Last updated: 12 May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer (the accountancy practice, "Controller") and FirmBooks ("Processor") and applies whenever FirmBooks processes personal data on behalf of the Controller.
The Controller determines the purposes and means of processing. FirmBooks acts as Processor and processes personal data only on the documented instructions of the Controller.
Subject matter: bookkeeping, VAT returns, MTD submissions and year-end accounts services.
Duration: for the term of the services plus the retention period set out in our Privacy Policy.
Processing of accounting source data to produce deliverables instructed by the Controller.
Subjects: the Controller's clients, their employees, suppliers and customers.
Data: name, address, contact details, bank/transaction data, payroll data where supplied, and any further personal data within the source documents uploaded.
The Controller authorises FirmBooks to engage sub-processors listed in our Privacy Policy. FirmBooks will impose equivalent data protection obligations on each sub-processor and remains liable for their performance.
All accounting work is delivered by FirmBooks' in-house, UK-based team. Where any personal data is transferred outside the UK/EEA via a sub-processor (e.g. cloud infrastructure), FirmBooks will rely on the UK IDTA and/or EU Standard Contractual Clauses, together with supplementary measures.
FirmBooks will make available to the Controller all information necessary to demonstrate compliance and allow for audits, including inspections, on reasonable notice.
This DPA is governed by the laws of England and Wales. Liability is as set out in the main services agreement.
For a counter-signed copy of this DPA, email hello@firmbooks.co.uk.