Data Processing Agreement

Last updated on 1 May 2026. This DPA forms part of the Saldo Terms of Service and applies whenever Franchise Family Ltd (trading as Saldo) processes personal data on your behalf as a processor under UK GDPR / EU GDPR.

1. Definitions

“Customer” means the entity entering into the Saldo Terms of Service. “Saldo”, “we” and “us” mean Franchise Family Ltd. “Personal Data”, “Processing”, “Controller”, “Processor” and “Sub-processor” have the meanings set out in UK GDPR.

2. Roles

The Customer is the Controller of Personal Data processed through the Service (typically the names, work emails, hourly costs and worklogs of the Customer’s own staff). Saldo acts as Processor.

3. Scope of processing

Saldo will process Personal Data only:

  • To provide the Service as described in the Terms of Service.
  • On documented instructions from the Customer.
  • For the duration of the subscription, plus an off-boarding period of up to 30 days.

4. Confidentiality and access

All Saldo personnel with access to Personal Data are bound by written confidentiality obligations. Production access is limited to a small named group, controlled by SSO, logged, and reviewed quarterly.

5. Security measures

  • Encryption in transit (TLS 1.3) and at rest.
  • Network segmentation between application, database and operational tooling.
  • Separate environments for production, staging and development.
  • Daily encrypted backups with monthly restore tests.
  • Centralised audit logging with 12-month retention.
  • Vulnerability scanning and dependency monitoring.

6. Sub-processors

We use the following sub-processors. We will give the Customer at least 30 days’ notice before adding or replacing a sub-processor; the Customer may object on reasonable grounds.

  • Amazon Web Services (AWS) (cloud hosting and storage, EU / UK regions)
  • Cloudflare, Inc. (CDN and DDoS protection, UK IDTA in place)
  • Stripe Payments UK Ltd (subscription billing)
  • Postmark / SMTP provider (transactional and marketing email)
  • Atlassian Pty Ltd (Jira API access — initiated by Customer)

7. International transfers

Where Personal Data leaves the UK or the EEA, we rely on the UK IDTA, the EU Standard Contractual Clauses, or an adequacy decision, as appropriate.

8. Data subject rights

We will assist the Customer in responding to data subject requests (access, correction, deletion, portability, restriction, objection) within statutory deadlines. Most requests can be served from within the Saldo product directly.

9. Personal data breaches

We will notify the Customer without undue delay (and in any event within 48 hours of becoming aware) of any personal data breach affecting Customer Personal Data, with the information needed for the Customer to meet its own obligations under Article 33.

10. Audits

We will provide our latest security and compliance documentation (SOC 2 report once available, security questionnaire, sub-processor list) on request. Enterprise customers may request an annual audit subject to reasonable scope and notice.

11. Return or deletion

Within 30 days of termination of the subscription we will, at the Customer’s choice, return or irreversibly delete all Customer Personal Data, except where retention is required by law.

12. Governing law

This DPA is governed by the laws of England and Wales.

13. Contact

For all data protection matters, contact hello@saldo.team.