Data Processing Agreement

How we process your clients' data on your behalf

Version 3.0 | Last updated: February 2026

1. The Relationship

This Data Processing Agreement (“DPA”) sets out how we handle your clients’ personal data when you use PrompTax. It is incorporated into and supplements the Beta Terms.

You are the Data Controller. When you upload your clients’ data to PrompTax, you decide what data to process and why. You have a direct relationship with your clients and are responsible for how their data is used. You are a controller established in the United Kingdom.

We are the Data Processor. PrompTax Ltd (company number 16908139, registered office at 6 Marlborough Drive, Sandbach, CW11 1SP, ICO registration ZC092274) processes your clients’ data on your behalf and according to your documented instructions (which are: “provide the PrompTax service as described in the Beta Terms”). We don’t decide what to do with the data — we process it to give you the service you’ve signed up for.

2. Scope of Processing

To comply with UK GDPR Article 28(3), here are the details of the processing we carry out:

Subject matter and purpose: Extracting trade data from uploaded documents using AI, and calculating UK Capital Gains Tax

Duration: For as long as your PrompTax account is active, plus any post-termination retention period described in section 9

Nature of processing: Collection, storage, extraction (via AI), computation, organisation, and retrieval

Categories of data subjects: Your clients (individual taxpayers whose CGT you are calculating)

Types of personal data we may process:

Identity data: Names, addresses, National Insurance numbers, Unique Taxpayer References (UTRs)

Financial data: Transaction records, account numbers, trade details, portfolio holdings, dividend records

Tax data: Capital gains calculations, tax year information, allowance usage, SA108 data

3. Our Obligations

We process only on your documented instructions. We will only process your clients’ data to provide the PrompTax service. We won’t use it for our own purposes, sell it, or share it except as described in this DPA. If we’re ever required by law to process the data for any other reason, we’ll tell you in advance (unless the law prevents us from doing so).

Confidentiality. Everyone at PrompTax who has access to your clients’ data is bound by contractual confidentiality obligations and has committed to confidentiality in accordance with Article 28(3)(b) of the UK GDPR. We limit access to those who need it to provide the service.

Security measures (Article 32). We protect your clients’ data using:

Encryption in transit (TLS 1.2+ / HTTPS for all connections)

Encryption at rest (AES-256 via AWS default encryption for storage and databases)

Secure password storage (hashed using industry-standard algorithms)

Multi-factor authentication available for all accounts

Rate limiting and abuse prevention

AWS infrastructure security (eu-west-2, London)

Regular security updates and monitoring

Access controls limiting who can access production data

We’re a small company, so we don’t yet have SOC 2 or ISO 27001 certification. We’re transparent about what we do have and we review our security measures regularly.

4. Sub-processors

You give us general written authorisation to engage sub-processors to help provide the service. Our current sub-processors are listed on our Subprocessors page. As of the date of this DPA, they are:

AWS (UK) — Hosting and data storage (London)

Anthropic (US) — Primary AI provider for document extraction. Does not use data for training. Retains data up to 30 days for trust & safety. Transfer mechanism: SCCs + UK International Data Transfer Addendum.

Google LLC (US) — Secondary AI provider for document extraction. Does not use paid API data for training. Retains data up to 30 days for security. Transfer mechanism: Google Cloud DPA + SCCs.

Stripe (US/EU) — Payment processing. Transfer mechanism: Stripe DPA + SCCs.

AWS SES (UK) — Email delivery (London region)

Changes to sub-processors: If we intend to add or replace a sub-processor that handles your clients’ personal data, we’ll notify you by email at least 30 days in advance. If you have a reasonable objection to the new sub-processor, you can notify us within that 30-day period and we’ll work with you to find a solution. If we can’t resolve your objection, you may terminate your account and we’ll assist with data export and deletion.

We ensure that all sub-processors are bound by data protection obligations no less protective than those in this DPA.

