Data Processing Agreement
KLP-POL-004 | Version 1.0 | Effective: 25 March 2026
Last reviewed: 17 April 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Klipy UK Limited (Company No. 15984744), acting as the Data Controller ("Controller"), and the third-party services used by the Rizq platform, acting as Data Processors ("Processors"). This DPA complies with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Scope of Processing
The Rizq platform processes the following categories of personal data in the course of its merchant lead intelligence and commission tracking operations:
| Data Category | Examples | Retention |
|---|---|---|
| Lead contact data | Director name, email, phone, business address | 3 years |
| Merchant financial data | Card turnover, transaction fees, commission amounts | 7 years |
| Merchant statements | Payment processing statements uploaded for analysis | Not stored (processed in transit) |
| Company registry data | Company number, SIC codes, registered addresses, directors | 3 years |
3. Sub-Processors
The Controller authorises the use of the following sub-processors for the purposes described. Each sub-processor has been assessed for adequate data protection measures.
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic (Claude AI) | Statement analysis, lead scoring, AI briefings | USA | UK-US DPF, zero-retention API |
| Airtable | Lead pipeline synchronisation | USA | UK-US DPF, SOC 2 Type II |
| Supabase (PostgreSQL) | Primary database hosting | EU (Frankfurt) | UK Adequacy Decision, SOC 2 |
| Vercel | Application hosting and CDN | Global (Edge) | UK-US DPF, SOC 2 Type II |
| Companies House | Company data enrichment | UK | Public authority, UK jurisdiction |
4. Obligations of the Controller
The Controller shall ensure that personal data is processed lawfully and in accordance with the UK GDPR, maintain accurate records of processing activities, conduct Data Protection Impact Assessments where required, ensure data subjects are informed of their rights, and respond to data subject access requests within one calendar month.
5. Obligations of Processors
Each Processor shall process personal data only on documented instructions from the Controller, ensure that persons authorised to process the data are subject to confidentiality obligations, implement appropriate technical and organisational security measures, assist the Controller in responding to data subject requests, delete or return all personal data upon termination of the service, and make available all information necessary to demonstrate compliance.
6. Security Measures
The following security measures are implemented across the platform: encryption at rest (AES-256) and in transit (TLS 1.3), role-based access control with principle of least privilege, bcrypt password hashing with brute-force protection, CSRF protection on all authenticated endpoints, session tokens with secure cookie flags, audit logging of data access and modifications, and regular dependency security updates.
7. Data Breach Notification
In the event of a personal data breach, the Controller shall notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach (where the breach is likely to result in a risk to data subjects). Affected data subjects shall be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
8. International Transfers
Where personal data is transferred outside the UK, the Controller ensures appropriate safeguards are in place. Transfers to the USA are covered by the UK Extension to the EU-US Data Privacy Framework. Transfers to the EU are covered by the UK Adequacy Decision. No personal data is transferred to countries without adequate protection measures.
9. Data Subject Rights
Data subjects may exercise their rights under UK GDPR including the right of access, rectification, erasure, restriction of processing, data portability, and objection. Requests should be directed to admin@klipy.uk. The GDPR data export feature in the Platform settings facilitates subject access requests.
10. Term and Termination
This DPA shall remain in effect for the duration of the processing. Upon termination of any Processor agreement, the Processor shall, at the Controller's election, delete or return all personal data processed on behalf of the Controller and delete existing copies unless storage is required by applicable law.
11. Contact
Data Controller: Mohammad Jamal Abid, Director, Klipy UK Limited
Email: admin@klipy.uk
Teya Solutions Ltd. is authorised by the Financial Conduct Authority under the E-Money Regulations 2011 (Reference no. 978181).
Klipy UK Limited. Company No. 15984744.
Back to Home