Lexendo

Data Processing Agreement

Last updated: 18 May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Lexendo Ltd and the subscribing firm (“Controller”). By creating an account and using the Lexendo platform, the Controller agrees to the terms of this DPA.

1. Definitions

Controller means the accounting firm or practice that has subscribed to the Lexendo platform and determines the purposes and means of processing personal data entered into the platform.

Processor means Lexendo Ltd (company number 17177825), registered in England and Wales, whose registered office is at 304 Carr Road, Northolt, UB5 4RL.

Data Protection Law means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended from time to time.

Personal Data, Processing, Data Subject and Personal Data Breach have the meanings given in Data Protection Law.

Sub-processor means any third party engaged by Lexendo Ltd to process personal data on behalf of the Controller.

2. Scope and Nature of Processing

Lexendo Ltd processes personal data on behalf of the Controller solely to provide the Lexendo platform and its associated features, including employment tax risk assessments, client portfolio management, AI-assisted analysis, and report generation.

Types of personal data processed:

  • Employer client names, addresses, and company registration details
  • Employee names and benefit-in-kind information (for P11D assessments)
  • Contractor and engagement details (for IR35 assessments)
  • Payroll and remuneration data entered for assessment purposes
  • Any other personal data the Controller uploads to the platform

Categories of data subjects: Employees, directors, and contractors of the Controller’s employer clients.

Duration: For the duration of the Controller’s active subscription, and as required by applicable law thereafter.

3. Processor Obligations

Lexendo Ltd shall, in its capacity as Processor:

  • Process personal data only on documented instructions from the Controller, unless required to do so by law
  • Ensure that all persons authorised to process personal data are subject to binding confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures in accordance with Article 32 UK GDPR
  • Not engage any sub-processor without the Controller’s general authorisation (granted by acceptance of this DPA) and in compliance with clause 6 of this DPA
  • Assist the Controller in responding to data subject rights requests to the extent reasonably practicable
  • Notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting the Controller’s data
  • Assist the Controller with its obligations under Articles 32 to 36 UK GDPR, including data protection impact assessments
  • At the Controller’s election, delete or return all personal data upon termination of services, unless retention is required by law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Controller Obligations

The Controller warrants and represents that:

  • It has a lawful basis for processing and sharing with Lexendo Ltd all personal data it uploads to the platform
  • It has provided adequate privacy notices to the relevant data subjects (employees and contractors of its employer clients) covering processing by third-party service providers
  • Its instructions to Lexendo Ltd will at all times comply with Data Protection Law
  • It has included Lexendo Ltd in its own records of processing activities as a data processor

5. AI Processing and the Anthropic and Voyage AI APIs

The Lexendo platform uses artificial intelligence provided by Anthropic, PBC (“Anthropic”) and embedding services provided by Voyage AI, Inc. (“Voyage AI”) via their respective APIs. When the Controller uses AI-assisted features (including employment tax assessments, the audit module, and the Lex AI assistant), personal data entered for those features is transmitted to Anthropic’s API for processing. To enable retrieval of relevant HMRC guidance and case law in response to Lex queries, the query text is also transmitted to Voyage AI’s API to generate a mathematical embedding used solely to search Lexendo’s knowledge base.

Key facts about Anthropic API processing:

  • Anthropic does not use data submitted via its API to train its AI models
  • Data transmitted to the Anthropic API is processed transiently and is not retained by Anthropic beyond the immediate API request
  • Anthropic holds a SOC 2 Type II attestation
  • Anthropic’s Data Processing Addendum (including Standard Contractual Clauses and a UK GDPR Addendum) is incorporated into its Commercial Terms of Service, accessible at anthropic.com/legal/data-processing-addendum

Key facts about Voyage AI API processing:

  • Voyage AI does not use data submitted via its API to train its embedding models
  • Query text is processed transiently to produce a numerical embedding and is not retained beyond the immediate request
  • The resulting embedding is used solely by Lexendo Ltd to retrieve relevant knowledge-base entries; it is not shared with any further third party
  • Standard Contractual Clauses are in place for the transfer to Voyage AI’s US infrastructure

The Controller accepts this processing by using AI-assisted features on the platform. If the Controller requires assessments to be conducted without AI processing, it should contact support@lexendo.co.uk.

6. Sub-processors

The Controller grants Lexendo Ltd general authorisation to engage the following sub-processors. Lexendo Ltd will notify the Controller of any intended changes to this list with reasonable notice.

Sub-processor      Purpose                                         Location
Supabase Inc.      Database storage and user authentication        EU (Ireland)
Anthropic, PBC     AI-assisted assessment and analysis features    USA (SCCs in place)
Voyage AI, Inc.    Text embeddings for Lex AI assistant retrieval  USA (SCCs in place)
Vercel Inc.        Platform hosting and deployment                 USA (SCCs in place)
Resend Inc.        Transactional email delivery                    USA (SCCs in place)
Stripe, Inc.       Payment processing and subscription management  USA/EU (SCCs in place)

All sub-processors are bound by data processing agreements consistent with the requirements of UK GDPR Article 28. Standard Contractual Clauses (SCCs) are in place for all transfers to processors outside the UK/EEA.

7. Security Measures

Lexendo Ltd implements and maintains the following technical and organisational security measures:

  • All data in transit encrypted via TLS 1.2 or higher (HTTPS)
  • All data at rest encrypted using AES-256
  • Row level security (RLS) enforced at the database level: each firm can only access its own data
  • Authentication via Supabase Auth with support for multi-factor authentication
  • API keys and secrets stored as environment variables, never in source code
  • Access to production systems restricted to authorised personnel only
  • Regular security reviews and dependency updates
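The row level security measure above is the control that keeps one firm's records invisible to another at the database layer rather than only in application code. The following is an added illustration of what such a policy looks like on Postgres/Supabase; it is example SQL, not Lexendo's actual schema or policies, and the table name `clients`, the `firm_id` column and the `firm_id` claim inside the JWT's `app_metadata` are assumed for the purpose of the example.

```sql
-- Added example of per-firm tenant isolation with Postgres row level security.
-- Table, column and JWT claim names are assumed, not Lexendo's real schema.
create table clients (
  id         uuid primary key default gen_random_uuid(),
  firm_id    uuid not null,   -- the subscribing firm that owns this row
  name       text not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default on a new table: every tenant-scoped table must opt in.
-- FORCE makes the policies apply to the table owner as well.
alter table clients enable row level security;
alter table clients force row level security;

-- The caller's firm, read from the JWT that Supabase attaches to the request.
-- app_metadata is set server-side and cannot be edited by the end user,
-- unlike user_metadata, so it is the only safe place for a tenant claim.
create or replace function current_firm_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'firm_id', '')::uuid
$$;

-- Reads: a firm sees only its own rows.
create policy clients_select_own_firm on clients
  for select to authenticated
  using (firm_id = current_firm_id());

-- Inserts: a row can only be created inside the caller's own firm.
create policy clients_insert_own_firm on clients
  for insert to authenticated
  with check (firm_id = current_firm_id());

-- Updates: the row must already belong to the firm (USING) and must still
-- belong to it afterwards (WITH CHECK), so firm_id cannot be re-pointed.
create policy clients_update_own_firm on clients
  for update to authenticated
  using (firm_id = current_firm_id())
  with check (firm_id = current_firm_id());

-- Deletes: only rows belonging to the caller's firm.
create policy clients_delete_own_firm on clients
  for delete to authenticated
  using (firm_id = current_firm_id());
```

Two caveats a reviewer of this measure would check: the Supabase `service_role` key bypasses RLS entirely, so any server-side code that uses it must enforce the firm check itself; and a policy only protects tables on which RLS has actually been enabled, so each new tenant-scoped table (and any view over it) needs the same treatment.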

8. International Data Transfers

Personal data is primarily stored within the EU (Supabase, Ireland region). Where data is transferred to processors outside the UK/EEA (Anthropic, Voyage AI, Vercel, Resend, Stripe), Lexendo Ltd ensures appropriate safeguards are in place in the form of Standard Contractual Clauses (SCCs) approved for use under UK GDPR.

9. Data Retention and Deletion

Lexendo Ltd retains personal data entered into the platform for the duration of the Controller’s active subscription.

Upon termination or cancellation of the subscription, personal data will be retained for a further 90 days to allow for reactivation, after which it will be securely deleted unless a longer retention period is required by applicable law.

The Controller may request earlier deletion by contacting support@lexendo.co.uk. Deletion will be completed within 30 days of the verified request.

10. Personal Data Breaches

In the event of a Personal Data Breach affecting the Controller’s data, Lexendo Ltd will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach

Suspected Personal Data Breaches involving the platform should be reported to Lexendo Ltd at support@lexendo.co.uk.

11. Audit Rights

The Controller may request information reasonably necessary to verify Lexendo Ltd’s compliance with this DPA by submitting a written request to support@lexendo.co.uk. Lexendo Ltd will respond within 30 days. Where an on-site audit is requested, the parties will agree terms, timing, and cost in advance.

12. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

For all data protection queries, requests, or breach notifications:

Lexendo Ltd
304 Carr Road, Northolt, UB5 4RL
Email: support@lexendo.co.uk

© 2026 Lexendo · Terms · Privacy · DPA · Security · Powered by Norvanta