Skip to content
FirmPulse

Data Processing Agreement

Last updated: 28 June 2026

This Data Processing Agreement (DPA) forms part of the agreement between FirmPulse Ltd and the accountancy firm that uses FirmPulse. It sets out how FirmPulse processes personal data on the firm's behalf under UK data protection law. For any data-protection question, contact hello@firmpulse.co.uk.

1. Parties and roles

For the personal data a firm holds about its own clients and their officers, the Firm is the controller and FirmPulse is the processor. FirmPulse processes that personal data only on the Firm's documented instructions, including the instructions given through normal use of the platform, unless it is required to do otherwise by law.

FirmPulse is the controller of the limited personal data it holds about the Firm's own staff for account administration, billing and support. That processing is described in our Privacy Policy at https://firmpulse.co.uk/privacy.

2. Subject matter and duration

FirmPulse processes personal data to provide the platform: proposals and quoting, client take-on, anti-money-laundering and identity verification, task and deadline management, the client portal, billing, and related practice-management functions. Processing continues for the duration of the Firm's subscription and the limited periods described in section 11.

3. Categories of data subjects and personal data

Data subjects include the Firm's clients, their directors, persons with significant control, and other client contacts, together with the Firm's own staff who use the platform.

Personal data includes contact and identity details, company and officer information drawn from Companies House, identity-verification data collected for statutory checks, service and deadline records, communications, and billing information. The platform does not require special category data; identity-verification and AML data are handled as described in section 12.

4. FirmPulse obligations

  • Process personal data only on the Firm's documented instructions.
  • Ensure that people authorised to process the data are under a duty of confidence.
  • Apply appropriate technical and organisational security measures (section 6).
  • Engage sub-processors only as set out in section 5.
  • Assist the Firm with data subject requests and with its own compliance obligations (sections 7 and 8).
  • Notify the Firm without undue delay of any personal data breach (section 7).
  • Return or delete personal data at the end of the engagement (section 11).

5. Sub-processors

The Firm authorises FirmPulse to engage the sub-processors listed below to help provide the platform. Each is bound by data-protection terms no less protective than this DPA.

  • Neon: PostgreSQL database hosting. Data region: London, United Kingdom.
  • Vercel: application hosting and content delivery. United Kingdom and European regions where available; company based in the USA.
  • Stripe: payment processing through the Firm's own Stripe account. United Kingdom and USA.
  • Microsoft 365 (Microsoft Graph): sending the Firm's own client emails from the Firm's mailbox. United Kingdom and European regions.
  • Postmark: delivery of FirmPulse system emails, such as invite and account notifications. USA.
  • Companies House: official UK company and officer data from the public register. United Kingdom.
  • Identity-verification provider (Xama): Companies House identity verification for the Verify module. United Kingdom.
  • Sentry: error monitoring, where enabled. European and USA regions.
  • Google (Google Ads API): upload of completed, paid conversions to the Firm's own Google Ads account, only where the Firm enables this. USA.

We will give the Firm reasonable prior notice, at least 30 days where practical, before adding or replacing a sub-processor, so the Firm can object on reasonable data-protection grounds.

6. Security measures

FirmPulse applies technical and organisational measures appropriate to the risk, including: encryption of data in transit; access controls and least-privilege administration; strict per-firm data separation enforced at the database level (row-level security), so one firm cannot see another firm's data; audit logging; and regular review of access and dependencies.

7. Personal data breaches

FirmPulse will notify the Firm without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting the Firm's data, with the information the Firm reasonably needs to meet its own notification duties.

8. Data subject rights and assistance

Taking into account the nature of the processing, FirmPulse will assist the Firm, by appropriate technical and organisational measures, to respond to requests from data subjects exercising their rights, and to meet the Firm's obligations on security, breach notification, and data protection impact assessments.

9. International transfers

The Firm's data is primarily hosted in the United Kingdom. Where a sub-processor processes personal data outside the UK, FirmPulse relies on an approved transfer mechanism, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with any additional safeguards required.

10. Audit

FirmPulse will make available the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Firm or an auditor it mandates, on reasonable notice and subject to confidentiality.

11. Return and deletion of data

On termination, FirmPulse will, at the Firm's choice, return or delete the Firm's personal data within a reasonable period, and delete existing copies within 30 days unless storage is required by law. Data held in routine backups is purged on the normal backup cycle.

12. Identity-verification and AML data

Identity-verification data collected through the Verify module is processed to perform statutory Companies House identity checks. Where the Firm relies on these checks for its anti-money-laundering obligations, records are retained for the period required by the Money Laundering Regulations 2017, which is five years from the end of the business relationship, after which they are deleted unless the law requires otherwise.

13. Liability

Liability under this DPA is subject to the limitations and exclusions in the FirmPulse Terms of Service at https://firmpulse.co.uk/terms.

14. Changes and contact

We may update this DPA from time to time; material changes will be notified to the Firm. For any data-protection question, or to exercise audit rights, contact hello@firmpulse.co.uk. FirmPulse's ICO registration: to follow.

FirmPulse Ltd
C/O 3DOM.UK Accountants Ltd
Second Floor
61 Hamilton Square
Birkenhead
Merseyside
CH41 5AT