
Data Processing Addendum

Last updated: 25 May 2026

1. Overview

This Data Processing Addendum ("DPA") forms part of the AdviserAlly Terms & Conditions and applies to the processing of Personal Data by AdviserAlly Limited ("Processor" or "AdviserAlly") on behalf of the Customer ("Controller") in connection with the AdviserAlly service.

This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Definitions

Personal Data
Means any information relating to an identified or identifiable natural person processed through the AdviserAlly platform, including client names, email addresses, phone numbers, and conversation history.
Processing
Means any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
Sub-processor
Means any third-party processor engaged by AdviserAlly to process Personal Data on behalf of the Controller.

3. Processing Instructions

AdviserAlly shall process Personal Data only:

  • On documented instructions from the Controller;
  • To provide the AdviserAlly service as described in the Terms & Conditions;
  • To comply with applicable laws; and
  • As necessary to maintain the security and integrity of the service.

4. Sub-processors

AdviserAlly engages the following sub-processors to provide the service. All sub-processors are bound by contractual obligations consistent with the UK GDPR:

| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| MongoDB Atlas (MongoDB Inc.) | Database hosting | Ireland (EU) | UK Addendum to EU SCCs |
| Cloudflare Pages (Cloudflare Inc.) | Frontend hosting | Global CDN (UK/EU nodes) | UK Addendum to EU SCCs |
| Heroku (Salesforce Inc.) | API hosting | Europe region | UK Addendum to EU SCCs |
| Mailgun (Sinch MessageMedia Pty Ltd) | Email delivery | Ireland (EU) | UK Addendum to EU SCCs |
| OpenAI (OpenAI LLC) | AI processing | United States | EU-US Data Privacy Framework, UK Extension |
| Stripe (Stripe Inc.) | Payment processing | Ireland (EU) | UK Addendum to EU SCCs |

Note: AdviserAlly will notify Customers of any changes to this sub-processor list with at least 30 days' notice via email. Customers may object to a new sub-processor within 14 days of notification.

5. Data Transfers

Where Personal Data is transferred outside the UK:

  • EU/EEA transfers: Covered by the UK Addendum to EU Standard Contractual Clauses (SCCs);
  • US transfers: Covered by the EU-US Data Privacy Framework with UK Extension (OpenAI) or UK Addendum to EU SCCs (other providers);
  • Other transfers: Subject to appropriate safeguards as required by UK GDPR Article 46.

6. Security Measures

AdviserAlly implements technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256);
  • Regular security testing and vulnerability scanning;
  • Access controls and multi-factor authentication;
  • Audit logging and monitoring;
  • Business continuity and disaster recovery procedures;
  • ISO 27001 alignment and annual penetration testing;
  • Employee security training and confidentiality obligations.

7. Data Subject Rights

AdviserAlly will assist the Controller in responding to data subject rights requests, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)

Controllers can manage data subject requests through the AdviserAlly platform or by contacting [email protected].

8. Data Breach Notification

AdviserAlly will notify the Controller without undue delay (and where feasible within 48 hours) upon becoming aware of a Personal Data breach, providing:

  • Description of the nature of the breach;
  • Categories and approximate number of data subjects affected;
  • Contact point for further information;
  • Likely consequences of the breach; and
  • Measures taken or proposed to address the breach.

9. Data Retention and Deletion

Upon termination of the AdviserAlly service, Personal Data will be:

  • Retained for 90 days to allow data export and account recovery;
  • Anonymised or deleted after 90 days in accordance with the Controller's preferences;
  • Billing and payment records retained for 7 years for legal and accounting purposes.

Controllers can request immediate deletion by contacting [email protected].

10. Audit Rights

AdviserAlly will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits. Audit requests must be submitted in writing with reasonable notice (minimum 30 days).

11. Contact Information

For questions about this DPA or to exercise data subject rights:

AdviserAlly Limited

Email: [email protected]

Data Protection Officer: [email protected]

Registered office: Unit 16 Roundhouse Court, Barnes Wallis Way, Buckshaw Village, Chorley PR7 7JN, United Kingdom
