Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") is made between Finssist Ltd ("Processor") and its clients ("Controller"). It outlines the terms under which personal data is processed through the Mortgage Assist Pro platform in compliance with UK GDPR.

2. Definitions

• Controller: The client using Mortgage Assist Pro who determines the purpose of processing personal data.
• Processor: Finssist Ltd, responsible for processing data on behalf of the Controller.
• Data Subject: Individuals whose personal data is processed.
• Processing: Any operation performed on personal data (e.g., collection, storage, analysis).
• Personal Data: Names, addresses, financial information (tax calculations, payslips, contracts, P60s, credit card statements, accounts).

3. Scope of Processing

• The Processor processes personal data only as instructed by the Controller.
• Users input/upload data, which is extracted and structured by AI models.
• Data is stored in AWS UK (eu-west-2) and retained for 30 days before automatic deletion.

4. Security Measures

• Data is encrypted at rest (AES-256) and in transit (TLS 1.2).
• Access is restricted to authorized personnel only.
• Multi-factor authentication (MFA) is enforced for administrative access.

5. Third-Party Processors

• AI processing is performed using Anthropic and OpenAI LLMs.
• AWS (UK, eu-west-2) is used for both data storage and document processing.
• Developer access for training and improvement of AI models is provided to authorized personnel in India.
• Any updates to third-party processors will be communicated to Controllers.

6. International Data Transfers

• Data access by developers in India is conducted through secure software interfaces.
• Cross-border transfers comply with Standard Contractual Clauses (SCCs) under UK GDPR.
• Controller consents to international data processing for AI training purposes.

7. Data Breach & Incident Response

• Processor shall notify Controller within 72 hours if a data breach occurs.
• Incident response steps:
  • Identification – Detect and analyze the breach.
  • Containment – Secure affected systems and prevent further impact.
  • Notification – Inform the ICO (if required) and affected Controllers.
  • Remediation – Take corrective actions to prevent recurrence.
• If a breach involves AI processing errors, corrective measures will be applied to system training.

8. Data Subject Rights

• Processor shall assist Controller in responding to data subject requests for access, correction, deletion, and portability.
• Users may request deletion of personal data before the 30-day retention period expires.

9. Termination & Data Deletion

• Upon termination of services, all personal data will be deleted within 30 days.
• Data deletion confirmation can be requested by the Controller.

10. Governing Law & Dispute Resolution

This DPA is governed by the laws of England and Wales. Any disputes shall be resolved in UK courts.

Privacy Policy

1. Introduction

This Privacy Policy explains how Finssist Ltd ("we," "us," "our") collects, processes, and protects personal data through the Mortgage Assist Pro platform.

2. Data We Collect

• Personal Information: Names, addresses, tax documents, payslips, contracts, P60s, credit card statements, bank statements.
• Usage Data: IP addresses, login timestamps, device/browser information.
• AI-Processed Data: Structured financial data extracted from uploaded documents.

3. How We Use Data

• To provide mortgage case-checking services.
• To improve AI models (with anonymized data).
• To comply with regulatory requirements.

4. Legal Basis for Processing

• Legitimate Interest: Processing financial documents for case-checking.
• Contractual Obligation: Service provision under agreed terms.
• Consent: Where applicable (e.g., for marketing communications).

5. Data Sharing & Third-Party Processors

• AI processing via Anthropic, OpenAI.
• Cloud storage on AWS UK (eu-west-2).
• Developer access in India for AI training (compliant with SCCs).

6. Data Retention & Deletion

• Data is stored for 30 days and automatically deleted.
• Users may request deletion before the 30-day period.

7. Data Security Measures

• AES-256 encryption (at rest) and TLS 1.2 encryption (in transit).
• Access controls & multi-factor authentication (MFA).
• Regular security audits.

8. User Rights

• Users can request access, correction, deletion, or data export.
• Requests can be sent to info@mortgageassistpro.co.uk.

9. Data Breach Notification

• Users will be informed within 72 hours if their data is compromised.
• Regulatory authorities (ICO) will be notified as required.

10. Governing Law

This Privacy Policy is governed by the laws of England and Wales.

11. Contact Information

For any privacy-related inquiries, contact info@mortgageassistpro.co.uk.

Home