
Data Processing Addendum

Article 28 UK GDPR addendum to the AI TaxPilot Terms and Conditions

Aicountant Ltd (trading as AI TaxPilot) Version 1.0 — Effective 01 May 2026


This Data Processing Addendum ("DPA") forms part of the agreement ("Agreement") between Aicountant Ltd, trading as AI TaxPilot, a company registered in England and Wales under company number 17193613 with its registered office at 61 Bridge Street, Kington, United Kingdom, HR5 3DJ ("Aicountant", "we", "us"), and the customer that has accepted the AI TaxPilot Terms and Conditions ("Customer", "you"). This DPA applies to the extent we process Personal Data on Customer's behalf in connection with the Service.

1. Definitions

Capitalised terms not defined here have the meanings given in the Agreement or, where applicable, in the UK GDPR and the Data Protection Act 2018:

  • "Data Protection Laws" — the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) and any successor legislation.
  • "Customer Personal Data" — Personal Data processed by us on behalf of Customer in connection with the Service, as further described in Schedule 1.
  • "Sub-processor" — any third party engaged by us to process Customer Personal Data, as listed in Schedule 2.
  • "Personal Data", "Controller", "Processor", "Processing", "Data Subject" and "Personal Data Breach" — as defined in the UK GDPR.

2. Roles of the parties

  • For Customer Personal Data we host and process at Customer's instruction (such as Customer's books, invoices, transaction data and uploaded documents), Customer is the Controller and Aicountant is the Processor.
  • For Personal Data we process for our own purposes (such as account administration, billing, security, fraud prevention, regulatory compliance and the fraud prevention headers we are legally required to send to HMRC), Aicountant is an independent Controller and our Privacy Policy applies.
  • Where Customer is itself a Processor for an upstream Controller (for example, an accountant acting for a client), Customer warrants that the upstream Controller has authorised the engagement of Aicountant as a Sub-processor on these terms.

3. Subject matter, duration, nature, purpose

The subject matter, duration, nature, purpose, type of Personal Data and categories of Data Subjects are set out in Schedule 1.

4. Customer instructions

  • We will process Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, except where required by law (in which case we will inform Customer of that legal requirement before processing, unless prohibited by law).
  • The Agreement (including the Service configuration options chosen by Customer) constitutes Customer's complete and final documented instructions to us.
  • If we believe an instruction infringes Data Protection Laws, we will notify Customer.

5. Confidentiality

We will ensure that personnel authorised to process Customer Personal Data are subject to a duty of confidentiality (whether contractual or statutory) and have received appropriate data-protection training.

6. Security of processing

We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, having regard to the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing. The measures we currently apply are described in Schedule 3. We may update them from time to time provided the level of protection is not materially diminished.

7. Sub-processors

  • Customer grants Aicountant general written authorisation to engage Sub-processors, on the condition that we impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.
  • Our current Sub-processors are listed in Schedule 2.
  • We will give Customer at least 30 days' notice (by email or in-app message) of any intended addition or replacement of a Sub-processor. Customer may object on reasonable data-protection grounds within that period; if we cannot resolve the objection, Customer may terminate the affected part of the Service for convenience and receive a pro-rata refund of pre-paid fees for the remainder of the Subscription Term.
  • We remain liable to Customer for the acts and omissions of our Sub-processors as if they were our own.

8. Assistance with Data Subject rights

Taking into account the nature of the processing, we will provide reasonable assistance — by appropriate technical and organisational measures, in so far as this is possible — to enable Customer to respond to requests from Data Subjects exercising their rights under the UK GDPR. Where a Data Subject contacts us directly about Customer Personal Data, we will pass the request to Customer without undue delay.

9. Personal Data Breach

  • We will notify Customer without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data.
  • Our notification will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
  • We will provide reasonable cooperation to Customer in meeting Customer's own breach-notification obligations to the ICO and affected Data Subjects.

10. Data Protection Impact Assessments

On reasonable request and at Customer's cost, we will provide reasonable assistance to Customer with Data Protection Impact Assessments and prior consultations with the ICO under Articles 35–36 UK GDPR, in each case in relation to the Service.

11. Deletion or return of Customer Personal Data

  • On termination or expiry of the Agreement, we will, at Customer's choice, delete or return all Customer Personal Data, save where retention is required by law (including HMRC tax-record retention requirements).
  • We will retain Customer Personal Data in read-only form for at least 30 days after termination to allow Customer to export, after which we will delete or anonymise it on a rolling basis.
  • Backup copies will be overwritten in the ordinary course, normally within 90 days.
  • Where we are required to retain data by law, we will restrict further processing to that purpose and apply appropriate safeguards.

12. Audits and information

  • We will make available to Customer the information reasonably necessary to demonstrate compliance with our obligations under Article 28 UK GDPR.
  • We will allow for, and contribute to, audits — including inspections — conducted by Customer or another auditor mandated by Customer, no more than once in any 12-month period (more often if required by a competent supervisory authority or following a Personal Data Breach), on at least 30 days' written notice and during normal business hours.
  • Audits will be conducted in a way that does not unreasonably interfere with our business and will be subject to confidentiality. Where we hold an applicable independent third-party audit report or certification, we may satisfy this clause by providing it.

