Data Processing Agreement
Last updated: March 2026 — TP Commercial Finance Ltd
Important Notice
This Data Processing Agreement (“DPA”) is incorporated by reference into the Terms & Conditions governing your use of the Loan Intel Platform. It applies where TP Commercial Finance Ltd processes personal data on behalf of your organisation in connection with the Platform services.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here shall have the meanings given to them in the Terms & Conditions or under applicable Data Protection Legislation.
- “Controller” means the natural or legal person who determines the purposes and means of processing personal data.
- “Processor” means a natural or legal person who processes personal data on behalf of the Controller.
- “Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018, and any other applicable data protection laws as amended from time to time.
- “Personal Data” has the meaning given in the UK GDPR — any information relating to an identified or identifiable natural person.
- “Processing” has the meaning given in the UK GDPR and includes any operation performed on personal data.
- “Sub-processor” means any processor engaged by TPCF to process personal data on behalf of the Controller.
- “Security Incident” means any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
2. Roles of the Parties
For the purposes of this DPA and in respect of any personal data processed in connection with the Platform:
- Your organisation (the “Lender”) acts as the Controller in respect of personal data relating to your employees, Authorised Users, and any personal data you submit or configure through the Platform.
- TP Commercial Finance Ltd acts as the Processor in respect of personal data processed on your behalf in connection with providing the Platform services.
Each party acknowledges that, in respect of the aggregated cross-lender intelligence functionality of the Platform, TPCF may act as an independent Controller of anonymised and aggregate data sets that do not relate to identifiable natural persons.
3. Processing Details
Nature and Purpose of Processing
TPCF processes personal data on the Controller's behalf for the purpose of providing the Platform services described in the Terms & Conditions, including account management, authentication, access control, support services, and the processing of data submitted by Authorised Users.
Categories of Data Subjects
- Authorised Users of the Controller's account (employees, contractors)
- Individuals whose contact details are submitted in connection with support requests or billing
Categories of Personal Data
- Identity data: name, job title
- Contact data: business email address, telephone number
- Authentication data: hashed passwords, MFA tokens
- Usage data: login timestamps, IP addresses, in-platform activity
Duration
Processing continues for the duration of the subscription agreement and for such period thereafter as is necessary to comply with legal obligations or resolve disputes, in accordance with the retention periods set out in the Privacy Policy.
4. Controller Obligations
The Controller represents and warrants that:
- It has a valid lawful basis under Data Protection Legislation for all personal data submitted to the Platform
- Where consent is the lawful basis, it has obtained and documented appropriate consents from data subjects
- It has provided data subjects with all required notices and information about processing carried out by TPCF on its behalf
- Its instructions to TPCF comply with Data Protection Legislation
5. Processor Obligations
TPCF, as Processor, shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law
- Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in Section 8 of this DPA
- Assist the Controller in meeting its obligations to respond to data subject rights requests, insofar as this is technically feasible
- Notify the Controller without undue delay upon becoming aware of a Security Incident affecting the Controller's personal data
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
- Delete or return all personal data on termination of the agreement as set out in Section 9 of this DPA
6. Sub-processors
The Controller grants TPCF general authorisation to engage sub-processors. TPCF shall inform the Controller of any intended changes to sub-processors by updating this DPA with at least 14 days' notice, providing the Controller with an opportunity to object. Current approved sub-processors include:
| Sub-processor | Location | Purpose |
|---|---|---|
| Cloud Hosting Provider | United Kingdom | Infrastructure hosting and data storage |
| Stripe | UK / EEA | Payment processing and billing |
| Email Service Provider | UK / EEA | Transactional and notification emails |
TPCF imposes data protection obligations on each sub-processor that are substantially equivalent to those in this DPA. TPCF remains fully liable to the Controller for the acts and omissions of sub-processors.
7. International Data Transfers
All personal data processed under this DPA is stored and processed within the United Kingdom. TPCF will not transfer personal data to a country outside the UK or EEA without the prior written consent of the Controller and without ensuring that an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
8. Security Measures
TPCF implements the following technical and organisational measures to protect personal data:
- 256-bit AES encryption of all data at rest
- TLS 1.3 encryption for all data in transit
- Role-based access control limiting data access to authorised personnel only
- Multi-factor authentication enforced for all administrative accounts
- Immutable audit logging of all data access and configuration changes
- Regular vulnerability scanning and independent penetration testing
- Business continuity and disaster recovery procedures with tested recovery time objectives
- Staff training on data protection and security awareness
- Incident response procedures meeting the ICO's 72-hour breach notification requirement
9. Audit Rights
The Controller may, upon giving not less than 30 days' written notice, request an audit of TPCF's data processing activities to verify compliance with this DPA. Audits shall be conducted during normal business hours, at the Controller's cost, and in a manner that minimises disruption to TPCF's operations. TPCF may satisfy audit requests by providing current third-party audit reports or certifications where available.
10. Deletion on Termination
Upon termination or expiry of the subscription agreement, TPCF shall, at the Controller's election:
- Delete all personal data processed under this DPA within 30 days of the termination date; or
- Return all personal data to the Controller in a structured, commonly used, machine-readable format, and thereafter delete all copies held by TPCF
TPCF shall provide written confirmation of deletion to the Controller. TPCF may retain personal data beyond this period only to the extent required by applicable law, and shall inform the Controller of any such retention.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Contact
For questions about this DPA, data subject rights requests, or to exercise your rights under Data Protection Legislation, please contact: