Data processing terms between Paylists and business users where Paylists processes personal data on behalf of those business users.
This addendum supplements the User Agreement, Privacy Policy, Subprocessor List, Retention Schedule, Security Measures and Peppol Country Availability List.
1.1 This Data Processing Addendum ("DPA") forms part of the Paylists User Agreement between Paylists LTD ("Paylists", "we", "us" or "our") and the business, organisation or professional user that accepts the User Agreement or uses the Services ("Customer", "you" or "your").
1.2 This DPA applies only where Paylists processes Personal Data on behalf of Customer as a Processor in connection with the Services. It does not apply where Paylists acts as a Controller for its own purposes, which are described in the Paylists Privacy Policy.
1.3 The Services are provided for business and professional use only. They are not intended for consumers or for personal, family or household use.
| Term | Meaning |
|---|---|
| Agreement | The Paylists User Agreement between Paylists and Customer. |
| Applicable Data Protection Laws | All applicable laws and regulations relating to the processing, privacy and security of personal data, including the UK GDPR, the Data Protection Act 2018, Regulation (EU) 2016/679 (EU GDPR), Directive 2002/58/EC and applicable national laws implementing or supplementing them. |
| Controller | Has the meaning given under Applicable Data Protection Laws. |
| Processor | Has the meaning given under Applicable Data Protection Laws. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Customer Personal Data | Personal Data processed by Paylists on behalf of Customer in connection with the Services. |
| Data Subject | An identified or identifiable natural person whose Personal Data is processed. |
| Subprocessor | A third party engaged by Paylists to process Customer Personal Data on behalf of Paylists in connection with the Services. |
| Flowin | The e-invoicing product of Codabox used by Paylists as a third-party service to support Peppol onboarding, KYC/proof-of-ownership or authority verification where applicable, Peppol registration and the sending and receiving of e-invoices and credit notes through the Peppol network. |
| Codabox | Wolters Kluwer Belgium NV, providing or operating Flowin, or a relevant affiliate or successor provider of Flowin. |
| Peppol | The secure, standardised network and framework that enables businesses and public bodies to exchange electronic documents, including e-invoices and credit notes. |
| AI Services | Optional AI-assisted cash-flow insights or related outputs provided using third-party AI service providers, including OpenAI, where enabled or consented to by Customer. |
3.1 For Customer Personal Data, Customer is the Controller and Paylists is the Processor, unless the Privacy Policy, Agreement or the nature of a specific processing activity states otherwise.
3.2 Customer is responsible for determining the purposes and lawful basis for processing Customer Personal Data, including Personal Data contained in customer/vendor records, invoices, credit notes, bills, payment requests, attachments, communications and Peppol e-invoicing data.
3.3 Paylists acts as Controller where it processes Personal Data for its own business purposes, including account administration, billing, security, fraud prevention, compliance, support, service improvement, legal claims, DataRep representative management and ROPA compliance.
3.4 Where a processing activity includes both Controller and Processor elements, the parties will apply this DPA only to the Processor element.
4.1 Customer instructs Paylists to process Customer Personal Data as necessary to provide the Services, comply with the Agreement, provide support, maintain security, use approved Subprocessors, and comply with Applicable Data Protection Laws.
4.2 Customer instructions include the processing described in Appendix 1. Customer may provide additional written instructions, provided they are consistent with the Agreement, this DPA and the technical operation of the Services.
4.3 Paylists will inform Customer if, in Paylists' reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited from doing so by law.
4.4 Paylists is not required to follow instructions that would require Paylists to breach law, compromise the security or integrity of the Services, violate third-party provider terms, or process data outside the scope of the Services.
Customer is responsible for:
Paylists will:
7.1 Paylists will implement appropriate technical and organisational measures designed to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
7.2 The current security measures are summarised in Appendix 2 and may be updated from time to time, provided that updates do not materially reduce the overall level of protection for Customer Personal Data.
7.3 Customer is responsible for securely configuring its Account, managing authorised users, protecting credentials, using appropriate internal access controls and promptly notifying Paylists of suspected unauthorised access.
8.1 Customer authorises Paylists to use Subprocessors to provide the Services. The current Subprocessor List is set out in Appendix 3 and may also be published or updated separately by Paylists.
8.2 Paylists will impose data protection obligations on each Subprocessor that are appropriate for the nature of the services provided and substantially protective of Customer Personal Data.
