Data Processing Agreement
Last updated: May 2026 — UK GDPR Article 28
1. Parties
Controller: The accountant or bookkeeper who subscribes to PenaltyProof (the customer).
Processor: PenaltyProof, operated by Chavannes Ltd (Company No. 17198260), a private limited company registered in England and Wales.
This agreement is entered into automatically when the Controller creates an account and uses the PenaltyProof service. By subscribing, the Controller accepts the terms of this agreement.
2. Subject matter and scope of processing
PenaltyProof processes publicly available data from the Companies House public API on behalf of the Controller solely to provide the filing-deadline monitoring and alert service. The Processor does not access, collect, or process any confidential client financial data, tax records, or information beyond what is publicly listed at Companies House.
Data processed includes:
- UK company registration numbers (submitted by the Controller)
- Company names and filing-deadline dates (retrieved from the Companies House public API)
- The Controller's email address (used to send filing alerts)
3. Categories of data subjects
Directors and company secretaries of UK limited companies whose details appear on the public Companies House register. All such data is already published by Companies House under UK company law and is not confidential in nature.
4. Lawful basis for processing
Processing of publicly listed Companies House data is carried out under Article 6(1)(f) UK GDPR (legitimate interests). The legitimate interest is enabling accountants and bookkeepers to monitor their clients' statutory filing obligations — an activity that benefits both the Controller and the data subjects (companies and their officers) by reducing the risk of penalties.
The Controller's own email address is processed under Article 6(1)(b) UK GDPR (performance of a contract) to deliver the service the Controller has subscribed to.
5. Sub-processors
The Processor engages the following sub-processors. All international transfers are covered by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office or an equivalent UK transfer mechanism.
| Sub-processor | Purpose | Country | Transfer safeguard |
|---|---|---|---|
| Railway | Application hosting and managed database | USA | SCCs |
| Resend | Transactional email delivery | USA | SCCs |
| Stripe | Payment processing and subscription management | USA | SCCs |
| Companies House API | Public company data retrieval (read-only) | UK | UK public register — no transfer |
| Sentry | Error monitoring and crash reporting | USA | SCCs |
The Processor will notify the Controller of any intended changes to sub-processors with reasonable notice, giving the Controller the opportunity to object.
6. Data retention
- Account data (email address, company numbers): deactivated immediately on account deletion and permanently erased within 90 days of account deletion. See our Privacy Notice for the lawful basis and immediate erasure request process.
- Filing-deadline snapshots (Companies House data retrieved during monitoring): retained for 12 months for audit trail purposes, then permanently deleted.
- Payment records: retained by Stripe in accordance with their own data-retention policy and applicable financial regulations.
7. Security measures
The Processor implements the following technical and organisational measures:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher.
- Encryption at rest: The database is hosted on Railway's managed PostgreSQL service, which encrypts data at rest.
- Access control: No routine human access to personal data. Administrative access is limited to the sole operator and protected by strong authentication.
- Incident response: In the event of a personal data breach, the Processor will notify the Controller without undue delay and, where required by UK GDPR, report to the ICO within 72 hours.
8. Data subject rights
The Processor will assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) within 7 days of receiving the request.
Data subjects or Controllers may submit rights requests to: privacy@penaltyproof.co.uk
Account holders may exercise their right to erasure directly at /delete-account at any time.
9. Governing law
This agreement is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
This agreement is subject to UK GDPR and the Data Protection Act 2018. The Processor is registered with the Information Commissioner's Office (ICO) under registration reference ZC142025.
© 2026 PenaltyProof
Chavannes Ltd · Registered in England and Wales · Company No. 17198260 · Registered office: Unit A, 82 James Carter Road, Mildenhall, IP28 7DE