Data Processing Agreement (DPA)
1. Introduction
This Data Processing Agreement ("DPA") is made between Finssist Ltd ("Processor") and its clients
("Controller"). It outlines the terms under which personal data is processed through the Mortgage Assist Pro
platform in compliance with UK GDPR.
2. Definitions
- Controller: The client using Mortgage Assist Pro who determines the purpose of
processing personal data.
- Processor: Finssist Ltd, responsible for processing data on behalf of the Controller.
- Data Subject: Individuals whose personal data is processed.
- Processing: Any operation performed on personal data (e.g., collection, storage,
analysis).
- Personal Data: Names, addresses, financial information (tax calculations, payslips,
contracts, P60s, credit card statements, accounts).
3. Scope of Processing
- The Processor processes personal data only as instructed by the Controller.
- Users input/upload data, which is extracted and structured using automated processing tools.
- Data is stored on UK-based cloud infrastructure and retained for 90 days before automatic deletion.
4. Security Measures
- Data is encrypted at rest and in transit using industry-standard encryption protocols.
- Access is restricted to authorised personnel only.
- Multi-factor authentication (MFA) is enforced for administrative access.
5. Sub-Processors
The Processor engages the following categories of sub-processors:
- AI Processing: Third-party AI service providers for document analysis and data
extraction.
- Cloud Infrastructure: UK-based cloud hosting services for data storage and processing.
- Technical Support: Authorised personnel in approved jurisdictions may access systems
for development and maintenance purposes.
A detailed list of current sub-processors is available upon request. Controllers will be notified of any
material changes to sub-processors.
6. International Data Transfers
- Where data is accessed from outside the UK, such access is conducted through secure interfaces and
complies with Standard Contractual Clauses (SCCs) under UK GDPR.
- All international transfers are subject to appropriate safeguards as required by data protection
legislation.
7. Data Breach & Incident Response
Processor shall notify Controller within 72 hours if a data breach occurs.
- Identification – Detect and analyse the breach.
- Containment – Secure affected systems and prevent further impact.
- Notification – Inform the ICO (if required) and affected Controllers.
- Remediation – Take corrective actions to prevent recurrence.
8. Data Subject Rights
- Processor shall assist Controller in responding to data subject requests for access, correction,
deletion, and portability.
- Users may request deletion of personal data before the 90-day retention period expires.
9. Termination & Data Deletion
- Upon termination of services, all personal data will be deleted within 90 days.
- Data deletion confirmation can be requested by the Controller.
10. Governing Law & Dispute Resolution
This DPA is governed by the laws of England and Wales. Any disputes shall be resolved in UK courts.
Privacy Policy
1. Introduction
This Privacy Policy explains how Finssist Ltd ("we," "us," "our") collects, processes, and protects personal
data through the Mortgage Assist Pro platform.
2. Data We Collect
- Personal Information: Names, addresses, tax documents, payslips, contracts, P60s,
credit card statements, bank statements.
- Usage Data: IP addresses, login timestamps, device/browser information.
- Processed Data: Structured financial data extracted from uploaded documents.
3. How We Use Data
- To provide mortgage case-checking services.
- To maintain and improve our services.
- To comply with regulatory requirements.
4. Legal Basis for Processing
- Legitimate Interest: Processing financial documents for case-checking.
- Contractual Obligation: Service provision under agreed terms.
- Consent: Where applicable (e.g., for marketing communications).
5. Data Sharing & Third-Party Processors
We work with the following categories of service providers:
- AI service providers for document analysis and data extraction.
- Cloud infrastructure providers (UK-based) for secure data storage.
- Technical personnel in approved jurisdictions for system maintenance (subject to appropriate
safeguards).
We do not sell personal data to third parties.
6. Data Retention & Deletion
- Data is stored for 90 days and automatically deleted.
- Users may request deletion before the 90-day period.
7. Data Security Measures
- Industry-standard encryption at rest and in transit.
- Access controls and multi-factor authentication (MFA).
- Regular security audits.
8. User Rights
Users can request access, correction, deletion, or data export. Requests can be sent to [email protected].
9. Data Breach Notification
- Users will be informed within 72 hours if their data is compromised.
- Regulatory authorities (ICO) will be notified as required.
10. Governing Law
This Privacy Policy is governed by the laws of England and Wales.
11. Contact Information
For any privacy-related inquiries, contact [email protected].