Data Processing Agreement (DPA)

Last updated: 26 June 2026 · Version: 1.0

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Suraj Kishor Patel, trading as Sciro ("Processor", "we"), and the business customer agreeing to those Terms ("Controller", "you"). It applies where we process personal data on your behalf in providing the Services.

If there is any conflict between this DPA and the Terms on the subject of data protection, this DPA prevails.

1. Definitions

Terms such as "personal data", "processing", "data subject", "controller", "processor", and "personal data breach" have the meanings given in the UK GDPR and the Data Protection Act 2018 ("Data Protection Laws").

2. Roles

For the personal data described in Annex 1, you are the Controller and we are the Processor.

As Controller, you:

  1. determine the purposes and means of the processing and give us your instructions through the Services and this DPA;
  2. warrant that you have a valid lawful basis to provide the personal data to us, and that you have given any privacy notices and obtained any consents required for us and our sub-processors to process it as described in this DPA;
  3. are responsible for the accuracy, quality, and lawfulness of the personal data and of the instructions you give us; and
  4. have the right to give documented instructions, to obtain the deletion or return of the personal data, and to verify our compliance as set out in this DPA.

You must not instruct us to process personal data in a way that breaches Data Protection Laws.

3. Our obligations as Processor

We will:

  1. Instructions. Process the personal data only on your documented instructions, including the instructions set out in the Terms and this DPA, unless required to do otherwise by law (in which case we will inform you, unless legally prohibited).
  2. Confidentiality. Ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality.
  3. Security. Implement appropriate technical and organisational measures to protect the personal data, as described in Annex 2.
  4. Sub-processors. Engage sub-processors only as set out in Section 4.
  5. Data subject requests. Taking into account the nature of the processing, assist you by appropriate measures, insofar as possible, to respond to requests from data subjects exercising their rights.
  6. Assistance. Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation, taking into account the information available to us.
  7. Breach notification. Notify you without undue delay after becoming aware of a personal data breach affecting your personal data.
  8. Deletion or return. On termination of the Services, delete or return the personal data as set out in Section 6.
  9. Audit. Make available to you the information necessary to demonstrate compliance with our obligations under Article 28 of the UK GDPR and allow for and contribute to audits, subject to reasonable confidentiality and security conditions.
  10. Infringing instructions. Immediately inform you if, in our opinion, an instruction you give us infringes the UK GDPR or other applicable Data Protection Laws. We are not obliged to actively monitor for or seek out such infringements.

4. Sub-processors

You provide general authorisation for us to engage the sub-processors listed in Annex 3 to provide the Services. We will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give you reasonable notice of any intended addition or replacement of a sub-processor, giving you the opportunity to object on reasonable data protection grounds.

5. International transfers

Where we or our sub-processors transfer personal data outside the UK, we will ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision.

6. Deletion and return

On termination of the Services, or on your written request, we will delete the personal data within a reasonable period, except to the extent we are required to retain it by law. Deletion includes removing uploaded files from storage. You may request an export of the personal data before deletion.

7. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms.
Annex 1: Details of processing

  • Subject matter: provision of the expense and invoice management Services.
  • Duration: for the term of the Services and any retention period required by law.
  • Nature and purpose: hosting, storing, organising, analysing, and transmitting personal data to operate expense capture, mileage and invoice processing, approval workflows, reconciliation, reporting, and integrations.
  • Types of personal data: names, email addresses, job roles, expense and mileage claim details (including addresses entered for journeys), receipt and invoice contents, financial amounts, and approval records. Special-category data is not intentionally processed but may appear incidentally on uploaded documents.
  • Categories of data subjects: your employees, administrators, and other authorised users, and individuals named on receipts, invoices, or in connected systems (such as suppliers and contacts).

Annex 2: Security measures

  • Encryption of data in transit.
  • Access controls and role-based permissions.
  • Row-level security on the database isolating each organisation's data.
  • Private storage for uploaded documents, accessible only through short-lived signed links.
  • Audit logging of key actions.
  • Rate limiting and abuse prevention.
  • Regular backups.

Annex 3: Approved sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage, backups | Data hosted in Ireland (EEA); provider US-headquartered |
| Vercel | Application hosting | Data hosted in the United Kingdom (London); provider US-headquartered |
| Stripe | Payment processing | United States |
| OpenAI | Receipt and invoice data extraction | United States |
| Voyage AI (MongoDB, Inc.) | AI text embeddings used to suggest expense categories | United States |
| Resend | Transactional email delivery | United States |
| Google Maps Platform | Mileage distance calculation and address validation | United States |
| Upstash | Rate-limiting and abuse-prevention store (request identifiers) | Data hosted in the United Kingdom (London); provider US-headquartered |

Connected services that you choose to enable (such as your accounting software or HR system) act under your own direction and are not Sciro sub-processors.