Data Processing Agreement

Last updated: June 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between Sodium Software Ltd ("Sodium", "Processor", "we", "us") and the customer identified in the applicable Order Form or subscription agreement ("Customer", "Controller"). It records the terms on which Sodium processes personal data on the Customer's behalf in the course of providing the Services.

Sodium Software Ltd is registered in the United Kingdom at Amelia House, Crescent Road, Worthing, West Sussex, BN11 1RL, United Kingdom (Company No. 16240788). Sodium is registered with the Information Commissioner's Office (ICO) under registration number ZB889809.

If there is any conflict between this DPA and the Terms of Service in relation to the processing of Personal Data, this DPA prevails to the extent of that conflict.

1. Definitions

In this DPA:

  • "Applicable Data Protection Law" means all laws applicable to the processing of Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR.
  • "UK GDPR" has the meaning given in section 3(10) of the Data Protection Act 2018.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Category Data" and "Sub-processor" have the meanings given in Applicable Data Protection Law.
  • "Services" means the software and related services provided by Sodium to the Customer under the Terms of Service.

2. Scope and Roles

2.1 The Customer appoints Sodium to process Personal Data on its behalf in connection with the provision of the Services.

2.2 The Customer acts as Controller and Sodium acts as Processor. Where the Customer is itself a processor acting on behalf of a third-party controller, the Customer warrants that it has authority to appoint Sodium as a sub-processor on the terms of this DPA.

2.3 The Customer determines the purposes and means of processing Personal Data, and Sodium processes Personal Data only on the Customer's documented instructions, including as set out in this DPA and the Terms of Service.

3. Customer Obligations

The Customer shall:

  • comply with Applicable Data Protection Law;
  • ensure that it has all necessary rights, consents, permissions and a valid lawful basis to enable Sodium to process Personal Data in accordance with this DPA;
  • ensure that its instructions to Sodium comply with Applicable Data Protection Law;
  • be responsible for the accuracy, quality and legality of the Personal Data it submits to the Services and the means by which it acquired that Personal Data.

4. Processor Obligations

Sodium shall:

  • process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do otherwise by UK or EU law to which Sodium is subject; in such a case, Sodium shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • inform the Customer without delay if, in Sodium's opinion, an instruction infringes Applicable Data Protection Law;
  • ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement and maintain the technical and organisational measures described in clause 5 (and Schedule 1) in accordance with Article 32 of the UK GDPR;
  • respect the conditions in clause 6 for engaging sub-processors;
  • notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data;
  • taking into account the nature of processing, assist the Customer as set out in clauses 8 and 9;
  • at the Customer's choice, delete or return Personal Data as set out in clause 12; and
  • make available to the Customer the information necessary to demonstrate compliance with this clause and Article 28 of the UK GDPR, as set out in clause 11.

5. Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Sodium shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including where appropriate:

  • access controls and authentication mechanisms;
  • encryption of data in transit using TLS;
  • encryption of data at rest where supported by the underlying infrastructure;
  • logging and monitoring of access to systems;
  • regular backup procedures;
  • vulnerability management and security patching processes;
  • role-based access controls for personnel; and
  • processes for regularly testing, assessing and evaluating the effectiveness of these measures.

Sodium may update its security measures from time to time provided that such updates do not materially reduce the overall level of security of the Services.

6. Sub-processors

6.1 The Customer provides Sodium with general written authorisation to engage sub-processors to assist in providing the Services. The sub-processors engaged at the date of this DPA are listed in Schedule 2.

6.2 Sodium shall, by written contract, impose on each sub-processor data protection obligations that are substantially equivalent to those set out in this DPA, in particular obligations to implement appropriate technical and organisational measures.

6.3 Where a sub-processor fails to fulfil its data protection obligations, Sodium remains fully liable to the Customer for the performance of that sub-processor's obligations.

6.4 Sodium shall maintain an up-to-date list of its sub-processors (Schedule 2 / this page). Sodium shall give the Customer at least 30 days' prior notice of any intended addition or replacement of a sub-processor (for example by updating this page or by email), thereby giving the Customer the opportunity to object. If the Customer reasonably objects on legitimate data protection grounds within that notice period, the parties shall work together in good faith to find a resolution; if no resolution is reached, the Customer may terminate the affected Services.

7. International Transfers

7.1 Sodium shall not transfer Personal Data outside the United Kingdom (or, where the EU GDPR applies, outside the EEA) unless appropriate safeguards are in place as required by Applicable Data Protection Law.

7.2 Such safeguards may include:

  • adequacy regulations or an adequacy decision;
  • the UK International Data Transfer Agreement (IDTA);
  • the UK Addendum to the EU Standard Contractual Clauses;
  • the EU Standard Contractual Clauses; or
  • other legally recognised transfer mechanisms.

