Data Processing Addendum

Effective: March 2026

This Data Processing Addendum ("DPA") supplements the Cledo Terms of Service and applies to the processing of personal data by Cledo on behalf of the Customer.

1. Definitions

"Personal Data", "Processing", "Controller", and "Processor" have the meanings given in the UK GDPR. The Customer is the Controller. Cledo is the Processor.

2. Scope of processing

Cledo processes Personal Data solely to provide the accounting and compliance services described in the Terms of Service. Data categories include: user account details, company officer information (from public Companies House records), bank transaction data (via Open Banking), and HMRC filing data.

3. Sub-processors

  • MongoDB Atlas — Database hosting (AWS eu-west-1)
  • Google Cloud Platform — Application hosting (europe-north2)
  • TrueLayer — Open Banking connectivity (FCA-regulated)
  • Stripe — Payment processing

4. Security measures

Cledo implements AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and regular penetration testing. Sensitive fields (HMRC tokens, bank credentials) are encrypted at the application layer using a dedicated field-encryption key.

5. Data retention

Financial records are retained for 6 years from the end of the relevant accounting period (per HMRC requirements). Account data is deleted within 30 days of account closure upon request.

6. Contact

For DPA-related enquiries, email privacy@cledo.co.uk.