
Data Processing Agreement (DPA)


THE SERVICE PROVIDER (Data Processor)
Company Name: GTC Investments Limited (trading as Inflow Systems)
Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Company Number: 14255013
Contact: Gareth Clark  |  info@inflowsystems.co

The Client (Data Controller) is the company or individual named on the Inflow Systems quotation or order confirmation. The effective date and project reference are as stated on that document.


1. Background and Purpose

The Controller has engaged the Processor to provide certain services (the "Services") as detailed in the Statement of Work, project proposal, or engagement letter agreed between the parties (the "Project"). In the course of providing those Services, the Processor may process Personal Data on behalf of the Controller.

This Data Processing Agreement ("Agreement") sets out the terms on which the Processor will process Personal Data on behalf of the Controller in connection with the Project, and reflects the parties' obligations under UK GDPR and the Data Protection Act 2018.

This Agreement is a standalone document and does not require a separate Non-Disclosure Agreement to be operative. Where the parties have also executed a Mutual Non-Disclosure Agreement, this Agreement is incorporated into and forms part of that agreement; in the event of any conflict between this Agreement and that agreement on matters relating to data protection, this Agreement shall prevail.


2. Definitions

In this Agreement, the following terms have the meanings given below:

Controller: The Client named above, who determines the purposes and means of processing Personal Data.
Processor: The Service Provider named above, who processes Personal Data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
Processing: Any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, deletion, or destruction.
Data Subject: An identified or identifiable natural person to whom the Personal Data relates.
UK GDPR: The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.
DPA 2018: The Data Protection Act 2018.
Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Sub-processor: Any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
Services: The project services provided by the Processor to the Controller as described in Schedule A.
Supervisory Authority: The Information Commissioner's Office (ICO) in the United Kingdom.


3. Roles of the Parties

The parties acknowledge that, for the purposes of this Agreement and UK GDPR:

  • The Controller determines the purposes and means of processing Personal Data in connection with the Project and bears primary responsibility for compliance with UK GDPR as Controller.
  • The Processor processes Personal Data solely on the documented instructions of the Controller and for no other purpose, except where required to do so by applicable UK law.
  • The Controller warrants that it has a valid lawful basis for processing the Personal Data under UK GDPR Article 6 (and Article 9 where Special Category Data is involved), and that its instructions to the Processor are lawful.

4. Processor Obligations

4.1 Processing on Instructions Only

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by UK law, in which case the Processor shall notify the Controller of that legal requirement before processing (unless prohibited by law from doing so on grounds of public interest).

4.2 Confidentiality

The Processor shall ensure that all personnel authorised to process Personal Data are subject to binding obligations of confidentiality (whether contractual or statutory) and are informed of their obligations under this Agreement and applicable data protection law.

4.3 Security

The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account:

  • the state of the art and the costs of implementation
  • the nature, scope, context, and purposes of processing
  • the risk of varying likelihood and severity for the rights and freedoms of natural persons

The security measures in place are set out in Schedule C. The Processor shall keep these measures under review and update them as appropriate.

4.4 Sub-processing

The Processor shall not engage any Sub-processor to carry out processing activities covered by this Agreement without the prior written consent of the Controller. Where the Controller grants general written authorisation, the Processor shall notify the Controller of any intended additions or replacements to Sub-processors, giving the Controller the opportunity to object.

Where Sub-processors are engaged, the Processor shall impose data protection obligations on them that are equivalent to those in this Agreement. The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations.

The Processor's current authorised Sub-processors are listed in Schedule B. The Controller's execution of this Agreement constitutes prior written consent to the use of those Sub-processors.

4.5 Assisting the Controller — Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organisational measures to enable the Controller to respond to requests from Data Subjects exercising their rights under UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). Upon receiving any direct request from a Data Subject in connection with the Project, the Processor shall promptly forward it to the Controller and shall not respond to the Data Subject directly without the Controller's prior written consent.

