
Data Processing Agreement — Siensi Software

Last updated: 18 May 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Siensi Software ("Processor", "we", "us"), a trading name of Siensi Financial Solutions Limited. It sets out how we process personal data on your behalf in connection with your use of the Siensi Software practice management Service.

This DPA is incorporated by reference into the Terms of Service. By accepting the Terms, you accept this DPA.

1. Roles

  • You are the Data Controller of personal data you enter about your end clients.
  • We are the Data Processor and process such data only on your documented instructions.
  • Where we collect your own account information directly (your name, email, billing details), we act as a Data Controller for that limited purpose, as set out in our Privacy Policy.

2. Subject matter and duration

The subject matter of processing is the provision of the Siensi Software Service. The duration of processing is the duration of your subscription, plus any retention period specified in our Privacy Policy.

3. Nature and purpose of processing

We process personal data on your behalf for the purpose of:

  • Storing and displaying client and contact records you create
  • Calculating and tracking deadlines
  • Generating draft emails for sending to your clients (sent via your own SMTP)
  • Storing documents you upload (engagement letters, AML documents, etc.)
  • Backing up data for disaster recovery
  • Providing support when you request it

4. Categories of data and data subjects

Categories of data subjects | Categories of personal data
Your end clients (individuals and company officers) | Name, address, contact details, date of birth, NI number, UTR, identity documents, AML records, company numbers, engagement details
Your end clients' beneficial owners and directors | Name, address, date of birth, identity documents, AML records

5. Our obligations as Processor

We will:

  • Process personal data only on your documented instructions (which are set by your use of the Service in the ordinary course)
  • Ensure persons authorised to access the data are bound by confidentiality
  • Implement appropriate technical and organisational security measures (see Section 7)
  • Assist you in responding to data subject requests (access, deletion, etc.) where reasonably practicable
  • Notify you without undue delay of any personal data breach affecting your data
  • At your choice, delete or return your data at the end of the service relationship (subject to legal retention requirements)
  • Make available all information necessary to demonstrate compliance with our obligations

6. Sub-processors

You authorise us to engage sub-processors to deliver the Service. Our current sub-processors are:

Sub-processor | Purpose | Location
Supabase Inc. | Database hosting, authentication | EU (Ireland)
Netlify, Inc. | Application hosting, edge functions | EU/US
livemail.co.uk (Heart Internet) | Outbound transactional email (auth) | UK

Where data is processed outside the UK or EU, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses or adequacy decisions).

We will give you at least 30 days' notice of any change to our sub-processors. If you object, you may terminate the agreement before the change takes effect.

7. Security measures

We implement the following technical and organisational measures:

  • HTTPS/TLS encryption in transit
  • Encryption of data at rest at the database level
  • Row-level security (RLS) ensuring strict isolation between Customer practices
  • Strong authentication (JWT tokens, hashed passwords via Supabase Auth)
  • Access controls limiting employee access to data on a need-to-know basis
  • Audit logging of admin access
  • Regular automated backups with retention
  • Vulnerability monitoring and patching

8. Data breaches

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours where feasible. Our notice will include the nature of the breach, categories of data subjects affected, likely consequences, and steps taken to mitigate.

9. Data subject requests

If we receive a request directly from one of your end clients (a data subject), we will forward the request to you and not respond directly, except to acknowledge receipt and refer them to you.

We will provide reasonable assistance to help you respond to such requests. Most data is accessible directly via your account using the built-in export feature.

10. Audits

Upon reasonable written notice, we will provide reasonable information necessary to demonstrate our compliance with this DPA. Where Customer requires more extensive audits, we may charge reasonable costs.

11. International transfers

Where personal data is transferred outside the UK or EU, we rely on:

  • Adequacy decisions of the European Commission or UK Government, where available
  • Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum

12. Termination and return of data

On termination of your subscription, you may export all your data using the built-in backup feature. We will retain your data for 90 days post-termination to allow reactivation, then delete it permanently. Backups containing deleted data may persist for up to 30 days before being purged.

13. Liability and indemnification

Liability under this DPA is subject to the limitations set out in the main Terms of Service.

14. Contact

For any data processing queries:

  • Email: support@siensi.co.uk
  • Post: Siensi Software, c/o Siensi Financial Solutions Limited, 167-169 Great Portland Street, London, England, W1W 5PF
©Copyright Siensi Software, a trading name of Siensi Financial Solutions Limited. All rights reserved.