Data Processing Agreement
Last updated: 18 January 2026
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between you ("Customer", "Controller") and Numerint Limited ("Numerint", "Processor") for the use of Numerint's services.
1. Definitions and Interpretation
Applicable Data Protection Law means all applicable data protection and privacy legislation, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018, and all applicable guidance and codes of practice issued by relevant supervisory authorities.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, and Supervisory Authority have the meanings given in Applicable Data Protection Law.
Services means the data export and storage services provided by Numerint as described in the Terms and Conditions.
Sub-processor means any third party engaged by Numerint to Process Personal Data on behalf of the Customer.
Terms and Conditions means Numerint's standard terms available at https://numerint.com/terms
Other capitalised terms not defined herein have the meanings given in the Terms and Conditions.
2. Scope and Roles
2.1 Relationship of the Parties
The parties acknowledge that for the purposes of Applicable Data Protection Law:
- Customer is the Controller of Personal Data
- Numerint is the Processor acting on behalf of the Customer
- This DPA sets out the terms on which Numerint will Process Personal Data
2.2 Duration and Subject Matter
This DPA governs the Processing of Personal Data for the duration of the Services and as specified in Schedule 1 (Details of Processing).
3. Numerint's Processing Obligations
3.1 Processing Instructions
Numerint shall:
- Process Personal Data only on documented instructions from the Customer (as set out in this DPA and the Terms and Conditions)
- Not Process Personal Data for any purpose other than providing the Services
- Immediately inform the Customer if, in Numerint's opinion, an instruction infringes Applicable Data Protection Law
3.2 Confidentiality
Numerint shall ensure that persons authorised to Process Personal Data:
- Are subject to appropriate confidentiality obligations
- Receive adequate training on data protection requirements
- Process Personal Data only as necessary to provide the Services
3.3 Compliance with Law
If Numerint is required by law to Process Personal Data in a manner not instructed by the Customer, Numerint shall inform the Customer of that legal requirement before Processing (unless prohibited by law from doing so).
4. Security Measures
4.1 Technical and Organisational Measures
Numerint shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Schedule 2 (Security Measures).
4.2 Security Standards
The security measures shall take into account:
- The state of the art
- The costs of implementation
- The nature, scope, context and purposes of Processing
- The risks to the rights and freedoms of Data Subjects
5. Sub-processing
5.1 Authorised Sub-processors
The Customer authorises Numerint to engage the Sub-processors listed in Schedule 3 (Sub-processors).
5.2 Changes to Sub-processors
Numerint shall notify the Customer at least 30 days in advance by email of any intended changes to Sub-processors, including addition or replacement of Sub-processors.
5.3 Objection Rights
The Customer may object to a new Sub-processor on reasonable data protection grounds by notifying Numerint within 14 days of receiving notice. If the parties cannot resolve the objection within 30 days, either party may terminate the affected Services without penalty.
5.4 Sub-processor Obligations
Numerint shall:
- Impose data protection obligations on Sub-processors that are no less protective than those in this DPA
- Remain fully liable for the acts and omissions of Sub-processors
6. Data Subject Rights
6.1 Assistance with Data Subject Requests
Numerint shall, taking into account the nature of the Processing, provide reasonable assistance to enable the Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.
6.2 Forwarding Requests
If Numerint receives a request directly from a Data Subject, Numerint shall promptly forward it to the Customer and shall not respond to the request without the Customer's prior written authorisation.
7. Personal Data Breaches
7.1 Notification
Numerint shall notify the Customer without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach affecting the Customer's Personal Data.
7.2 Information Provided
The notification shall include, to the extent known:
- The nature of the Personal Data Breach
- The categories and approximate number of Data Subjects and Personal Data records concerned
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
7.3 Cooperation
Numerint shall:
- Cooperate with the Customer in investigating the breach
- Provide such information as the Customer reasonably requires
- Take reasonable steps to mitigate the effects of the breach
- Not inform third parties of the breach except as required by law or with the Customer's prior consent
8. Data Protection Impact Assessments and Consultations
Numerint shall provide reasonable assistance to the Customer (at the Customer's expense) with:
- Data protection impact assessments
- Prior consultations with Supervisory Authorities
- Other compliance activities under Applicable Data Protection Law
Such assistance may be subject to additional fees for extensive work.
9. International Transfers
9.1 Location of Processing
Numerint Processes Personal Data in the locations specified in Schedule 3 (Sub-processors).
9.2 Transfer Mechanisms
Where Personal Data is transferred outside the UK or EEA to a jurisdiction that does not provide an adequate level of protection, the parties shall implement appropriate safeguards in accordance with Applicable Data Protection Law, including Standard Contractual Clauses where necessary.