4.6 Assisting the Controller — Compliance

The Processor shall assist the Controller in ensuring compliance with its obligations under UK GDPR Articles 32–36, including:

  • security of processing (Article 32)
  • notification of Personal Data Breaches to the Supervisory Authority (Article 33)
  • communication of Personal Data Breaches to Data Subjects (Article 34)
  • Data Protection Impact Assessments (Article 35)
  • prior consultation with the Supervisory Authority (Article 36)

4.7 Deletion or Return of Personal Data

Upon termination or expiry of this Agreement, or upon written request by the Controller at any time, the Processor shall, at the Controller's election:

  • securely delete all Personal Data processed under this Agreement (including all copies held by Sub-processors); or
  • return all Personal Data to the Controller in a commonly used, machine-readable format.

The Processor shall provide written confirmation of deletion or return within 30 calendar days of the request, unless retention is required under UK law, in which case the Processor shall notify the Controller accordingly.

4.8 Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement and shall permit and contribute to audits and inspections carried out by the Controller or its appointed auditor, on reasonable notice (not less than 30 days, except in the event of a suspected breach). The cost of any audit shall be borne by the Controller unless the audit reveals a material breach, in which case the Processor shall bear reasonable audit costs.

4.9 Notification of Unlawful Instructions

If the Processor considers that any instruction from the Controller infringes UK GDPR, the DPA 2018, or other applicable data protection law, it shall promptly notify the Controller in writing and may suspend processing of the relevant data until the Controller confirms or modifies the instruction.


5. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement. Such notification shall include, to the extent then available:

  • a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  • the name and contact details of the Processor's data protection contact point
  • a description of the likely consequences of the breach
  • a description of measures taken or proposed to address the breach and, where possible, to mitigate its effects

Where all the above information cannot be provided simultaneously, the Processor may provide it in phases, without undue further delay. The Processor shall document all Personal Data Breaches and shall cooperate fully with the Controller and, where required, with the Supervisory Authority.

ℹ Note: The Controller is responsible for determining whether a breach requires notification to the ICO (within 72 hours under UK GDPR Article 33) or to affected Data Subjects (Article 34). The Processor's 24-hour notification obligation is designed to give the Controller sufficient time to meet its own reporting deadlines.


6. International Data Transfers

The Processor shall not transfer Personal Data outside the United Kingdom or the European Economic Area (EEA) without the prior specific written consent of the Controller.

Where such a transfer is consented to, it shall only take place if one of the following conditions is met:

  • the country of destination has been assessed by the UK Government as providing an adequate level of protection (an "adequacy decision")
  • appropriate safeguards are in place, including the use of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • a derogation under UK GDPR Article 49 applies

The Processor shall document the basis for any international transfer and provide this to the Controller on request.

The Controller's execution of this Agreement, including Schedule B, constitutes prior written consent to the international transfers described therein. Any transfers to additional countries or Sub-processors not listed in Schedule B shall require separate prior written consent.


7. Controller Obligations

The Controller agrees to:

  • ensure it has a valid lawful basis for processing Personal Data under UK GDPR before instructing the Processor
  • provide clear, documented, and lawful instructions to the Processor regarding the processing
  • ensure Data Subjects are informed of the processing in accordance with UK GDPR Articles 13 and 14 (privacy notices)
  • not instruct the Processor to process Personal Data in a manner that would violate applicable data protection law
  • promptly notify the Processor of any Data Subject requests or regulatory enquiries it receives that relate to processing carried out by the Processor
  • maintain its own records of processing activities in accordance with UK GDPR Article 30

7A. Use of AI and Automated Processing Tools

The Processor may use artificial intelligence tools and automated processing systems (including large language models) as part of its service delivery, for purposes including but not limited to: data extraction, document analysis, meeting summarisation, task management, and workflow automation.

No automated decision with legal or similarly significant effects on a Data Subject shall be made solely by automated means without the Controller's prior written consent and appropriate safeguards under UK GDPR Article 22.

AI service providers used by the Processor are listed as Sub-processors in Schedule B and are subject to the same data protection obligations.

The Processor shall, on request, provide the Controller with a summary of the AI tools in use and the categories of Personal Data they process.


8. Liability and Indemnity

8.1 General Liability

Each party shall be liable for damage caused by processing that infringes UK GDPR or this Agreement where it is responsible for that infringement. The Processor shall be exempt from liability under this clause if it proves that it is not in any way responsible for the event giving rise to the damage.

8.2 Processor Liability Cap

Subject to clauses 8.3 and 8.4, the total aggregate liability of the Processor to the Controller under or in connection with this Agreement, whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the greater of:

  • the total fees paid or payable by the Controller to the Processor in the twelve (12) months immediately preceding the event giving rise to the claim; or
  • £10,000.