5. Data Subject Requests

If any of your clients contact us directly about their data, we’ll refer them to you and let you know promptly. If you need our help to respond to a data subject access request, deletion request, or any other request under UK GDPR, we’ll assist you within a reasonable timeframe (and in any event within 10 working days).

6. Data Breach Notification

If we become aware of a personal data breach affecting your clients’ data, we’ll notify you without undue delay and within 48 hours of becoming aware of the breach. Our notification will include:

A description of the nature of the breach

The categories and approximate number of data subjects affected (if known)

The likely consequences of the breach

The measures we’ve taken or propose to take to address the breach

A contact point for further information

This gives you time to assess whether you need to notify the ICO (within 72 hours of becoming aware) and/or the affected individuals.

7. Your Responsibilities

Lawful basis for sharing data. By uploading client data to PrompTax, you confirm that you have the necessary legal basis and permissions to do so. This typically means having an appropriate engagement letter with your clients that covers the use of third-party software.

Inform your clients. Your professional body (ICAEW, ACCA, etc.) likely requires you to tell clients about the tools and software you use. Please ensure your privacy notices and engagement letters cover the use of platforms like PrompTax, including the fact that data may be processed by AI providers in the United States.

Lawful instructions. You control what data you upload and how you use PrompTax. You’re responsible for ensuring that your instructions to us (i.e., your use of the service) are lawful.

8. Audit and Verification

We’ll make available to you the information reasonably necessary to demonstrate our compliance with this DPA and UK GDPR Article 28. This includes:

Answering questions about our data processing practices

Providing documentation about our security measures

Making available any relevant certifications or audit reports we obtain

Discussing any specific concerns you have

We’ll also allow for and contribute to reasonable audits. Given our size, we’d prefer to handle audit requests through documentation and remote review in the first instance. If a more formal audit is required, we will permit on-site audits with at least 30 days’ written notice, during normal business hours, no more than once per calendar year, and at the requesting party’s reasonable cost. We won’t unreasonably refuse an audit request. Please contact us at contact@promptax.com to discuss.

9. When the Relationship Ends

When your PrompTax account ends (for any reason), you have a choice:

Return: You can request that we export and return all your clients’ data to you in a structured, commonly used format.

Deletion: You can request that we delete all your clients’ data.

We’ll carry out your choice within 30 days of your request and confirm completion in writing. If you don’t give us instructions within 60 days of your account ending, we’ll delete the data.

Some data may remain in encrypted backups for up to 90 days after deletion (for disaster recovery), after which it will be automatically purged. Additionally, our AI sub-processors (Anthropic and Google) may retain processed data for up to 30 days for trust and safety purposes in accordance with their data processing terms, after which it is automatically deleted.

Upon completion of deletion, we will delete or return all copies of personal data in our possession, except where retention is required by applicable law.

10. Assistance with Compliance

We’ll assist you, to the extent reasonably practical, with:

Responding to data subject requests (see section 5)

Meeting your data security obligations (Article 32)

Breach notification and communication (see section 6)

Data protection impact assessments, if you determine one is needed for your use of PrompTax

Prior consultation with the ICO, if required

11. International Transfers

Where personal data is transferred to sub-processors outside the United Kingdom (currently Anthropic and Google, both based in the United States), we rely on Standard Contractual Clauses approved by the ICO, supplemented by the UK International Data Transfer Addendum where applicable.

We have conducted transfer risk assessments for each international sub-processor in accordance with ICO guidance, considering the legal framework in the destination country and any supplementary measures in place. These assessments are reviewed periodically and are available on request.

12. Legal Framework

This DPA is governed by the laws of England and Wales. It supplements (and is incorporated into) the Beta Terms you’ve accepted. If there’s any conflict between this DPA and the Beta Terms on data protection matters, this DPA takes precedence.

This DPA is designed to comply with the UK GDPR (the retained EU GDPR as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018. If you’re also subject to EU GDPR (because you have EU-based clients), the same protections apply.

Questions? Email contact@promptax.com.