Data Processing Agreement

Version 1.0 — Last updated: February 2026

UK GDPR Article 28 — Template for Business Customers

1. Parties

This Data Processing Agreement ("DPA") is entered between the Customer ("Data Controller") and Glitches in Matrix Limited ("Data Processor"), together "the Parties".

2. Subject Matter & Duration

The Processor processes personal data on behalf of the Controller to provide the Glitrix service (invoice scanning, expense tracking, financial reporting). Processing continues for the duration of the service agreement.

3. Nature & Purpose of Processing

• Collection and storage of financial records (invoices, receipts, income data)
• AI-powered text and image extraction for data entry automation
• Categorisation, reporting, and audit trail maintenance
• User authentication and access control

4. Categories of Data Subjects

• Employees and contractors of the Controller
• Customers and suppliers of the Controller (names appearing on invoices)

5. Types of Personal Data

• Names, email addresses, organisation names
• Financial data: invoice amounts, vendor names, dates, categories
• Document images (receipts, invoices)
• Authentication data: login timestamps, MFA status

6. Processor Obligations

The Processor shall:

• Process data only on documented instructions from the Controller
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures (see Security Practices)
• Engage sub-processors only with prior written consent and equivalent contractual obligations
• Assist the Controller in responding to data subject rights requests
• Delete or return all personal data upon termination, subject to legal retention requirements
• Make available all information necessary to demonstrate compliance
• Allow and contribute to audits conducted by the Controller or an appointed auditor

7. Sub-processors

The current list of authorised sub-processors, including their identity, location, and function, will be provided to the Controller upon request or upon execution of this DPA. The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.

8. International Transfers

Transfers outside the UK are protected by UK International Data Transfer Agreements (IDTAs) approved by the Information Commissioner's Office (ICO).

9. Security Measures

As detailed in our Security Practices page: Encryption in transit and at rest, multi-factor authentication, role-based access control, database-level data isolation, cryptographic audit trail, content security policy headers, and rate limiting.

10. Breach Notification

The Processor shall notify the Controller without undue delay (and within 72 hours) of becoming aware of a personal data breach, providing details of the nature, categories affected, likely consequences, and remedial measures.

11. Contact

For DPA enquiries: [email protected]

To request a signed copy of this DPA, contact [email protected] with your company details.