8.3 Exclusion of Consequential Loss

Neither party shall be liable to the other for any indirect, special, incidental, or consequential loss or damage, including loss of profits, revenue, business, anticipated savings, data, or goodwill, howsoever arising, even if that party has been advised of the possibility of such loss.

8.4 Exceptions — Uncappable Liability

Nothing in this Agreement limits or excludes either party's liability for:

  • death or personal injury caused by negligence
  • fraud or fraudulent misrepresentation
  • any other liability that cannot be excluded or limited by law

8.5 Controller Indemnity

The Controller shall indemnify and hold harmless the Processor against any claims, fines, penalties, costs, and expenses (including reasonable legal fees) arising from:

  • the Controller's breach of UK GDPR or this Agreement
  • the Controller providing unlawful instructions to the Processor
  • the Controller's failure to ensure a valid lawful basis for processing

8.6 ICO Fines and Regulatory Action

Where a fine or other regulatory action is imposed on either party by the ICO or another supervisory authority as a result of a breach caused solely by the other party's failure to comply with its obligations under UK GDPR or this Agreement, the defaulting party shall indemnify the non-defaulting party against that fine or action.


9. Term and Termination

This Agreement shall come into force on the Effective Date and shall continue until the Services under the Project are completed and all Personal Data has been returned or deleted in accordance with clause 4.7, unless terminated earlier in accordance with this clause.

Either party may terminate this Agreement immediately on written notice if:

  • the other party commits a material breach of this Agreement that is incapable of remedy
  • the other party commits a material breach that is capable of remedy but fails to remedy it within 30 days of written notice requiring it to do so
  • the other party becomes insolvent, enters administration, or ceases to trade

Clauses 4.7 (deletion/return), 5 (breach notification as to pre-termination incidents), 8 (liability), 10 (governing law), and the obligations of confidentiality shall survive termination.

The obligations of the Processor under this Agreement shall continue for so long as the Processor (or any Sub-processor) retains any Personal Data processed under this Agreement, and shall in any event survive termination for a period of 12 months following written confirmation of deletion or return under clause 4.7.


10. General

Entire Agreement: This Agreement, together with its Schedules, constitutes the entire agreement between the parties relating to the processing of Personal Data.

Variation: This Agreement may not be amended except by a written instrument signed by both parties. Changes to Sub-processors (Schedule B) may be made by the Processor on 30 days' written notice, subject to the Controller's right to object.

Severance: If any provision of this Agreement is found by a court of competent jurisdiction to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Assignment: Neither party may assign its rights or obligations under this Agreement without the prior written consent of the other party, except that the Processor may assign to a successor entity in connection with a merger, acquisition, or sale of substantially all of its assets.

Notices: Any notice under this Agreement shall be in writing and delivered by email to the contact addresses set out in the Parties section of this page, or by recorded delivery to the registered addresses stated therein.


11. Governing Law and Jurisdiction

This Agreement is governed by and construed in accordance with the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute arising under or in connection with this Agreement.


SCHEDULE A — Details of Processing

These details apply to all client engagements. The project name, effective date, and reference are as stated on your Inflow Systems quotation or order confirmation.

Subject matter of processing: Personal data processed in connection with the implementation, configuration, customisation, migration, training, and ongoing support of the client's Odoo ERP system
Duration of processing: For the duration of the project engagement, as defined in the Statement of Work or contract, plus any post-go-live support period
Nature of processing: Access, storage, configuration, migration, testing, analysis, and display of personal data within the Odoo ERP environment; may include data import/export during migration and system testing
Purpose of processing: To configure, implement, customise, and support the client's Odoo ERP system, including setting up modules such as CRM, Accounting, Inventory, HR, and Sales as required by the engagement
Types of Personal Data: Names, email addresses, phone numbers, job titles, company names, postal addresses; financial/transaction data (invoices, purchase orders); employee/HR records (where HR module is in scope); customer and supplier contact records
Special Category Data?: No, unless the Healthcare & Pharmaceuticals module is in scope, in which case: Yes, health data (Article 9(2)(h) provision of health or social care, subject to client confirmation of lawful basis)
Categories of Data Subjects: The Controller's employees, customers, suppliers, and business contacts whose records are held within or migrated into the Odoo system
Approximate number of Data Subjects: Varies by client; typically 50 to 10,000 records depending on engagement scope (to be confirmed per project)
Frequency of processing: Ongoing during the project engagement; one-off bulk processing during data migration; periodic access during support and maintenance phases
Location(s) of processing: United Kingdom (legal domicile); European Union / Germany (cloud infrastructure: Hetzner, Odoo.sh); United States (cloud services: Google Workspace, Slack, Calendly, Anthropic); and other countries where authorised subcontractors are engaged, subject to the safeguards set out in clause 6 and Schedule B.
Retention period: Personal data retained for the duration of the engagement plus 30 days post-completion, unless a longer period is required by UK law or agreed in writing with the Controller
Return / deletion method: Upon project completion or client request: all client data exported in a standard machine-readable format (CSV/XLSX) and returned to the Controller, followed by secure deletion from Inflow Systems' systems and any test environments within 30 days. Written confirmation provided.


