Policies
Last updated: 11 July 2026
Data Processing Agreement
Parties and roles
This DPA applies between Calceum Limited (“Calceum”), company number 17240312, registered at Red Gables, West Common, Harpenden, AL5 2JQ (ICO registration ZC156359), acting as processor, and the Customer identified in the Services and Software Agreement (the “Agreement”), acting as controller. It is incorporated into the Agreement by reference and records the parties’ agreement, under Article 28 of the UK GDPR, on Calceum’s processing of personal data on the Customer’s behalf. Where the Customer is itself a processor acting for its own clients, Calceum acts as a sub-processor and these terms apply accordingly.
1. Definitions
“UK GDPR”, “controller”, “processor”, “sub-processor”, “data subject”, “personal data”, “special category data”, “processing”, and “personal data breach” have the meanings given in the UK GDPR and the Data Protection Act 2018. “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other applicable data protection law in force in the United Kingdom, in each case as amended or replaced.
2. Roles and scope of processing
The Customer is the controller and Calceum is the processor in respect of the personal data described in Annex 1 (Details of Processing). Where the Customer is itself a processor acting on behalf of its own client, Calceum acts as a sub-processor to the Customer; the obligations in this DPA apply equally in that case.
Calceum processes personal data only to provide and support the platform (the practice application, the client portal, and the Making Tax Digital application) and any related services described in the Agreement, and only in accordance with this DPA and the Customer’s documented instructions.
3. Processor obligations
Calceum shall:
- process the personal data only on the Customer’s documented instructions, including as set out in the Agreement and this DPA, unless required to do otherwise by law (in which case Calceum will, where legally permitted, inform the Customer first);
- ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations;
- implement and maintain the technical and organisational measures set out in Annex 3 (Technical and Organisational Measures) and as required by Article 32 of the UK GDPR;
- not engage a sub-processor except in accordance with Section 5;
- taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the UK GDPR;
- assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Calceum;
- at the Customer’s election, delete or return all personal data on termination of the services, and delete existing copies unless retention is required by law (see Section 9);
- make available to the Customer all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits in accordance with Section 8; and
- immediately inform the Customer if, in its opinion, an instruction infringes the Data Protection Laws.
4. Controller obligations and instructions
The Customer warrants that:
- it has a valid lawful basis for the processing it instructs Calceum to carry out, and (where relevant) has provided appropriate privacy information to, and obtained any necessary consent from, the relevant data subjects;
- its instructions to Calceum will comply with the Data Protection Laws; and
- its own privacy notice to its clients accurately describes that Calceum (and its sub-processors) processes personal data on the Customer’s behalf as its processor.
The Customer’s complete and final instructions are set out in the Agreement and this DPA. Additional instructions must be agreed in writing.
5. Sub-processors
The Customer gives Calceum general written authorisation to engage sub-processors to process personal data, subject to this Section. The sub-processors engaged as at the date of this DPA are listed in the Sub-Processor List, which is maintained as the single source of truth and published at calceum.com/policies/sub-processors.
Calceum shall:
- impose on each sub-processor, by written contract, data protection obligations equivalent to those in this DPA;
- remain fully liable to the Customer for the performance of each sub-processor’s obligations; and
- give the Customer at least 14 days’ notice of any intended addition or replacement of a sub-processor (by email and by updating the published list), so as to give the Customer the opportunity to object.
If the Customer reasonably objects to a new sub-processor on legitimate data protection grounds within the notice period, the parties will work in good faith to resolve the concern; if they cannot, the Customer may terminate the affected services.
User-connected integrations and statutory recipients that the Customer or its clients choose to connect (for example HMRC, Companies House, FreeAgent, Stripe Connect, and Google) act as independent controllers or as the Customer’s own data sources and are not Calceum’s sub-processors. These are identified in the Sub-Processor List for transparency.
