Cysoni
Data Processing Agreement

Last updated: 6 June 2026 · Effective: 6 June 2026

The short version

When your practice uses Cysoni to capture your clients' invoices, receipts and statements, you are the data controller and Cysoni is your data processor. We process that data only to provide the service, only on your instructions, with appropriate security, and we delete captured documents after processing — keeping only an audit record. This agreement sets out the legal detail required by UK GDPR.

1. Parties and scope

This Data Processing Agreement (“DPA”) forms part of, and is subject to, the agreement between you (the “Customer” or “Controller” — the accountancy practice) and Cysoni (the “Processor”) for the use of the Cysoni service (the “Service”). Cysoni is a sole-trader business based in the United Kingdom, registered with the Information Commissioner's Office (ICO) under registration number ZB227633.

This DPA applies where, and to the extent that, Cysoni processes Personal Data on the Customer's behalf in connection with the Service. Where there is a conflict between this DPA and the main terms on the subject of data protection, this DPA prevails.

2. Definitions

“UK GDPR”, “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject” and “Personal Data Breach” have the meanings given in UK Data Protection Law. “UK Data Protection Law” means the UK GDPR and the Data Protection Act 2018. “Sub-processor” means any third party engaged by Cysoni to process Personal Data on the Customer's behalf.

3. Roles of the parties

For Personal Data contained in the documents and inboxes the Customer connects to the Service (e.g. the Customer's clients' invoices, receipts and bank statements), the Customer is the Controller and Cysoni is the Processor. The Customer is responsible for having a lawful basis for the Processing and for the lawfulness of its instructions.

For Personal Data relating to the Customer's own account (its users' names, email addresses, login and billing information), Cysoni is the Controller, as described in our Privacy Policy.

4. Processing on instructions

Cysoni will process Personal Data only on the Customer's documented instructions, including as set out in this DPA and the main terms and as necessary to provide the Service, unless required to do otherwise by law (in which case Cysoni will, where lawful, inform the Customer first). Cysoni will inform the Customer if, in its opinion, an instruction infringes UK Data Protection Law.

5. Confidentiality

Cysoni ensures that persons authorised to process the Personal Data are bound by an appropriate duty of confidentiality and process the data only as instructed.

6. Security

Taking account of the state of the art, the costs of implementation and the nature, scope and purposes of Processing, Cysoni implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Schedule 2.

7. Sub-processors

The Customer provides general authorisation for Cysoni to engage the Sub-processors listed in Schedule 3 to support delivery of the Service. Cysoni imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. Cysoni will give the Customer reasonable notice of any intended addition or replacement of a Sub-processor, giving the Customer the opportunity to object on reasonable data-protection grounds.

8. Assistance with data subject rights

Taking into account the nature of the Processing, Cysoni will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under UK Data Protection Law. Where a Data Subject contacts Cysoni directly in relation to the Customer's data, Cysoni will direct them to the Customer.

9. Assistance with compliance

Cysoni will assist the Customer, taking into account the nature of Processing and the information available to it, in ensuring compliance with the Customer's obligations regarding security of processing, notification of Personal Data Breaches, data protection impact assessments and prior consultation (Articles 32–36 UK GDPR).

10. Personal data breaches

Cysoni will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data, and will provide the information reasonably available to it to help the Customer meet its own breach-notification obligations.

11. International transfers

Personal Data forming the captured accounting records is stored in the United Kingdom. Certain Sub-processors (see Schedule 3) may process Personal Data outside the UK. Where any transfer outside the UK occurs, Cysoni ensures an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures required.

12. Return and deletion

Captured documents are deleted after they have been processed and delivered to the Customer's chosen destination, following a short grace period to confirm delivery. On termination of the Service, or on the Customer's written request, Cysoni will delete or return the Personal Data it processes on the Customer's behalf, save for the audit record and any data Cysoni is required by law to retain. Backups are overwritten in the ordinary course.

13. Audit and information

Cysoni will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a Personal Data Breach), and subject to confidentiality and to not compromising the security or data of other customers.

14. Liability

Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the main terms between the parties.

15. Governing law

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 — Details of the processing

Subject matter: Capture and processing of invoices, receipts and bank statements from the Customer's connected sources, and their delivery to the Customer's chosen accounting software or destination.
Duration: For the term of the Service, and as set out in clause 12.
Nature and purpose: Read-only collection from connected email inboxes and uploaded/photographed documents; AI-assisted identification and extraction of document details; forwarding or posting of documents and details to the destination the Customer configures; maintenance of an audit record.
Types of Personal Data: Names and contact details of suppliers, clients and the Customer's users; financial transaction details (supplier, dates, amounts, VAT, references, line items, bank transactions); and any personal data incidentally contained within captured documents. Ordinary, non-accounting email is not stored.
Categories of Data Subjects: The Customer's clients and their suppliers and contacts; the Customer's own staff/users.
Special category data: Not intentionally processed. The Customer should not use the Service to capture special-category data.

Schedule 2 — Security measures

Schedule 3 — Sub-processors

Sub-processor | Purpose | Location
Google | Gmail API (read-only inbox access) and authentication | EU / US
Anthropic | AI classification and field extraction from documents (not used to train its models) | US
Google Cloud / Firebase | Application database, file storage and infrastructure (primary data stored in the UK) | UK / EU
Vercel | Application hosting | US / global edge
Resend | Sending and forwarding of emails (links, notifications, forwarded documents) | US
Stripe | Subscription billing and payments (account/billing data only) | US / global

The accounting software the Customer connects as a destination (e.g. Xero) acts as a separate controller for the data the Customer posts to it, under that provider's own terms, and is not a Cysoni Sub-processor. A current Sub-processor list is available on request.