9.3 Standard Contractual Clauses
Where required, the Standard Contractual Clauses set out in Schedule 4 (International Transfer Provisions) shall apply.
10. Audit Rights
10.1 Demonstration of Compliance
Numerint shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including:
- Documentation of security measures
- Relevant policies and procedures
- Copies of audit reports or certifications (if available)
10.2 Audits
The Customer may, upon reasonable written notice and no more than once per year (unless required by law or in response to a suspected breach), conduct an audit of Numerint's compliance with this DPA. Any audit shall:
- Be conducted during normal business hours
- Not unreasonably interfere with Numerint's operations
- Be subject to reasonable confidentiality obligations
10.3 Audit Costs
The Customer shall bear the costs of any audit, except where the audit reveals a material breach by Numerint, in which case Numerint shall reimburse the Customer's reasonable audit costs.
11. Return and Deletion of Personal Data
11.1 Upon Termination
Upon termination of the Services, Numerint shall (at the Customer's option):
- Make all Personal Data available for download by the Customer in the format provided by the Services; or
- Securely delete all Personal Data in accordance with the Customer's deletion instructions
11.2 Customer-Controlled Deletion
The Customer may delete their Personal Data at any time using the "Disconnect" function in the Services, which provides three options:
- Instant deletion: Data deleted within minutes of confirmation
- Deletion after 2-week grace period: Data deleted after 2 weeks unless the Customer reconnects
- Deletion after 1 year of inactivity: Data retained for regular re-exports but automatically deleted after 12 months of inactivity
11.3 Automatic Disconnection and Deletion
- After 2 weeks of inactivity, Numerint will automatically disconnect the Customer's accounting system connection
- After 12 months of inactivity, Numerint will automatically delete the Customer's Personal Data
For more details about data deletion options, see: https://numerint.com/faq#security
11.4 Legal Retention
If Numerint is required by law to retain Personal Data, it shall:
- Inform the Customer of the legal requirement
- Isolate and protect the Personal Data from further Processing
- Delete the Personal Data when the retention period expires
11.5 Certification
Upon request, Numerint shall certify in writing that it has complied with its deletion obligations.
11.6 Retention of Business Records
This Section 11 applies to the Customer's exported accounting data (the data exported from the Customer's accounting system and made available for download). It does not apply to Numerint's own business records, which include:
- Customer account information (company name, email address, contact details)
- Transaction records (invoices, payment records, order history)
- Service usage logs and audit trails
Numerint retains these business records as a data controller (not as a data processor) for the following purposes:
- Compliance with legal obligations (including UK tax law requiring retention of accounting records for 6 years)
- Establishment, exercise, or defence of legal claims
- Fraud prevention and detection
These business records are retained in accordance with Numerint's Privacy Policy (https://numerint.com/privacy) and are subject to different retention periods than the Customer's exported data.
12. Records and Documentation
Numerint shall maintain records of all Processing activities carried out on behalf of the Customer, including:
- The categories of Processing
- Transfers to third countries (if any)
- A general description of technical and organisational security measures
13. Liability and Indemnity
13.1 Liability Cap
Numerint's liability under this DPA shall be subject to the limitations set out in the Terms and Conditions, except where such limitations are prohibited by Applicable Data Protection Law.
13.2 Indemnity
Each party shall indemnify the other against losses, damages, costs and expenses (including reasonable legal fees) arising from breach of its obligations under this DPA or Applicable Data Protection Law, to the extent caused by the indemnifying party's acts or omissions.
14. Term and Termination
14.1 Term
This DPA shall remain in effect for so long as Numerint Processes Personal Data on behalf of the Customer.
14.2 Termination for Breach
The Customer may terminate this DPA (and the Terms and Conditions) immediately upon written notice if Numerint materially breaches this DPA and fails to remedy the breach within 14 days.
14.3 Survival
Provisions that by their nature should survive termination (including obligations relating to return/deletion of Personal Data, confidentiality, and liability) shall continue in effect.
15. General Provisions
15.1 Conflict
In the event of conflict between this DPA and the Terms and Conditions, this DPA shall prevail to the extent of the conflict.
15.2 Changes to this DPA
Numerint may update this DPA from time to time to reflect:
- Changes in Applicable Data Protection Law
- Changes in Numerint's data processing practices
- Guidance from Supervisory Authorities
Numerint shall notify Customers of material changes by email at least 30 days in advance. Continued use of the Services after such changes constitutes acceptance.
15.3 Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales.
