TradesOffice

Data Processing Agreement

Effective: 15 May 2026 · Last updated: 15 May 2026 · ICO: ZC133896

This Data Processing Agreement ("DPA") forms part of the agreement between Trades Office Limited ("TradesOffice", "Processor", "we", "us") and the customer using the TradesOffice Service ("Customer", "Controller", "you").

Company Number: 17181500 · ICO Registration Number: ZC133896

This DPA applies where TradesOffice processes personal data on behalf of the Customer in connection with the TradesOffice platform, applications and related services (the "Service"). This DPA is intended to satisfy the requirements of Article 28 UK GDPR.

1. Definitions

"Controller" has the meaning given under UK GDPR;
"Processor" has the meaning given under UK GDPR;
"Data Subject" means any identified or identifiable individual whose personal data is processed under this DPA, including customers, clients and contacts of the Customer;
"Personal Data" means personal data processed by TradesOffice on behalf of the Customer;
"Sub-Processor" means any third party appointed by TradesOffice to process personal data on its behalf;
"UK GDPR" means the UK General Data Protection Regulation.

2. Scope of Processing

TradesOffice provides operational administration software for UK trades businesses.

Subject matter	Processing personal data to deliver the TradesOffice operational administration service
Duration	For the term of the subscription, plus the retention periods set out in Section 13
Nature of processing	Collection, storage, analysis, structuring, retrieval, use and deletion of personal data to generate invoices, quotes, expense records, mileage records, CIS records and operational communications
Purpose	Providing operational administration functionality for trades businesses on the Controller's instruction
Types of personal data	Customer names, contact details, addresses, job information, payment amounts, uploaded images, voice note transcriptions, and operational business records
Categories of data subjects	The Controller's customers, clients and contacts; and any other individuals referenced in operational records or messages submitted through the Service

TradesOffice processes personal data solely for the purpose of providing and operating the Service.

3. Controller & Processor Roles

The Customer acts as the data controller. TradesOffice acts as the data processor.

The Customer is responsible for:

determining the lawful basis for processing;
ensuring data accuracy;
providing required privacy notices;
and ensuring the lawful use of the Service;

TradesOffice processes personal data only on documented instructions from the Customer, except where otherwise required by law. For the purposes of this DPA, documented instructions include operational messages, uploads, requests and actions submitted by the Customer through the Service.

4. Nature & Purpose of Processing

Processing activities may include:

storing operational business records;
generating invoices and quotes;
AI-assisted drafting and classification;
generating accountant exports;
processing uploaded images and voice notes;
transmitting operational communications;
and maintaining platform audit logs;

The purpose of processing is to provide operational administration functionality for trades businesses.

5. AI Processing

TradesOffice uses third-party AI providers including OpenAI and Anthropic to assist with:

message interpretation;
operational classification;
receipt analysis;
voice transcription;
and drafting functions;

Customer data submitted through the Service is not used by TradesOffice to train general-purpose AI models.

AI-generated outputs are assistive drafts only and should be reviewed by the Customer before legal or commercial reliance.

6. Confidentiality

TradesOffice shall ensure that persons authorised to process personal data:

are subject to confidentiality obligations;
access personal data only on a need-to-know basis;
and are provided with appropriate security and privacy training where applicable;

At present, TradesOffice operates as a sole-founder business with restricted administrative access.

7. Security Measures

TradesOffice implements technical and organisational measures designed to protect personal data.

Measures implemented by TradesOffice may include:

encryption at rest;
TLS 1.2+ encrypted data transmission;
multi-factor authentication;
access controls;
audit logging;
infrastructure monitoring;
restricted administrative access;
managed cloud infrastructure;
rate limiting on authentication and public endpoints;
row-level security controls to isolate customer records at database level;
and incident monitoring;

TradesOffice uses managed infrastructure providers including Supabase and Vercel.

Operational audit logs are designed to record workflow and system events and are not intended to store full message content.

8. Sub-Processors

TradesOffice may engage approved Sub-Processors to provide parts of the Service.