8.3 Paylists may add, replace or remove Subprocessors. Where required by Applicable Data Protection Laws, Paylists will provide notice of material Subprocessor changes and allow Customer to object on reasonable data protection grounds within a reasonable period stated in the notice.
8.4 If Customer reasonably objects to a new Subprocessor and Paylists cannot provide the Services without that Subprocessor or offer a commercially reasonable alternative, either party may terminate the affected Services in accordance with the Agreement.
8.5 DataRep is Paylists' EU representative for data protection purposes and may receive and forward data protection requests and related communications. DataRep is not Paylists' Data Protection Officer and is not a product-support contact.
9.1 Paylists is established in the United Kingdom. Customer Personal Data may be processed in the United Kingdom, the European Economic Area and other countries where Paylists or its Subprocessors operate.
9.2 Where Customer Personal Data is transferred from the EEA to the United Kingdom, Paylists may rely on the European Commission adequacy decision for the United Kingdom where applicable. Where Customer Personal Data is transferred from the United Kingdom to the EEA, Paylists may rely on UK adequacy regulations for the EEA where applicable.
9.3 Where Customer Personal Data is transferred to a country that is not subject to an applicable adequacy decision or adequacy regulation, Paylists will use an appropriate transfer mechanism, such as the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful mechanism.
9.4 Customer authorises Paylists and its Subprocessors to make such transfers as necessary to provide the Services, subject to the safeguards described in this DPA.
10.1 If Paylists receives a request from a Data Subject relating to Customer Personal Data for which Customer is Controller, Paylists will, where legally permitted, either direct the Data Subject to Customer or notify Customer of the request.
10.2 Paylists will provide reasonable assistance to Customer to respond to Data Subject requests, taking into account the nature of the processing and the information available to Paylists.
10.3 Where DataRep receives a data protection request or communication on Paylists' behalf, Paylists remains responsible for responding to the request where Paylists is required to do so. Customer remains responsible where the request relates to Customer's own Controller obligations.
11.1 Paylists will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data processed by Paylists as Processor.
11.2 The notification will include information reasonably available to Paylists to assist Customer in meeting any breach notification obligations. Paylists may provide information in phases as it becomes available.
11.3 Customer is responsible for determining whether a breach must be notified to a supervisory authority or Data Subjects where Customer is Controller.
12.1 Upon termination or expiry of the Services, Paylists will delete or return Customer Personal Data in accordance with the Agreement, the Privacy Policy, the Retention Schedule and Applicable Data Protection Laws.
12.2 Paylists may retain Customer Personal Data where required or permitted by law, including for legal claims, fraud prevention, security, compliance, accounting, Peppol registration, dispute resolution, backup integrity and business records.
12.3 Backup copies may remain in secure backup systems until overwritten or deleted in accordance with Paylists' backup lifecycle.
13.1 Paylists will make available information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, Subprocessor information, retention information, transfer information and other relevant documentation.
13.2 Any audit must be subject to reasonable notice, confidentiality, security controls, limitations on access to other customers' data, and agreement on scope, timing and method. Paylists may satisfy audit requests by providing third-party reports, certifications, questionnaires or written responses where reasonable.
13.3 Paylists may refuse or limit audit activities that would compromise security, confidentiality, availability, third-party obligations or the rights of other users.
14.1 Where Customer enables Peppol e-invoicing functionality, Customer instructs Paylists to collect, store, process and share the relevant Customer Personal Data with Flowin, Codabox, Peppol access points and related service providers as necessary for Peppol onboarding, Flowin/Codabox KYC or verification, Peppol registration and the sending and receiving of e-invoices and credit notes through the Peppol network. Flowin/Codabox, and not Paylists, may perform KYC, proof-of-ownership, authority, business verification or other onboarding checks required for Peppol registration and use.
14.2 Customer is responsible for ensuring that Peppol onboarding information, proof of ownership or authority, invoice content, tax information, VAT treatment, invoice numbering and retention comply with applicable law.
14.3 Paylists and Flowin are not intended to be Customer's legal invoice archive. Customer is responsible for downloading, storing and retaining invoices, credit notes, bills and related records for the period required by applicable accounting, tax and business laws.
