Data Processing Agreement (DPA)
Last updated: May 28, 2026
1. Definitions
For purposes of this DPA:
- “Controller” means the entity determining the purposes and means of processing personal data.
- “Processor” means FinTech Intelligence Ltd acting as a processor on behalf of the Controller.
- “Personal Data” has the meaning given under applicable data protection laws.
- “Processing” means any operation performed on personal data.
- “UK GDPR” means the United Kingdom General Data Protection Regulation.
- “EU GDPR” means Regulation (EU) 2016/679.
- “Services” means the services provided through https://address-to-iso20022.com.
- “Sub-processor” means a third party engaged by the Processor to process personal data.
2. Scope
This DPA forms part of the Terms of Service.
The Processor shall process personal data solely:
- on behalf of the Controller;
- in accordance with documented instructions from the Controller; and
- for the purpose of providing the Services.
3. Nature and Purpose of Processing
3.1 Categories of Personal Data
The Processor may process:
- Address-related data
- Postal codes and country information
- Approximate geocoding coordinates generated from submitted addresses
- Account and billing information
- API request metadata and IP addresses
3.2 Processing Activities
Processing activities may include:
- Parsing and normalizing address data
- Address validation and formatting
- Geocoding
- Security monitoring and abuse prevention
- Billing and usage measurement
- Service reliability and debugging
3.3 Duration
Personal data shall be processed only for the duration necessary to provide the Services and comply with applicable legal obligations.
Address data submitted through the API is processed transiently and is not permanently stored except where reasonably necessary for:
- Security monitoring
- Fraud prevention
- Debugging and service reliability
- Billing disputes
- Legal compliance
4. Controller Obligations
The Controller represents and warrants that:
- it has all necessary rights and lawful bases to disclose personal data to the Processor;
- it shall comply with applicable data protection laws;
- it shall not submit special category personal data unless explicitly agreed in writing.
5. Processor Obligations
5.1 Instructions
The Processor shall process personal data only on documented instructions from the Controller unless otherwise required by law.
5.2 Confidentiality
The Processor shall ensure that personnel authorized to process personal data are subject to confidentiality obligations.
5.3 Security Measures
The Processor shall implement appropriate technical and organizational security measures, including:
- Encryption in transit using TLS/HTTPS
- Access controls and authentication
- Role-based access restrictions
- Logging and monitoring
- Vulnerability management procedures
- Backup and recovery processes
5.4 No Sale or Advertising Use
The Processor shall not:
- sell Customer Personal Data;
- disclose Customer Personal Data to advertising networks or data brokers; or
- use Customer Personal Data to build unrelated commercial datasets.
5.5 AI and Machine Learning Restrictions
Unless explicitly agreed in writing, the Processor shall not use Customer Personal Data to train general-purpose artificial intelligence or machine learning models unrelated to providing the Services.
5.6 Personal Data Breaches
The Processor shall notify the Controller without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data.
6. Sub-processors
6.1 Authorization
The Controller authorizes the Processor to engage Sub-processors in connection with the Services.
6.2 Current Sub-processors
Current Sub-processors may include:
- Cloudflare
- Vercel
- Stripe
- Hetzner
The Processor may update Sub-processors from time to time.
6.3 Sub-processor Obligations
The Processor shall impose data protection obligations on Sub-processors substantially similar to those set out in this DPA.
7. Data Subject Rights
Taking into account the nature of processing, the Processor shall provide reasonable assistance to the Controller in responding to requests from data subjects.
The Processor shall not independently respond to data subject requests unless legally required.
8. International Transfers
Where personal data is transferred outside the United Kingdom or European Economic Area, the Processor shall implement appropriate safeguards, including:
- Standard Contractual Clauses;
- UK International Data Transfer Addendum;
- adequacy decisions; or
- other lawful transfer mechanisms.
9. Audits
Upon reasonable written request, and no more than once annually unless required by law or following a confirmed security incident, the Processor shall provide reasonable information necessary to demonstrate compliance with this DPA.
Audits shall:
- occur during normal business hours;
- avoid disruption to operations;
- be subject to confidentiality obligations; and
- not require access to systems, data, or information belonging to other customers.
The Controller shall bear audit costs unless material non-compliance is identified.
10. Data Deletion and Return
Upon termination of Services, the Processor shall delete or return Customer Personal Data unless retention is required by applicable law.
11. Liability
Liability under this DPA shall be subject to limitations and exclusions set out in the Terms of Service to the extent permitted by law.
12. Governing Law
This DPA shall be governed by the laws of England and Wales.
Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
13. Updates
We may update this DPA from time to time to reflect changes in law, regulation, or processing practices.
Material changes will be published on this page.
14. Contact Information
Privacy Contact
Email: privacy@address-to-iso20022.com
Address: Level39, One Canada Square, London E14 5AB, United Kingdom
15. Acceptance
By using the Services, the Controller acknowledges and agrees to this DPA.