7.3 Where a sub-processor listed in Schedule 2 processes Personal Data outside the United Kingdom, Sodium has put in place an appropriate transfer mechanism of the kind described above. Further details are available to the Customer on request.

8. Assistance

Taking into account the nature of the processing and the information available to Sodium, Sodium shall provide reasonable assistance to the Customer in relation to:

  • data subject rights requests;
  • data protection impact assessments;
  • prior consultations with supervisory authorities; and
  • the Customer's obligations to keep Personal Data secure and to notify Personal Data Breaches under Applicable Data Protection Law.

Sodium may charge reasonable fees for substantial assistance that falls outside the normal scope of the Services.

9. Data Subject Requests

If Sodium receives a request from a Data Subject relating to Customer Personal Data, Sodium shall:

  • notify the Customer promptly;
  • not respond directly to the Data Subject unless legally required to do so; and
  • provide reasonable assistance, including appropriate technical and organisational measures, to enable the Customer to respond to the request.

10. Personal Data Breaches

Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Sodium shall:

  • notify the Customer without undue delay;
  • provide available information regarding the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed; and
  • take reasonable steps to investigate, mitigate and remediate the breach.

Sodium's notification is not, and shall not be construed as, an acknowledgement of fault or liability.

11. Audits

11.1 Sodium shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

11.2 Any audit request must:

  • be reasonable in scope;
  • be conducted during normal business hours;
  • be subject to at least 30 days' prior written notice;
  • be subject to appropriate confidentiality obligations; and
  • not unreasonably interfere with Sodium's business operations.

11.3 Sodium may satisfy its audit obligations under this clause by providing security documentation, policies, certifications or independent (e.g. third-party) audit reports.

12. Return and Deletion of Data

On termination of the Services, and at the Customer's choice, Sodium shall:

  • make Customer data available for export where reasonably practicable; and
  • delete or return all Customer Personal Data and delete existing copies within a reasonable period following termination, unless retention is required by law or for legitimate backup and disaster recovery purposes (in which case Sodium shall continue to protect that data and process it only as necessary for those purposes).

Sodium shall, on written request, confirm to the Customer that it has complied with this clause.

13. Liability

The liability provisions contained within the Terms of Service apply to this DPA and are incorporated by reference.

14. Duration

This DPA shall remain in effect for as long as Sodium processes Personal Data on behalf of the Customer.

15. Contact

For any questions about this DPA or about how Sodium processes Personal Data, please contact us:

  • Email: hello@sodiumhq.com
  • Address: Amelia House, Crescent Road, Worthing, West Sussex, United Kingdom, BN11 1RL

Schedule 1 – Processing Details

Subject Matter

Provision of practice management, client management, workflow, document management, communication, compliance and related software services.

Nature and Purpose of Processing

Hosting, storage, organisation, retrieval, transmission, analysis and management of information necessary to provide the Services.

Categories of Data Subjects

  • Customer personnel
  • Customer's clients
  • Customer's prospects
  • Suppliers and contractors
  • Other individuals whose information is entered into the Services

Categories of Personal Data

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Company information
  • Identification information (including information used for anti-money-laundering and identity verification)
  • Communications and correspondence
  • User account information
  • Documents uploaded to the Services
  • Any other Personal Data submitted by the Customer

Special Category Data

The Customer may submit Special Category Data at its discretion. Sodium does not require or intentionally collect Special Category Data unless provided by the Customer, and processes any such data only as part of providing the Services.

Processing Duration

For the duration of the Customer's use of the Services and any applicable retention period following termination.

Schedule 2 – Sub-processors

Sodium engages the following sub-processors to help deliver the Services. Each is bound by written data protection terms substantially equivalent to those in this DPA.

Sub-processorPurposeProcessing location
Microsoft (Azure)Cloud hosting, infrastructure, data storage and platform telemetry / diagnosticsUnited Kingdom / EU
Auth0 (Okta, Inc.)User authentication and identity managementEU / USA
GoCardless LtdDirect Debit and subscription payment processingUnited Kingdom
Sentry (Functional Software, Inc.)Application error monitoring and diagnosticsUSA
Xama TechnologiesAnti-money-laundering (AML) and identity verificationUnited Kingdom

Statutory data source

Sodium retrieves company and officer information from Companies House (the UK statutory register) to provide the Services. Companies House acts as a separate controller of the public register data it makes available.

Customer-enabled integrations

The Services allow the Customer to connect its own third-party accounts — for example document storage (such as Microsoft OneDrive / SharePoint, Google Drive, Dropbox or Box) and accounting software (such as Xero, QuickBooks Online or FreeAgent). Where the Customer chooses to enable these integrations, Personal Data is transferred to or from those providers under the Customer's own agreement with them, and the Customer is responsible for that processing. These providers are not engaged by Sodium as sub-processors.