14.4 Peppol functionality may be suspended or restricted where required by Flowin, Codabox, Peppol, a Peppol access point, a regulator, a competent authority, or where Paylists reasonably considers that continued use may create legal, fraud, security, AML, sanctions, GDPR or compliance risk.
15.1 Where Customer enables or consents to optional AI-assisted cash-flow insights, Customer instructs Paylists to process the relevant Customer Personal Data and to share minimised, aggregated, anonymised or pseudonymised data with third-party AI service providers where reasonably possible.
15.2 Paylists does not intend to send names of users, businesses, customers or vendors to the AI service provider for this feature. Paylists may use internal random identifiers so results can be matched back inside Paylists.
15.3 Because Paylists may be able to match identifiers back to businesses, customers or vendors within Paylists, this data should be treated as pseudonymised data rather than fully anonymous data unless Paylists confirms otherwise.
15.4 AI-generated outputs are provided for information only and do not constitute financial, accounting, tax, legal or professional advice.
Customer must not upload, submit or include in the Services any special categories of personal data, including health data, biometric data, religious or political information, trade union membership, sexual orientation or other sensitive personal data, unless Paylists has expressly agreed in writing and Customer has a valid lawful basis to do so.
If there is a conflict between this DPA and the Agreement, this DPA will prevail only in relation to the processing of Customer Personal Data by Paylists as Processor. The Agreement will prevail for all other matters.
If the EU Standard Contractual Clauses, UK International Data Transfer Agreement, UK Addendum or another mandatory transfer mechanism applies and conflicts with this DPA, the applicable transfer mechanism will prevail to the extent of the conflict.
Paylists may update this DPA from time to time to reflect changes to the Services, Applicable Data Protection Laws, Subprocessors, transfer mechanisms or security practices. Paylists will provide notice of material changes where required by law or the Agreement.
Questions about this DPA should be sent to privacy@paylists.com.
| Item | Details |
|---|---|
| Subject matter | Provision of the Paylists B2B SaaS platform, including payment-request workflow, invoice and credit-note workflow, vendor/customer management, communications, Peppol e-invoicing via Flowin, optional AI-assisted cash-flow insights, support, security and related services. |
| Duration | For the term of the Agreement and thereafter as required or permitted by the Agreement, this DPA, the Privacy Policy, the Retention Schedule and Applicable Data Protection Laws. |
| Nature of processing | Collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, disclosure to Subprocessors, restriction, deletion, audit logging and other processing necessary to provide the Services. |
| Purposes | Account and business setup, customer/vendor records, payment requests, invoices, credit notes, bills, attachments, reminders, communications, Peppol registration and e-invoicing, optional AI cash-flow insights, support, security, fraud prevention, compliance and service operation. |
| Category | Examples |
|---|---|
| Customer authorised users | Business users, admins, authorised representatives, finance staff, support contacts. |
| Business contacts | Customer/vendor business contacts and representatives. |
| Peppol-related contacts | Contacts provided for Peppol registration, verification, proof of ownership/authority or technical delivery. |
| Communication participants | Individuals included in reminders, messages, support communications or invoice-related correspondence. |
| Category | Examples |
|---|---|
| Account and user data | Name, business email, business phone, role, login information, authentication metadata. |
| Business profile data | Business name, company number, registered address, contact details, authorised users, verification status. |
| Customer/vendor data | Business contact names, business emails, phone numbers, addresses, customer/vendor relationship data. |
| Invoice and payment workflow data | Invoice/credit-note/bill metadata, amounts, due dates, payment status, partial payment status, references, attachments and communications. |
| Peppol data | Company number, legal name, registered office, proof of ownership or authority, Peppol identifiers, document metadata, transmission status and technical logs. |
| AI feature data | Invoice amount, due date, payment/partial-payment status, pseudonymous identifiers and AI output where enabled. |
| Technical and security data | IP address, device/browser metadata, audit logs, access logs, event logs and security alerts. |
| Support data | Support tickets, emails, complaint content, troubleshooting information. |
| Control area | Measures |
|---|---|
| Access control | Role-based access controls; least privilege; admin access restricted to authorised personnel; access reviews where appropriate. |
| Authentication | Secure password requirements; multi-factor authentication for administrative access where available and appropriate. |
| Encryption and transmission | TLS/HTTPS for transmission of data through the Services; encryption at rest where supported by hosting/database providers. |
| Logging and monitoring | Audit logs for key account, business-profile, Peppol, AI consent and invoice/payment workflow events; monitoring for security and operational issues. |
| Data minimisation | Processing limited to data reasonably required to provide the Services; minimisation and pseudonymisation for AI features where reasonably possible. |
| Backup and resilience | Backups and recovery measures designed to protect service availability and data integrity, subject to backup lifecycle and deletion limits. |
| Supplier management | Use of selected service providers including AWS, Supabase, Vercel, Twilio, OpenAI, Flowin/Codabox and DataRep where applicable; contractual protections and appropriate transfer safeguards where required. |
| Incident response | Internal process for assessing, containing, investigating and notifying relevant parties of security incidents and Personal Data Breaches where required. |
| Confidentiality | Personnel and service providers are subject to confidentiality obligations appropriate to their role. |
| Segregation | Logical separation of customer data within the application and underlying providers where applicable. |
This list reflects the services Paylists expects to use. See the Subprocessor List for the current authoritative version.
| Provider | Purpose | Location / transfer notes |
|---|---|---|
| AWS (Amazon Web Services) | Hosting and server infrastructure. | London, United Kingdom. Paylists will assess transfer safeguards if the processing location changes or if processing outside the UK/EEA becomes necessary. |
| Supabase | Managed PostgreSQL database, backend and authentication services where used, hosted on AWS infrastructure. | London, United Kingdom. Paylists will assess transfer safeguards if the processing location changes or if processing outside the UK/EEA becomes necessary. |
| Vercel | Hosting and delivery of the Paylists Next.js / TypeScript application layer. | London, United Kingdom. Paylists will assess transfer safeguards if the processing location changes or if processing outside the UK/EEA becomes necessary. |
| Twilio | Communications services such as email, SMS or authentication messages where used. | Provider locations depend on service; appropriate transfer safeguards where required. |
| OpenAI API platform | Optional AI-assisted cash-flow insights where enabled or consented to by Customer. | May involve transfers outside UK/EEA; appropriate transfer safeguards where required. |
| Wolters Kluwer Belgium NV / Codabox / Flowin | Peppol onboarding, KYC/proof-of-ownership or authority verification, Peppol registration and sending/receiving e-invoices and credit notes through the Peppol network. | Belgium/EU and related Peppol infrastructure; as described in Flowin documentation. |
| DataRep / Data Protection Representative Limited | EU representative services and receiving/forwarding data protection requests or communications where applicable. | Ireland/EU and UK as needed to forward requests to Paylists. |
Processing locations and transfer safeguards: Paylists records the regions and processing locations used by its Subprocessors. If a Subprocessor changes its processing location or begins processing Customer Personal Data outside the UK or EEA, Paylists will assess whether updates are needed to this DPA, the Subprocessor List, the Privacy Policy, the ROPA, and any applicable international transfer safeguards.
This summary should be read with the Paylists Data Retention Schedule. Paylists may retain data longer where required or permitted by law, including for legal claims, fraud prevention, security, compliance, accounting, Peppol registration, dispute resolution, backup integrity or business records.
| Data category | Indicative retention approach |
|---|---|
| Account and business profile data | For the life of the account and a reasonable period after closure for legal, security, compliance and dispute purposes. |
| Business-profile change logs | Retained for audit, fraud prevention, dispute resolution, Peppol registration and compliance purposes according to the Retention Schedule. |
| Invoice/payment workflow data | Retained as needed to provide the Services and comply with legal, accounting, tax, audit, dispute and compliance requirements. |
| Peppol/Flowin data | Retained as needed for Peppol onboarding, Flowin/Codabox KYC or verification, Peppol registration, delivery, support, legal, compliance and dispute purposes; Paylists and Flowin are not legal invoice archives. |
| AI feature consent and logs | Retained as evidence of consent/enablement and to support audit, troubleshooting and legal compliance. |
| Security logs | Retained for a limited period unless needed for investigation, fraud prevention, legal claims or compliance. |
| Backups | Retained according to backup lifecycle and overwritten/deleted in ordinary course. |
Peppol e-invoicing via Flowin is separate from general Paylists software availability. The United Kingdom may be supported for general Paylists features but is not currently a Flowin Supported Country unless Paylists confirms otherwise in writing. See the Peppol Country Availability List for the full table.