Current Sub-Processors may include:

Supabase;
Vercel;
Twilio;
OpenAI;
Anthropic;
Stripe;
Resend;
Upstash;
Google APIs;
PostHog;
and Sentry;

A current list of approved Sub-Processors is maintained in the TradesOffice Sub-Processors Policy.

Where TradesOffice intends to appoint a new Sub-Processor involving new international transfers of personal data, at least 30 days' notice will be provided through updates to the Sub-Processors Policy.

TradesOffice shall ensure that Sub-Processors are subject to appropriate data protection obligations.

9. International Transfers

Some Sub-Processors may process personal data outside the United Kingdom.

Where international transfers occur, TradesOffice will implement appropriate safeguards including:

adequacy regulations;
UK International Data Transfer Agreements (IDTAs);
Standard Contractual Clauses (SCCs);
or equivalent lawful mechanisms;

10. Data Subject Rights & DPIA Assistance

TradesOffice shall provide reasonable assistance to the Customer where required to support responses to:

subject access requests;
deletion requests;
correction requests;
restriction requests;
and other applicable data subject rights;

Where TradesOffice directly receives a data subject request relating to Customer-controlled data, TradesOffice will forward the request to the Customer within 5 business days.

TradesOffice shall also provide reasonable assistance to the Customer in meeting obligations under UK GDPR Articles 32–36, including security assessments, breach notification and Data Protection Impact Assessments (DPIAs), where such assistance is reasonably requested and within TradesOffice's ability to provide.

The Customer remains responsible for responding to data subject requests and complying with applicable UK GDPR obligations.

11. Personal Data Breaches

TradesOffice shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer personal data.

Breach notifications may include:

the nature of the breach;
categories of affected data;
likely consequences;
and measures taken or proposed to address the breach;

The Customer remains responsible for assessing whether notification to the Information Commissioner's Office (ICO) or affected data subjects is legally required. Where legally required, TradesOffice will comply with applicable UK GDPR breach notification obligations.

12. Audit Rights

TradesOffice may provide reasonable written information to demonstrate compliance with this DPA.

Direct infrastructure audits, penetration testing or unrestricted access to systems are not permitted.

Audit or compliance requests must:

be reasonable and proportionate;
avoid disruption to the Service;
protect the confidentiality and security of other customers;
be requested with at least 30 days' written notice;
and be conducted at the Customer's cost;

TradesOffice may charge reasonable administrative fees for responding to extensive audit or compliance requests.

13. Data Retention & Deletion

Customer data may remain accessible for up to 90 days following cancellation or termination to allow export.

After this period, data may be deleted unless retention is required:

by law;
for legitimate regulatory obligations;
or for security or fraud prevention purposes;

Certain operational records may be retained for up to 7 years where required for tax, accounting or legal obligations. TradesOffice cannot delete financial records within this period even on erasure request, as HMRC regulations require retention.

Uploaded photographs and raw voice recordings are typically deleted within 24 hours after processing or transcription.

Operational audit logs are retained for up to 12 months.

On written request following the end of the applicable retention period, TradesOffice will confirm in writing that Customer personal data has been deleted in accordance with this DPA and applicable retention obligations.

14. Data Export

The Service provides self-service export functionality for operational records including:

income exports;
expense exports;
mileage exports;
CIS exports;
and accountant export packs;

TradesOffice does not currently provide enterprise migration or managed offboarding services.

15. Limitation of Liability

Liability relating to this DPA shall be subject to the limitation of liability provisions contained within the TradesOffice Terms of Service.

16. Changes to this DPA

TradesOffice may update this DPA from time to time. Where material changes affect processing obligations or rights, reasonable notice will be provided.

17. Governing Law

This DPA shall be governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over disputes relating to this DPA.

18. Contact Information

Questions relating to this DPA or data protection matters may be directed to: [email protected]

Trades Office Limited
Company No. 17181500
Hexham, Northumberland, United Kingdom
ICO Registration Number: ZC133896