Data Processing Addendum
Spread Software Limited
Last updated: 27 May 2026 | Version 2.0
This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between Spread Software Limited ("Processor") and the Customer ("Controller"). It governs all processing of personal data carried out by Spread on behalf of the Customer in connection with the Service.
DPA 1. PARTIES AND ROLES
1.1 For the purposes of applicable data protection legislation, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018:
(a) the Customer acts as the Data Controller, determining the purposes and means of personal data processing; and
(b) Spread Software Limited acts as the Data Processor, processing personal data on behalf of the Customer solely in accordance with documented instructions.
1.2 Both parties commit to complying with their respective obligations under applicable data protection law in connection with the Service.
DPA 2. SUBJECT MATTER AND DURATION
2.1 Spread will process personal data on behalf of the Customer for the purpose of providing the Service, including:
(a) automated processing of accounting transactions, invoices, and financial records;
(b) generation and posting of accounting journal entries to connected Accounting Software;
(c) management of accruals, prepayments, deferred revenue, and recurring billing workflows;
(d) storage, retrieval, and synchronisation of Data between the Service and connected Accounting Software;
(e) provision of reporting, reconciliation, and audit trail functionality;
(f) support, maintenance, and improvement of the Service.
2.2 Processing under this DPA shall commence on the date the Customer first accesses the Service and shall continue for the duration of the Subscription and any applicable retention period thereafter.
DPA 3. NATURE OF PERSONAL DATA PROCESSED
3.1 The categories of personal data processed under this DPA may include:
(a) Identity data: names, job titles, and business roles of Users and contacts appearing in accounting records;
(b) Contact data: email addresses, telephone numbers, and business addresses;
(c) Financial data: invoice references, transaction amounts, supplier and customer names, bank account references, and accounting codes;
(d) Usage metadata: login activity, feature usage, audit logs, and IP addresses;
(e) Any other personal data contained within documents, invoices, or records uploaded to or processed through the Service.
3.2 The data subjects whose personal data may be processed include:
(a) Users and administrators of the Service;
(b) Employees, contractors, and representatives of the Customer;
(c) Customers, suppliers, and counterparties of the Customer whose information appears in financial records processed through the Service.
3.3 Spread does not knowingly process special category data or criminal offence data through the Service. Customers must not submit such data unless separately agreed in writing with Spread.
DPA 4. PROCESSOR OBLIGATIONS
4.1 Instruction-based processing. Spread shall process personal data only on documented instructions from the Customer. Where Spread is required to process data for another purpose by applicable law, Spread shall notify the Customer before processing unless prohibited from doing so by law.
4.2 Confidentiality. Spread shall ensure that all personnel authorised to process personal data are subject to binding obligations of confidentiality and are trained on applicable data protection requirements.
4.3 Security. Spread shall implement and maintain appropriate technical and organisational security measures to protect personal data. These measures shall include, at minimum:
(a) encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
(b) role-based access controls and the principle of least privilege;
(c) multi-factor authentication for internal administrative access;
(d) regular vulnerability assessments and penetration testing;
(e) incident response procedures and documented security policies;
(f) audit logging of access to personal data.
4.4 Data Subject Rights. Spread shall provide commercially reasonable assistance to the Customer in responding to requests from data subjects to exercise their rights under applicable data protection law, including rights of access, erasure, restriction, portability, and objection.
4.5 Data Protection Impact Assessments. Spread shall provide reasonable assistance to the Customer in carrying out any data protection impact assessment or consultation with a supervisory authority where required under applicable law.
4.6 Breach Notification. Spread shall notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Customer's personal data. Such notification shall include, where available: the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed.
4.7 Deletion and Return. On termination of the Subscription or upon written request, Spread shall, at the Customer's election, either return or securely delete all personal data processed on the Customer's behalf and certify in writing that it has done so, unless retention is required by applicable law.
4.8 Authorised Account Access. As described in clause 10 of the Terms and Conditions, Spread may access Customer accounts using internal staff access tools for the purposes of support, onboarding, quality assurance, and other permitted purposes. All such access constitutes processing of personal data under this DPA. Spread confirms that:
(a) such access is carried out exclusively by authorised personnel subject to binding confidentiality obligations;
(b) data observed during access will not be used for any purpose beyond those specified in clause 10.2 of the Terms and Conditions;
(c) such access is carried out in accordance with the principle of data minimisation — Spread personnel will only review the data necessary to fulfil the stated purpose of each access event.
DPA 5. SUB-PROCESSORS
5.1 The Customer grants general authorisation for Spread to engage sub-processors for the provision of the Service, provided that Spread:
(a) enters into a written agreement with each sub-processor imposing equivalent data protection obligations;
(b) remains fully liable to the Customer for the acts and omissions of its sub-processors; and
(c) maintains and makes available to the Customer upon request an up-to-date list of sub-processors.
5.2 Spread's current sub-processors include cloud infrastructure, hosting, database, and email delivery providers. A current list is available at spread.finance/sub-processors or on written request to privacy@spread.finance.
5.3 Spread will provide the Customer with at least 14 days' prior notice of any intended addition or replacement of sub-processors. If the Customer reasonably objects on legitimate data protection grounds and the objection cannot be resolved, the Customer may terminate their Subscription on 30 days' written notice without penalty.
DPA 6. INTERNATIONAL DATA TRANSFERS
6.1 Spread shall not transfer personal data outside the UK or EEA without ensuring that appropriate safeguards are in place in accordance with UK GDPR, including UK Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms.
6.2 Where sub-processors process personal data outside the UK or EEA, Spread shall ensure equivalent transfer safeguards are in place and documented.
DPA 7. AUDIT RIGHTS
7.1 The Customer may, on reasonable written notice and no more than once per calendar year, audit Spread's compliance with this DPA, or request a written summary of relevant security certifications, penetration test outcomes, or internal audit reports (subject to appropriate confidentiality obligations).
7.2 Audit costs shall be borne by the Customer unless the audit reveals a material breach of this DPA, in which case Spread shall bear its own reasonable costs.
DPA 8. CONTROLLER OBLIGATIONS
8.1 The Customer warrants that:
(a) it has a lawful basis for all personal data it submits to or processes through the Service;
(b) it has provided all required privacy notices to data subjects whose personal data is processed through the Service;
(c) it will only submit personal data that is necessary for the purposes of using the Service; and
(d) it has appropriate technical and organisational measures in its own systems to protect personal data.
8.2 The Customer shall promptly inform Spread of any instruction that, in the Customer's reasonable opinion, would cause Spread to breach applicable data protection law.
DPA 9. GOVERNING LAW
9.1 This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the English courts.
9.2 In the event of any conflict between this DPA and the Terms and Conditions with respect to data protection matters, this DPA shall prevail.
---
Spread Software Limited | Company No. 16564312
The Coach House, 5 West Street, Leighton Buzzard, LU7 1DA
hello@spread.finance | spread.finance
