Data Processing Agreement — Version 1.0

March 2026  |  UK GDPR Article 28 Compliant


Data Processing Agreement

Between GOLDENPAYS LTD (Data Processor) and Client (Data Controller)

Effective Date: March 2026  | Basis: UK GDPR Article 28

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the GoldenGuide Terms of Service for all paid plan subscribers. It sets out the obligations of GOLDENPAYS LTD as a Data Processor when processing personal data on behalf of the Client as Data Controller, as required by UK GDPR Article 28.

1. Parties

Data Controller

The Client — the company or individual subscribing to GoldenGuide services, hereinafter “Controller”.

Data Processor

GOLDENPAYS LTD, registered in England and Wales (Companies House: 16227513), ICO Registration ZC107226, registered office at Office 12, Initial Business Centre, Wilson Business Park, Manchester, M40 8WN, hereinafter “Processor”.

2. Subject Matter and Duration

2.1 This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of GoldenGuide services.

2.2 This DPA remains in force for the duration of the service agreement and terminates upon deletion of all Client Personal Data as described in Section 8.

3. Nature and Purpose of Processing

3.1 The Processor shall process personal data solely for the purpose of providing the GoldenGuide AI knowledge platform, including:

  • Storing and indexing documents uploaded by the Controller
  • Processing employee queries through the AI chat interface
  • Generating analytics and audit logs as described in the service documentation
  • Providing integrations with third-party communication tools (Slack, Microsoft Teams, WhatsApp) as configured by the Controller

3.2 The Processor shall not process Client Personal Data for any other purpose, including training AI models.

4. Type of Personal Data

Personal data processed may include:

  • Employee names and email addresses
  • Job titles and department information
  • Chat conversation content and queries
  • System access logs and timestamps
  • Any personal data contained within documents uploaded by the Controller

5. Categories of Data Subjects

Employees, contractors, and other individuals whose data is uploaded to or generated within the GoldenGuide platform by the Controller.

6. Obligations of the Processor

The Processor shall:

6.1 Process personal data only on the documented instructions of the Controller.

6.2 Ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations.

6.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in our Security FAQ at app.goldenguide.uk/security-faq.

6.4 Not engage sub-processors without prior written authorisation of the Controller. Current sub-processors are listed in Section 7. The Controller hereby provides general authorisation for the sub-processors listed therein, subject to the conditions in Section 7.

6.5 Assist the Controller in responding to requests from data subjects exercising their rights under UK GDPR.

6.6 Notify the Controller without undue delay (and in any event within 24 hours) upon becoming aware of a personal data breach affecting Client Personal Data.

6.7 At the choice of the Controller, delete or return all personal data upon termination of services, and delete existing copies unless UK law requires storage.

6.8 Make available to the Controller all information necessary to demonstrate compliance with this Article, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.

7. Sub-Processors

7.1 Current approved sub-processors:

  • Google Cloud Platform | EU (Frankfurt, europe-west3) | Infrastructure, hosting, AI inference
  • Qdrant Cloud | EU (GCP europe-west3) | Vector database for AI search
  • OpenAI | US | AI language model (inference only). Standard Contractual Clauses apply. Client data is not used for model training.
  • Stripe | EU | Payment processing (billing data only)

7.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

8. Data Deletion

Upon termination of the service agreement, the Processor shall, within 30 days:

  • Delete all Client Personal Data from active systems
  • Delete all backup copies within the standard backup retention window
  • Provide a written confirmation of deletion upon request

9. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

10. Contact

GOLDENPAYS LTD

Office 12, Initial Business Centre, Wilson Business Park, Manchester, M40 8WN

DPA enquiries: enquiries@goldenpays.uk

Request a signed copy: enquiries@goldenpays.uk

ICO Registration: ZC107226