac and applies where personal data is processed on behalf of a user.

1. Roles of the parties

The user (typically an accounting firm) acts as the data controller, determining the purposes and means of processing personal data.

WpAccPac acts as a data processor, processing personal data solely on behalf of the controller in order to provide the service.

2. Nature and purpose of processing

WpAccPac provides a platform for accounts preparation and working papers. Processing may include:

  • Storing and organising working papers and schedules
  • Storing client-related data entered by the user
  • Storing supporting documentation, including uploaded files (such as PDFs and images) and references (links) to external documents
  • Providing access to authorised users within the organisation

3. Types of personal data

The types of personal data processed are determined by the user and may include:

  • Names and contact details
  • Client identifiers and financial information
  • Any personal data contained within uploaded documents

4. Obligations of WpAccPac (Processor)

  • Process personal data only on documented instructions from the controller
  • Ensure appropriate technical and organisational security measures
  • Restrict access to authorised users within each organisation
  • Assist the controller, where reasonably possible, in responding to data subject requests
  • Notify the controller of any personal data breach where required by law

5. Obligations of the user (Controller)

  • Ensure that personal data is collected and processed lawfully
  • Ensure that you have the right to upload or link any data stored in WpAccPac
  • Ensure that appropriate notices are provided to data subjects where required
  • Use the service in compliance with applicable data protection laws

6. Sub-processors

WpAccPac may use trusted third-party providers (such as cloud hosting and storage services) to deliver the platform.

These providers act as sub-processors and are selected to ensure appropriate security and data protection standards.

7. International data transfers

Where data is processed outside the UK, appropriate safeguards are applied in accordance with UK data protection law.

8. Data retention and deletion

Personal data is retained only for as long as required to provide the service.

Upon account closure or request, data will be deleted in line with the Privacy Policy, unless retention is required by law.

9. Security

WpAccPac applies appropriate technical and organisational measures to protect personal data, including access controls and secure storage.

10. Contact

For data protection queries, contact us at admin@wpaccpac.org.