15.4 Notices
All notices under this DPA shall be sent to:
- Numerint: info@numerint.com
- Customer: The email address provided during registration
15.5 Severability
If any provision of this DPA is found to be unenforceable, the remaining provisions shall remain in full force and effect.
Schedule 1: Details of Processing
Subject Matter
Access to Personal Data within the Customer's accounting system (currently Xero) for the purpose of exporting and storing accounting data.
Duration
For the duration of the Customer's use of the Services. Personal Data is automatically deleted:
- Immediately upon Customer request via the "Disconnect" function
- After 2 weeks if the Customer selects the grace period option
- After 12 months of account inactivity (default retention option)
Nature and Purpose of Processing
Numerint provides data export and archival services. The Processing involves:
- Reading accounting data and files from the Customer's accounting system via API (OAuth 2.0 read-only access)
- Temporarily storing data on ephemeral infrastructure (AWS Lambda and ECS Fargate) during the export process
- Durably storing the exported data in object storage (Amazon S3) for the retention period chosen by the Customer
- Making the aggregated data available for download by the Customer via secure TLS-encrypted connection
- Retaining data according to the Customer's chosen retention period (configurable via the "Disconnect" function)
- Automatic disconnection after 2 weeks of inactivity
- Automatic deletion after 12 months of inactivity (unless Customer specifies earlier deletion)
Categories of Data Subjects
- The Customer's customers, suppliers, and business partners
- Employees and contractors of the Customer and its business contacts
Types of Personal Data
Numerint exports all accounting data from the Customer's accounting system as detailed at https://numerint.com/#what_is_included. This data may include Personal Data within the following categories:
- Contact information: Names, business addresses, email addresses, phone numbers
- Financial information: Bank account details, VAT/tax numbers, payment information
- Professional information: Job titles, company names, business relationships
- Transaction data: Invoice details, payment records, purchase orders, expense claims
- Banking data: Bank transactions, account details, reconciliation data
- Attachments and files: Any files attached to accounting records (PDFs, images, receipts, contracts, etc.) which may contain Personal Data depending on their content
Not all data exported by Numerint will necessarily contain Personal Data (e.g., product catalogues, general ledger codes, tax rates). However, where Personal Data is present within any of the exported accounting data or attached files, it will be Processed in accordance with this DPA.
Sensitive Data
Numerint does not intentionally Process special categories of Personal Data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data). If such data is inadvertently included in the Customer's accounting data, it shall be Processed subject to the same protections as other Personal Data.
Schedule 2: Security Measures
Numerint implements the following technical and organisational measures:
1. Infrastructure Security
- Cloud Provider: Amazon Web Services (AWS) operating in the Ireland (eu-west-1) region
- Physical Security: AWS data centres with ISO 27001 certification and SOC 2 Type II compliance
- Network Security: All data transfer occurs over TLS-encrypted connections
- Infrastructure as Code: Automated deployment processes to ensure consistent security configurations
2. Data Security
- Encryption at Rest: All Personal Data stored in:
  - AWS Lambda ephemeral storage (AES-256 encryption)
  - AWS ECS Fargate ephemeral storage (AES-256 encryption)
  - Amazon S3 object storage (server-side encryption with AWS-managed keys)
- Encryption in Transit: All data transfers use TLS 1.2 or higher
- Data Minimisation: Numerint does not transform or copy Personal Data unnecessarily
3. Access Controls
- Authentication:
  - Customers authenticate using their existing accounting system credentials (OAuth 2.0)
  - Numerint administrators use multi-factor authentication (hardware MFA devices)
- Authorisation:
  - Customers grant Numerint read-only access to their accounting data via OAuth 2.0
  - Access can be revoked by the Customer at any time through:
    - The "Disconnect" function in Numerint's Services
    - The accounting system's "Disconnect Connected Apps" feature (e.g., in Xero)
  - When disconnected, Numerint can no longer access the Customer's accounting system
- Principle of Least Privilege: Access to systems and data is restricted to what is necessary for job functions
4. System Availability and Resilience
- High Availability: Use of AWS services with built-in redundancy and fault tolerance
- Data Durability: Amazon S3 Standard storage class with 99.999999999% durability
- Backup: Source data remains in the Customer's accounting system (Numerint is not the system of record)
5. Operational Security
- Logging: Security-relevant events are logged and monitored
- Vulnerability Management: Regular updates and security patches applied to systems
- Incident Response: Documented procedures for detecting and responding to security incidents
6. Personnel Security
- Background Checks: Where required and permitted by law, background checks on personnel with access to Personal Data
- Confidentiality: All personnel with access to Personal Data are bound by confidentiality obligations
- Training: Regular training on data protection and security requirements
7. Development Security
- Secure Development: Security considerations integrated into the software development lifecycle
- Code Review: Code changes reviewed before deployment
- Testing: Security testing of systems and applications
8. Monitoring and Testing
- Security Monitoring: Continuous monitoring of security events and anomalies
- Regular Reviews: Periodic review and update of security measures
9. Data Segregation
- Customer Isolation: Each Customer's data is logically segregated using unique identifiers
- No Cross-Customer Access: Technical controls prevent one Customer from accessing another Customer's data
10. Limitations
Numerint does not transform or mask Personal Data. If the Customer requires data minimisation, pseudonymisation, or anonymisation, these measures must be implemented within the Customer's accounting system before export.