SCHEDULE B — Authorised Sub-processors

The following Sub-processors are authorised as at the Effective Date.

Sub-processor Name  |  Processing Activity  |  Location / Safeguards

Odoo S.A.  |  ERP platform hosting, data storage, and processing within the Odoo environment (Odoo.sh)  |  Belgium (EU); UK adequacy decision covers EU; Odoo DPA available
Google Cloud Platform  |  Infrastructure underpinning Odoo.sh; cloud hosting of client ERP data  |  EU/US; SCCs and UK IDTA in place
Google Workspace  |  Internal email, document storage, video calls, and project collaboration  |  US; SCCs and UK IDTA in place
Slack Technologies LLC  |  Internal team communication; may reference client project information  |  US; SCCs and UK IDTA in place
Calendly  |  Scheduling and booking of client meetings  |  US; SCCs and UK IDTA in place
Anthropic (Claude)  |  AI-assisted service delivery: data extraction, document analysis, meeting summarisation, task management, and workflow automation  |  US; SCCs and UK IDTA in place
Hetzner Online GmbH  |  Cloud infrastructure hosting internal automation, project tooling, and team platform  |  Germany (EU); UK adequacy decision covers EU
FreeAgent Central Ltd  |  Accounting and invoicing platform; may process client-related billing data  |  UK; domestic processing
Authorised third-party subcontractors  |  ERP implementation, configuration, customisation, and support delivery on a per-project basis  |  Various third countries; all subcontractors are bound by written data handling obligations equivalent to those in this Agreement prior to engagement


SCHEDULE C — Technical and Organisational Security Measures (TOMs)

The Processor has implemented and shall maintain the following technical and organisational security measures.

Access Control: Role-based access controls (RBAC) ensuring least-privilege access. Multi-factor authentication (MFA) required for all systems holding Personal Data.
Encryption in Transit: All Personal Data transmitted over public networks is encrypted using TLS 1.2 or higher.
Encryption at Rest: Personal Data stored on servers or portable devices is encrypted using industry-standard encryption (AES-256 or equivalent).
Pseudonymisation: Where technically feasible and appropriate, Personal Data is pseudonymised to reduce the risk of re-identification.
Patch Management: Operating systems, software, and security tools are kept up to date, with security patches applied in a timely manner.
Vulnerability Management: Regular internal and/or third-party security assessments and penetration tests are conducted on systems that process Personal Data.
Incident Response: A documented Personal Data Breach response procedure is in place, including identification, containment, notification, and review steps.
Staff Training: All personnel with access to Personal Data receive data protection and information security training at onboarding and annually thereafter.
Physical Security: Where Personal Data is processed on-site, physical access controls restrict access to authorised personnel only. Clean-desk and clear-screen policies apply.
Business Continuity: Backup and disaster recovery procedures are in place to ensure the availability and integrity of Personal Data in the event of an incident.
Third-Party Risk: Sub-processors and suppliers with access to Personal Data are assessed for data security compliance before engagement and periodically reviewed.
Data Minimisation: Only Personal Data that is necessary for the specified purpose is collected and processed. Retention limits are applied and enforced.

Additional project-specific measures: where applicable, any supplementary technical measures agreed in writing for a specific project will be appended to the order confirmation or Statement of Work for that engagement.