← Back

Data Processing Agreement

Under UK GDPR Article 28

Data Controller ("the Firm"): [Name of accounting firm]

Data Processor ("the Provider"): Tymofii Iosypenko, operating MTD ITSA Manager

Date of Agreement: [Date to be completed on signing]

1. Background

The Firm (data controller) wishes to use the MTD ITSA Manager software service (the "Service") provided by the Provider (data processor) for the purpose of managing Making Tax Digital for Income Tax Self Assessment workflow. In doing so, the Firm will share personal data of its own clients with the Provider. This agreement sets out the terms on which the Provider will process that personal data on behalf of the Firm, as required by UK GDPR Article 28.

2. Details of processing

Subject matter: Management of MTD ITSA compliance workflow for the Firm's clients

Duration: For the duration of the Firm's subscription to the Service

Nature of processing: Storage, display, and management of tax compliance data; sending automated email reminders to clients; generating compliance reports

Purpose of processing: To enable the Firm to manage its clients' MTD ITSA quarterly submissions and annual declarations

Types of personal data: Client names, email addresses, Unique Taxpayer Reference (UTR) numbers, income and tax data

Categories of data subjects: The Firm's clients (individuals subject to MTD ITSA)

3. Processor obligations

The Provider shall:

Process personal data only on documented instructions from the Firm
Ensure that all persons authorised to process the data are subject to confidentiality obligations
Implement appropriate technical and organisational security measures
Not engage sub-processors without prior written authorisation from the Firm
Assist the Firm in meeting its obligations under UK GDPR (Articles 32–36)
Delete or return all personal data at the end of the service relationship, at the Firm's choice
Make available all information necessary to demonstrate compliance with this agreement

4. Security measures

The Provider implements the following technical and organisational measures:

Passwords stored using bcrypt hashing (not in plain text)
CSRF protection on all forms
Session management with secure cookie settings
Access controls — each firm's data is isolated from other firms
Restricted server access
Regular application updates and security patches

5. Authorised sub-processors

The Firm authorises the use of the following sub-processors:

Stripe Inc. — payment processing only (does not process client personal data)
Google / Gmail — transactional email delivery to the Firm's clients
VPS hosting provider — server infrastructure

The Provider will notify the Firm of any intended changes to sub-processors, giving the Firm opportunity to object.

6. Data subject rights

The Provider will assist the Firm in responding to requests from data subjects exercising their rights under UK GDPR. Requests should be directed to tymofiiiosypenko@gmail.com and will be acted upon within 30 days.

7. Data breach notification

The Provider will notify the Firm without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach involving the Firm's data, providing sufficient information to enable the Firm to meet its own notification obligations to the ICO.

8. Return and deletion of data

Upon termination of the subscription, the Provider will make available a data export for 30 days. After 30 days from termination, all the Firm's data and the personal data of its clients will be permanently deleted from the Provider's systems, unless retention is required by law.

9. HMRC disclaimer

MTD ITSA Manager is a workflow management tool only. It does not submit any data to HMRC or any other government body on behalf of the Firm or its clients. The Firm remains solely responsible for all statutory submissions to HMRC.

10. Governing law

This agreement is governed by the laws of England and Wales.

For the Data Controller (the Firm):

Signature

Name and title

Date

For the Data Processor (MTD ITSA Manager):

Signature — Tymofii Iosypenko

Date