Data Processing Agreement

Last updated: 1 July 2026

This document was last updated on 1 July 2026 and is subject to change. Please check back regularly.
How this DPA works: When you create a PayMyReps account and tick the DPA checkbox, you enter into this Data Processing Agreement with us. No physical signature is required — your electronic acceptance (timestamped against your account) constitutes a binding agreement. If you require a countersigned PDF for your own records, use the Download PDF button above and return the signed copy to support@paymyreps.com.

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • You (the organisation that has created a PayMyReps account), acting as the data controller (“Controller”); and
  • PayMyReps, a UK-based SaaS company, acting as the data processor (“Processor”).

This DPA supplements and forms part of the PayMyReps Terms of Service. In the event of any conflict between this DPA and the Terms, this DPA takes precedence with respect to data protection matters.

2. Definitions

  • “UK GDPR” means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
  • “Personal Data” has the meaning given in UK GDPR — any information relating to an identified or identifiable natural person.
  • “Processing” has the meaning given in UK GDPR — any operation performed on Personal Data.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Services” means the PayMyReps commission calculation and distribution platform as described in the Terms of Service.

3. Subject matter, nature, and purpose

The Processor will process Personal Data on behalf of the Controller for the following purposes only:

  • Calculating commission amounts for the Controller’s sales representatives based on data provided by the Controller
  • Storing commission run history to support audit and review by the Controller
  • Sending commission statements to sales representatives by email, where instructed by the Controller
  • Enabling the Controller to export commission data in formats suitable for payroll processing

Processing will take place for the duration of the Controller’s active subscription to the Services, and for up to 2 years thereafter for the purposes of audit retention, unless earlier deletion is requested.

4. Types of personal data processed

The Processor will process the following categories of Personal Data as directed by the Controller:

  • Sales representative names
  • Sales representative email addresses (where provided by the Controller)
  • Sales figures, deal counts, and commission amounts associated with named individuals
  • Any other personal data included in CSV files uploaded by the Controller (e.g. deal identifiers, product codes, role information)

The Controller is responsible for ensuring that all Personal Data provided to the Processor has been collected lawfully and that individuals have been informed of its use in accordance with UK GDPR.

5. Controller’s obligations

The Controller agrees to:

  • Ensure all Personal Data uploaded to the Services is collected and transferred to the Processor lawfully
  • Provide individuals (e.g. sales representatives) with appropriate notice about how their Personal Data will be used
  • Instruct the Processor in writing if any processing instruction differs from the default operation of the Services
  • Ensure that any instruction given to the Processor complies with applicable data protection law
  • Promptly inform the Processor of any changes that affect the lawfulness of the processing

6. Processor’s obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required to do otherwise by law
  • Ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental loss, destruction, alteration, or unauthorised access or disclosure
  • Not engage any Sub-processor without informing the Controller and, where required, obtaining the Controller’s prior written consent
  • Assist the Controller in responding to data subject rights requests as described in section 9 below
  • Notify the Controller without undue delay upon becoming aware of a Personal Data breach
  • Delete or return all Personal Data to the Controller at the end of the Services, and delete existing copies, unless required by law to retain them
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

7. Sub-processors

By accepting this DPA, the Controller provides general written authorisation for the Processor to engage the following Sub-processors. The Processor will notify the Controller of any intended changes (additions or replacements) to Sub-processors with reasonable advance notice, giving the Controller an opportunity to object.

  • Supabase / Neon (Database infrastructure) — Stores commission run data, account records, and all Personal Data processed through the Services. EU-based infrastructure.
  • Resend (Email delivery) — Processes sales representative email addresses and statement content for the purpose of email delivery. Processing occurs only when the Controller instructs PayMyReps to send statements.
  • Vercel (Application hosting) — Hosts and serves the PayMyReps web application. Vercel may process network-level data (including IP addresses) as part of serving requests.

Each Sub-processor is bound by data processing terms that impose obligations no less protective than those set out in this DPA.

8. Security measures

The Processor implements and maintains the following technical and organisational measures to protect Personal Data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted by the database infrastructure provider
  • Access to production systems is restricted to authorised personnel only
  • Authentication is required for all access to the platform
  • Admin access to customer accounts is logged via an immutable audit trail (impersonation log)
  • Passwords and credentials are managed using secrets management best practices

9. Data subject rights

Where a data subject (e.g. a sales representative) makes a request to exercise their UK GDPR rights directly with the Processor, the Processor will promptly notify the Controller and refer the request to them, as the data controller. The Processor will assist the Controller in fulfilling such requests where technically possible, within reasonable timeframes.

Data subjects should direct rights requests to the Controller in the first instance. The Controller remains responsible for responding to data subjects.

10. Personal data breaches

The Processor will notify the Controller without undue delay — and where possible within 72 hours — upon becoming aware of a Personal Data breach affecting Personal Data processed under this DPA. Notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

The Controller is responsible for notifying the ICO (and affected data subjects, if required) within the timeframes prescribed by UK GDPR.

11. International data transfers

Personal Data processed under this DPA is primarily stored within the EU/EEA. Where transfers to third countries occur (e.g. via Vercel’s global edge infrastructure), the Processor will ensure appropriate transfer mechanisms are in place, including UK International Data Transfer Agreements (IDTAs) or reliance on adequacy regulations, as applicable under UK GDPR.

12. Data retention and deletion

The Processor will retain Personal Data processed under this DPA for the following periods:

  • Commission run data: Up to 2 years from the date of the relevant run, to support audit requirements. This retention period reflects a legitimate business need and is proportionate to the risks involved.
  • Account data: For the duration of the subscription, plus up to 90 days after account closure, after which it will be permanently deleted.

The Controller may request early deletion of their data at any time by contacting support@paymyreps.com. We will process deletion requests within 30 days, subject to any legal retention obligations.

13. Audit rights

The Controller may, upon reasonable written notice (at least 30 days), request information from the Processor to verify compliance with this DPA. The Processor will provide reasonable assistance in responding to such requests, which may include documentation of security measures or Sub-processor arrangements.

Where an audit requires physical access to Processor systems or premises, this will be subject to mutual agreement on timing and scope to minimise disruption.

14. Liability

Each party will be liable for damage caused by its own breach of this DPA. The liability caps and exclusions set out in the Terms of Service apply to this DPA, except where otherwise required by UK GDPR.

15. Duration and termination

This DPA remains in force for as long as the Processor processes Personal Data on behalf of the Controller. It will automatically terminate upon deletion of all Personal Data in the Processor’s systems pursuant to section 12 above.

16. Governing law

This DPA is governed by the laws of England and Wales. Disputes arising under this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.

17. Contact and questions

For any questions about this DPA, or to exercise rights relating to data processing, contact us at: support@paymyreps.com