Back to Trust Centre

Data Processing Agreement

Version 1.0 — 29 June 2026

Download DPA (PDF)

1. Parties and scope

This Data Processing Agreement ("DPA") forms part of the agreement between Option To VAT Limited, trading as OneSixth ("Processor") and the customer entity that has subscribed to the OneSixth service ("Controller"). It applies whenever the Processor processes personal data on the Controller's behalf in connection with the service.

2. Roles

  • For the Controller's own account holders, employees, clients and end users: the Customer is the Controller; OneSixth is the Processor.
  • For OneSixth's own administrative data (billing contacts, account creation, support correspondence): OneSixth is the Controller and processing is governed by our Privacy Policy.

3. Subject matter and duration

The subject matter is the provision of the OneSixth service (margin VAT, TOMS and Partial Exemption calculations and journal posting) for the duration of the customer's subscription, plus any retention period required by law.

4. Nature and purpose of processing

Reading invoices, bills, transactions and reference data from the Controller's connected accounting platform; calculating VAT under HMRC margin schemes; posting journals back to the platform on the Controller's instruction; storing audit trails; and providing related support.

5. Categories of data and data subjects

  • Data subjects: the Controller's account users, the Controller's clients and contacts as recorded in the connected accounting platform.
  • Data categories: identification data (name, email, role); accounting data (invoices, bills, journal lines, contact references); technical data (IP address, browser, audit log entries); authentication data (OAuth tokens stored encrypted).
  • OneSixth does not knowingly process special category data. The Controller agrees not to upload or otherwise input special category data into the service.

6. Processor obligations

  • Process personal data only on documented instructions from the Controller, including with regard to international transfers, except where required by UK or EU law.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement the technical and organisational measures described on our Security page (Article 32).
  • Assist the Controller, taking into account the nature of processing, in responding to data subject rights requests (Articles 12–22).
  • Assist the Controller in complying with Articles 32–36 (security, breach notification, DPIAs, prior consultation).
  • At the Controller's choice, delete or return all personal data after the end of the service, except as required by law (e.g. 6-year HMRC retention for VAT records).
  • Make available all information necessary to demonstrate compliance and allow for audits, on reasonable notice and during business hours, subject to confidentiality.

7. Sub-processors

The Controller provides general written authorisation for the Processor to engage the sub-processors listed at /sub-processors. The Processor will inform the Controller of any intended changes via that page, giving the Controller an opportunity to object on reasonable data protection grounds before the change takes effect.

8. International transfers

Customer personal data is stored in the European Union. Where transfers outside the UK occur (for example to a US-based sub-processor), they are protected by the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses (SCCs), or an adequacy decision recognised by the UK government.

9. Personal data breach

The Processor will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Controller personal data, providing the information required under Article 33(3) UK GDPR.

10. Liability and governing law

Liability under this DPA is subject to the limitations and exclusions set out in our Terms & Conditions. This DPA is governed by the laws of England and Wales.

11. How to execute

This DPA is incorporated by reference into our Terms & Conditions and is effective from the date you accept those Terms. If your organisation requires a counter-signed copy on letterhead, email dpo@onesixth.app with your company details and we will arrange one.