13. International transfers

  • Customer Personal Data is primarily processed in the United Kingdom.
  • Where a Sub-processor is located outside the UK, we will rely on a valid transfer mechanism — UK adequacy regulations (including the UK extension to the EU-US Data Privacy Framework where applicable), the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.
  • Where the IDTA or UK Addendum applies, the parties incorporate it into this DPA by reference and agree the relevant tables on request.

14. Liability

Each party's liability under this DPA is subject to the liability limits set out in the Agreement. Nothing in this DPA limits a party's liability where it cannot be limited under Data Protection Laws or other applicable law.

15. General

  • If there is any conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict and only in relation to processing of Customer Personal Data.
  • We may update this DPA from time to time where required by law or to add functionality. Where changes are material we will give Customer at least 30 days' notice.
  • This DPA is governed by the laws of England and Wales.

Schedule 1 — Description of processing

Subject matter: Provision of the AI TaxPilot software-as-a-service for Making Tax Digital (MTD) record-keeping, calculation, validation and submission to HMRC.

Duration: For the term of the Agreement and the period required to delete or return Customer Personal Data on termination.

Nature and purpose: Hosting, organising, structuring, storing, retrieving, consulting, using, transmitting (including to HMRC), and erasing Customer Personal Data, plus AI-assisted categorisation, extraction and validation of tax data.

Categories of Data Subject: Customer's principals, employees, contractors, clients, suppliers and (for accountants/agents) end-clients whose tax data is processed in the Service.

Categories of Personal Data: Identity data (name, business name); contact data (email, address, phone); tax identifiers (UTR, VAT number, NI number); financial and accounting data; transaction records; documents uploaded by Customer; communications and support tickets; technical and usage data.

Special category data: Not intentionally collected; may incidentally appear in uploaded documents. Customer must not upload special category data unless strictly necessary, and warrants it has a lawful basis under Article 9 UK GDPR.

Frequency: Continuous for the duration of the Agreement.

Schedule 2 — Sub-processors

Each entry below gives the Sub-processor, its role, the location of processing, and the transfer mechanism relied on where processing takes place outside the UK.

GoDaddy.com, LLC (and group)
  Role: Hosting and infrastructure
  Location of processing: United Kingdom / European Economic Area (with limited US support functions)
  Transfer mechanism: UK adequacy / IDTA where applicable

Stripe Payments Europe Ltd; Stripe, Inc.
  Role: Payment processing for subscriptions
  Location of processing: Ireland / United States
  Transfer mechanism: UK adequacy (UK extension to EU-US Data Privacy Framework) and/or IDTA

Microsoft Corporation (Microsoft 365, provided through GoDaddy)
  Role: Business email and document storage
  Location of processing: European Economic Area / United States
  Transfer mechanism: UK adequacy (UK extension to EU-US Data Privacy Framework)

Anthropic PBC
  Role: AI / large language model processing for AI-assisted features (no model training on Customer Data)
  Location of processing: United States
  Transfer mechanism: UK Addendum to EU SCCs / UK extension to EU-US Data Privacy Framework

Aicountant maintains an up-to-date Sub-processor list. To receive notifications of changes, please subscribe by email to privacy@aicountant.co.uk.

Schedule 3 — Technical and organisational measures

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest for production databases, backups and document storage.
  • Role-based access controls applying the principle of least privilege.
  • Multi-factor authentication for staff and administrators.
  • Network segregation, firewalls and continuous monitoring.
  • Vulnerability scanning and patching on a defined schedule.
  • Independent penetration testing at least annually.
  • Documented secure-development practices, including code review and dependency scanning.
  • Regular, encrypted backups with tested restore procedures.
  • Documented incident response and breach notification procedures aligned with the 72-hour ICO notification requirement.
  • Data-protection and information-security training for all personnel on induction and at least annually.
  • Confidentiality obligations on all personnel and a documented joiner/leaver process.
  • Physical security of office locations and supplier-managed data centres.
  • Disaster recovery and business continuity plans, tested at least annually.
  • Records of processing activities maintained under Article 30 UK GDPR.

Acceptance

This DPA is incorporated into and forms part of the Agreement. Customer accepts this DPA by accepting the Agreement or by continuing to use the Service. Customer may also request a counter-signed copy by contacting privacy@aicountant.co.uk.

For and on behalf of Aicountant Ltd:

Name: Haroon Ibrahim

Title: Director / Data Protection Officer

Signature: _____________________________

Date: _________________________________

For and on behalf of Customer:

Name: _________________________________

Title: ________________________________

Signature: _____________________________

Date: _________________________________


Questions? Contact our Data Protection Officer at dpo@aitaxpilot.com or write to Aicountant Ltd, England & Wales.

© 2026 AIcountant Ltd. All rights reserved. AI TaxPilot is a trading name of Aicountant Ltd.