Schedule 3: Sub-processors
Authorised Sub-processors
| Sub-processor | Services Provided | Location of Processing | Additional Information |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud infrastructure services (compute, storage, networking) | Ireland (eu-west-1 region) | AWS Data Processing Agreement applies. Details: https://aws.amazon.com/service-terms/ |
Sub-processor Data Protection
AWS provides the infrastructure for all Numerint services. AWS complies with:
- EU-US Data Privacy Framework
- Standard Contractual Clauses
- ISO 27001, SOC 2 Type II, and other international security standards
For full details of AWS data protection measures, see:
- AWS Data Protection Agreement: https://aws.amazon.com/service-terms/
- AWS Compliance: https://aws.amazon.com/compliance/
- AWS Data Center Controls: https://aws.amazon.com/compliance/data-center/controls/
Changes to Sub-processors
Numerint shall provide at least 30 days' notice before engaging additional Sub-processors or making material changes to existing Sub-processor arrangements.
Schedule 4: International Transfer Provisions
Data Location
All Personal Data is stored in the Ireland (EU/EEA) region using AWS infrastructure (eu-west-1).
Administrative Access
Numerint administrators, who are based in the United Kingdom, may access Personal Data stored in Ireland for the following purposes:
- Technical support and fault diagnosis
- Security incident response
- Analysis at the Customer's request
Such access does not constitute a "transfer" of Personal Data to the UK, as the data remains stored in Ireland. Administrators access the data remotely via secure, encrypted connections.
Transfers Within Adequate Jurisdictions
As both Ireland (EEA) and the United Kingdom have adequate data protection frameworks:
- Ireland is within the EEA and subject to the EU GDPR
- The United Kingdom has adequacy decisions covering transfers from the EEA
- No additional transfer mechanisms beyond standard contractual safeguards are required for access between these jurisdictions
Transfers Outside the UK/EEA
Numerint does not transfer Personal Data to any jurisdiction outside the UK or EEA, except as follows:
Sub-processor Transfers
Personal Data may be transferred to Sub-processors as listed in Schedule 3. Currently:
- Amazon Web Services (AWS) processes data in the Ireland region (eu-west-1), which is within the EEA
- AWS may provide support services that involve access from other jurisdictions, governed by AWS's Data Processing Agreement and Standard Contractual Clauses
Transfer Mechanisms for AWS
Where AWS accesses data from jurisdictions outside the EEA/UK:
- AWS Data Processing Agreement applies (incorporating EU Standard Contractual Clauses)
- AWS UK GDPR Addendum applies where required
- AWS maintains certifications including ISO 27001, SOC 2 Type II
- Full details: https://aws.amazon.com/compliance/
Standard Contractual Clauses
Where required by Applicable Data Protection Law, the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) shall apply, with the following specifications:
- Module 2 (Controller to Processor) applies
- Customer is the data exporter
- Numerint is the data importer (where applicable)
- Clause 7 (Docking Clause): Available for use
- Clause 9(a): General authorisation for Sub-processors (as per Section 5 of this DPA)
- Governing Law: Laws of England and Wales
- Forum: Courts of England and Wales
- Annexes: Schedules 1, 2, and 3 of this DPA constitute the Annexes to the Standard Contractual Clauses
UK Transfers
For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), as issued by the UK Information Commissioner's Office, shall apply where required by law.
Changes to Data Location
Numerint shall notify the Customer at least 30 days in advance of any changes to the regions where Personal Data is stored or any changes to applicable transfer mechanisms.
Acceptance
By accepting the Terms and Conditions or by using the Services, the Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement.
For questions about this DPA, please contact Numerint at info@numerint.com.
Numerint Limited
9 Kingswell Road
Bournemouth, England
BH10 5DF
United Kingdom
Company Number: 14386813