Data Processing Agreement
Article 28, UK GDPR — Controller ↔ Processor
Last updated: 6 July 2026
This Data Processing Agreement (“DPA”) forms part of, and is governed by, the Distil Terms of Service (the “Agreement”). Where you process the personal data of individuals (your clients, suppliers, and the people named on their documents) using Distil, you are the Controller and Distil (Haisem Ltd) is the Processor. Capitalised terms not defined here have the meaning given in the UK GDPR and the Data Protection Act 2018.
Parties
- Processor: Haisem Ltd (trading as Distil), company 16663146, 5 Isaacs Close, Poole, BH12 5HE, United Kingdom. Contact: info@haisem.co.uk.
- Controller: the customer entity that accepts the Agreement.
1. Subject matter & duration
Distil processes personal data on the Controller’s behalf to provide the Distil service (document ingestion, OCR/AI data extraction, categorisation, reconciliation, reporting, and — at the Controller’s election — HMRC filing and accounting-software publishing). Processing continues for the term of the Agreement and the retention period in Clause 9.
2. Nature & purpose, data types, data subjects
As set out in Distil’s Records of Processing Activities. In summary: financial document content and extracted fields (names, addresses, amounts, VAT numbers, dates, line items, bank transaction data); data subjects are the Controller’s clients and the individuals named on their documents. No special-category data is requested or required.
3. Processor obligations (Article 28(3)(a)–(h))
Distil shall:
- (a) Process personal data only on the Controller’s documented instructions (including the Agreement and in-product configuration), including for international transfers, unless required by UK law — in which case it will inform the Controller unless legally prohibited.
- (b) Ensure personnel authorised to process the data are bound by a duty of confidentiality.
- (c) Implement the technical and organisational measures in Annex A (Article 32).
- (d) Respect the conditions in Clause 4 for engaging another processor (sub-processors).
- (e) Assist the Controller, by appropriate technical and organisational measures and insofar as possible, to respond to data-subject rights requests (access, rectification, erasure, portability, objection, restriction).
- (f) Assist the Controller in ensuring compliance with its security, breach-notification, DPIA and prior-consultation obligations (Articles 32–36).
- (g) At the Controller’s choice, delete or return all personal data at the end of the services and delete existing copies, unless UK law (e.g. HMRC record-keeping) requires retention. Distil will also notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Controller’s data.
- (h) Make available all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, subject to reasonable notice and confidentiality.
4. Sub-processors
The Controller provides general authorisation for Distil to engage sub-processors to deliver the service. Distil imposes data-protection obligations on each sub-processor that are no less protective than this DPA, and remains liable for their performance. Distil will give the Controller reasonable prior notice of any intended addition or replacement of a sub-processor and a chance to object on reasonable data-protection grounds. Current sub-processors: AWS (S3, Textract), OpenAI, Supabase, Vercel, Stripe (billing only).
5. International transfers
Your documents are stored in the UK (AWS London, eu-west-2). Distil’s application database is hosted in the EU (Supabase, Paris, France, eu-west-3) under the UK’s data-adequacy regulations for the EEA, so no additional Article 46 safeguard is required for that transfer. Where personal data is transferred outside the UK/EEA to a sub-processor (e.g. OpenAI, Vercel or Stripe in the US), Distil relies on an appropriate Article 46 safeguard — the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU SCCs, or an equivalent mechanism — as reflected in each sub-processor’s own DPA.
6. Controller obligations
The Controller warrants it has a lawful basis to process the personal data it uploads, has provided any required privacy information to data subjects, and will issue only lawful instructions.
7. Liability & governing law
Liability is as set out in the Agreement. This DPA is governed by the laws of England and Wales.
Annex A — Technical & organisational measures (Article 32)
- TLS 1.2+ encryption in transit; AES-256 encryption at rest (document files); AES-256-GCM for integration tokens.
- Multi-tenant isolation: the primary control on the application path is application-layer practice scoping— every request resolves the caller’s practice and scopes all queries by
practice_id. This is backed at the database layer by row-level security policies and security-definer access functions for any direct database access. - Access control: authenticated, role-based; least-privilege infrastructure credentials; MFA available (TOTP).
- CSRF protection on all state-changing requests; signed, time-limited URLs for file access.
- Security audit logging of sensitive operations.
- Secure SDLC: dependency scanning, CI security pipeline, code review.
- Data minimisation to AI: only the fields needed for extraction/reconciliation are sent to our AI sub-processor; submissions are not used to train models; no document content is sent to analytics.
- Backups & resilience via managed infrastructure (Supabase, AWS).
Annex B — Sub-processor list
The current sub-processor list is maintained as part of Distil’s Records of Processing Activities and is available on request. See also Clause 4 above.
Acceptance
By accepting the Terms of Service at signup, the Controller accepts this DPA, which forms part of those Terms and governs Distil’s processing of personal data on the Controller’s behalf.