6. International transfers
Personal data is hosted in the United Kingdom (AWS eu-west-2, London). Where a sub-processor processes personal data outside the UK, Calceum ensures the transfer is subject to an appropriate safeguard under the Data Protection Laws, namely UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU-US Data Privacy Framework where the importer is certified. The applicable mechanism for each sub-processor is shown in the Sub-Processor List.
7. Personal data breach
Calceum shall notify the Customer without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting the Customer’s personal data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Calceum will cooperate with the Customer and the Information Commissioner’s Office as required. See Data Breach Response Procedure and Incident Response Policy.
8. Audits and information
Calceum will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. The Customer may audit Calceum’s compliance once per year on reasonable prior written notice (and at any time following a personal data breach), subject to confidentiality and to not disrupting Calceum’s operations. Where available, Calceum may satisfy an audit request by providing current third-party certifications or assessment reports.
9. Deletion and return on termination
On termination or expiry of the services, Calceum will, at the Customer’s election, delete or return all personal data and delete existing copies within 30 days, except where retention is required by law. Tax and submission records subject to the HMRC statutory retention period will be retained for the required period and then deleted. Calceum will confirm completion of deletion in writing on request.
10. Liability, precedence and governing law
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the law of England and Wales and the parties submit to the exclusive jurisdiction of its courts. In the event of conflict, this DPA prevails over the rest of the Agreement on data protection matters.
Annex 1 - Details of Processing
| Element | Detail |
|---|---|
| Subject matter | Provision of the Calceum practice-management platform (practice application, client portal, and Making Tax Digital application) enabling the Customer to deliver accounting, tax, compliance, and onboarding services to its clients |
| Duration | For the term of the Agreement, plus any statutory retention period for tax and submission records |
| Nature of processing | Collection, storage, organisation, retrieval, display, transmission (including to HMRC and other systems on the Customer’s instruction), and deletion of personal data |
| Purpose | Enabling the Customer to manage its client relationships and to meet its professional and HMRC obligations on behalf of its clients |
| Data subjects | The Customer’s clients and prospective clients (sole traders, landlords, and self-assessment taxpayers); directors, officers, shareholders, and persons with significant control of the Customer’s entity clients; and the Customer’s own staff users of the platform |
| Categories of personal data | Identity and contact data (name, email, phone, address, date of birth); tax identifiers (NINO, UTR); financial, income, and accounting data; bank account and transaction data (via open banking); HMRC submission and tax calculation records; Companies House officer data; and documents uploaded to the portal |
| Special category / sensitive data | Biometric data (special category, UK GDPR Art 9) and identity-document data are processed as standard. Identity verification is a core feature of the platform: clients are verified using document and biometric (face-match/liveness) checks via the verification sub-processor (Didit). The Customer, as controller, relies on an Article 9 condition (substantial public interest - preventing or detecting unlawful acts, DPA 2018 Sch 1 para 10) backed by its MLR 2017 duty, and must maintain an Appropriate Policy Document and a DPIA. Calceum processes this data only on the Customer’s instructions. |
Annex 2 - Approved Sub-processors
The approved sub-processors are set out in the Sub-Processor List (published at calceum.com/policies/sub-processors), which forms part of this DPA.
Annex 3 - Technical and Organisational Measures
Calceum maintains, at a minimum, the following measures (further detail in the Information Security Policy and related policies):
- Encryption at rest: AES-256-GCM applied to personal data, including NINO, UTR, and HMRC credentials, at application level.
- Encryption in transit: TLS 1.2 or above on all data transmission.
- Access control: role-based access control with multi-factor authentication on production systems; least-privilege database roles. See Access Control Policy.
- Infrastructure: AWS eu-west-2 (London) - ECS Fargate, RDS PostgreSQL with automated encrypted backups, Secrets Manager.
- Logging and monitoring: Datadog application performance monitoring, logging, and alerting (configured to avoid capturing personal data). See Logging and Monitoring Policy.
- Resilience: automated backups and documented recovery procedures. See Backup and Recovery Policy and Business Continuity Plan.
- Secure development: secure development lifecycle, dependency and vulnerability management, and change control. See Secure Development Policy.