Data Processing Addendum

    Last Updated: November 27, 2025

    This Data Processing Addendum ("DPA") forms part of your agreement with Guardian Volt and governs how we process personal data on your behalf.

    Data Processing Terms

    1. Definitions

    In this DPA:

    • "Controller" means you, the customer, who determines the purposes and means of processing personal data.
    • "Processor" means Guardian Volt Ltd, which processes personal data on behalf of the Controller.
    • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
    • "Personal Data" means any information relating to a Data Subject.
    • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
    • "UK GDPR" means the UK General Data Protection Regulation as incorporated into UK law.

    2. Scope and Purpose of Processing

    This DPA applies to the processing of Personal Data by Guardian Volt Ltd in connection with the provision of the Guardian Volt service.

    • Subject Matter: Financial management and court reporting services for guardians/deputies
    • Duration: For the term of the service agreement plus any retention period
    • Nature of Processing: Collection, storage, organisation, retrieval, use, disclosure, and deletion
    • Purpose: Providing the Guardian Volt service including transaction tracking, categorisation, and report generation
    • Categories of Data Subjects: Users (guardians/deputies), protected persons (wards), bank account holders
    • Types of Personal Data: Identity data, contact data, financial data, transaction data, guardianship data

    3. Processor Obligations

    Guardian Volt Ltd agrees to:

    • Process Personal Data only on documented instructions from the Controller
    • Ensure that persons authorised to process Personal Data have committed to confidentiality
    • Implement appropriate technical and organisational security measures
    • Not engage another processor without prior written authorisation from the Controller
    • Assist the Controller in responding to Data Subject requests
    • Assist the Controller in ensuring compliance with security, breach notification, and DPIA obligations
    • Delete or return all Personal Data at the end of the service, at the Controller's choice
    • Make available all information necessary to demonstrate compliance with these obligations

    4. Authorised Sub-processors

    The Controller provides general authorisation for the Processor to engage the following Sub-processors:

    Sub-processor         | Purpose                               | Location    | Safeguards
    ----------------------|---------------------------------------|-------------|-------------------------------
    Amazon Web Services   | Cloud infrastructure and data storage | EU (London) | UK Addendum
    TrueLayer             | Bank account connectivity             | UK/EU       | DPA
    Anthropic             | AI transaction categorisation         | USA         | SCCs + Supplementary Measures
    OpenAI                | Backup AI processing                  | USA         | SCCs + Supplementary Measures
    Stripe                | Payment processing                    | UK/EU       | DPA
    Clerk                 | Authentication services               | USA         | SCCs
    Resend                | Email delivery                        | USA         | SCCs

    The Processor will notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object.

    5. Technical and Organisational Security Measures

    The Processor implements the following security measures:

    5.1 Encryption

    • AES-256 encryption for data at rest
    • TLS 1.3 for data in transit
    • AES-256-GCM with PBKDF2 for bank access tokens

    5.2 Access Controls

    • Multi-factor authentication required for all users
    • Role-based access control
    • Principle of least privilege

    5.3 Monitoring and Logging

    • Complete audit logging of all data access and modifications
    • Audit logs retained for 7 years
    • Security monitoring and alerting

    5.4 Infrastructure Security

    • AWS cloud infrastructure with SOC 2 certification
    • Regular security assessments
    • Incident response procedures

    6. International Data Transfers

    Where Personal Data is transferred outside the UK/EEA, such transfers are made in compliance with Chapter V of the UK GDPR through:

    • Standard Contractual Clauses (SCCs): EU Commission approved clauses incorporated by reference
    • UK International Data Transfer Addendum: Where applicable
    • Supplementary Measures: Including encryption, pseudonymisation, and access controls

    The Processor has conducted transfer impact assessments for all international transfers and maintains documentation available upon request.

    7. Assistance with Data Subject Rights

    The Processor will assist the Controller in responding to requests from Data Subjects to exercise their rights under the UK GDPR and the Data Protection Act 2018, including:

    • Access requests
    • Rectification requests
    • Erasure requests
    • Data portability requests
    • Objection to processing
    • Requests related to automated decision-making

    The Processor provides self-service data export and deletion tools within the Service. Additional assistance is available by contacting privacy@guardianvolt.com.

    8. Personal Data Breach Notification

    In the event of a Personal Data Breach, the Processor will:

    • Notify the Controller without undue delay after becoming aware of the breach
    • Aim to notify within 24 hours to allow the Controller to meet the 72-hour ICO notification requirement
    • Provide the Controller with sufficient information to meet notification obligations
    • Cooperate with the Controller in investigating and mitigating the breach
    • Document all breaches, including facts, effects, and remedial actions

    9. Audit Rights

    The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits:

    • The Controller may request compliance documentation at any time
    • On-site audits may be conducted with reasonable notice (minimum 30 days)
    • The Controller may use a qualified third-party auditor (subject to confidentiality agreements)
    • Audit costs are borne by the Controller unless the audit reveals material non-compliance

    10. Data Deletion and Return

    Upon termination of the Service or upon the Controller's request:

    • The Processor will delete or return all Personal Data within 30 days
    • Data export is available in JSON format via the Service settings
    • Deletion certificates are available upon request
    • Backup data will be deleted according to standard backup rotation (maximum 90 days)
    • Data required for legal compliance may be retained as permitted by law

    11. Liability

    Each party's liability under this DPA is subject to the limitations set out in the main Terms of Service. The Processor's total liability for all claims arising under this DPA shall not exceed the liability cap in the Terms of Service.

    12. Contact Information

    For questions about this DPA or to exercise audit rights:

    • Company: Guardian Volt Ltd
    • Privacy/DPA Email: privacy@guardianvolt.com
    • Legal Email: legal@guardianvolt.com
    • Data Protection Officer: privacy@guardianvolt.com

    By using the Guardian Volt Service, you acknowledge and agree to the terms of this Data Processing Addendum. This DPA is incorporated into and forms part of the Terms of Service.