Data Processing Addendum
Version v1.0
Last updated 26 April 2026
This Data Processing Addendum ("DPA") forms part of the Customer Terms of Service between VectisFlow Limited and the Customer. It governs VectisFlow's processing of Customer Data as a processor on behalf of the Customer as controller, under UK GDPR, the Data Protection Act 2018, and applicable data protection laws.
1. Subject matter, duration, nature, and purpose
| Field | Value |
|---|---|
| Subject matter | Customer Data processed to provide the Templio service |
| Duration | The term of the Customer's subscription and any applicable post-termination retention period |
| Nature | Hosting, storage, processing, and transmission of timesheets, invoices, approvals, documents, and compliance records |
| Purpose | Provision of the contractual Service under the Customer Terms |
2. Categories of data subjects
- Agency staff (Authorised Users of the Customer)
- Contractors (end-users submitting timesheets)
- Clients and approvers of the Customer
3. Categories of personal data
- Identity data (name, email)
- Authentication metadata
- Employment / engagement data (timesheet content, NI numbers where supplied, engagement references)
- Financial data (bank details where required for self-billing, invoice line items)
- Approval and audit records
- Documents uploaded to the document vault
4. Roles of the parties
The Customer is the controller of Customer Data. VectisFlow Limited is the processor.
5. Processor obligations (Art. 28 UK GDPR)
VectisFlow will:
- Process Customer Data only on the documented instructions of the Customer, including in relation to international transfers, unless required to do so by law (in which case VectisFlow will inform the Customer unless the law prohibits);
- Ensure personnel processing Customer Data are subject to appropriate confidentiality obligations;
- Implement the technical and organisational measures described in Annex B;
- Engage sub-processors only in accordance with section 6;
- Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures to respond to data subject rights requests;
- Assist the Customer with security, data protection impact assessments, and prior consultations;
- Notify the Customer without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting Customer Data;
- At the Customer's choice, return or delete Customer Data on termination, subject to retention obligations set out in this DPA;
- Make available to the Customer all information necessary to demonstrate compliance with Art. 28 obligations.
6. Sub-processing
The Customer grants general written authorisation for VectisFlow to engage sub-processors, subject to:
- The list in Annex A remaining current;
- Written notice of any intended addition or replacement, at least 30 days in advance;
- The Customer's right to reasonably object to a proposed change, in which case the parties will discuss in good faith and, failing agreement, the Customer may terminate the affected parts of the Service.
VectisFlow will impose data protection obligations on each sub-processor that are equivalent to those in this DPA.
7. International transfers
Where a sub-processor is located outside the United Kingdom and the transfer is not otherwise lawful under UK data protection law, transfers are made under the UK International Data Transfer Agreement ("IDTA") or the EU Standard Contractual Clauses with the UK International Data Transfer Addendum. The specific mechanism for each sub-processor is set out in Annex A.
8. Security
See Annex B.
9. Assistance, DSARs, and breach notification
VectisFlow will:
- Acknowledge requests for assistance with data subject rights within five business days;
- Provide reasonable support for DPIAs and prior consultations on request;
- Notify the Customer of personal data breaches affecting Customer Data within 72 hours of becoming aware, providing available detail to enable the Customer to meet its own notification obligations.
10. Audits
The Customer has the right, not more than annually and on reasonable written notice of at least 30 days, to audit VectisFlow's compliance with this DPA. Audits are at the Customer's cost unless a material breach is identified. VectisFlow will make available third-party attestation reports (e.g., SOC 2 Type II, ISO/IEC 27001) to satisfy audit rights where such reports are available.
11. Return or deletion on termination
On termination of the Customer's subscription VectisFlow will, on the Customer's written request within 30 days:
- Provide Customer Data in a commonly used, machine-readable format; and
- Delete all production copies of Customer Data within 30 days of the request, subject to:
  - Backups that are overwritten in the ordinary course within 90 days;
  - The immutable audit log retained for six years. For GDPR Art. 17 erasure requests we pseudonymise affected entries rather than deleting, as we are required to retain the audit record.
12. Annex A — Subprocessors
13. Annex B — Technical and organisational measures
Access control and tenant isolation
- Multi-tenant isolation enforced by `agencyId` scoping on every query that touches Customer Data, double-gated against the record's primary key.
- Runtime database role `templio_app` with INSERT-only permission on the audit log, enforced by database grants and triggers. Migration-time access uses a separate privileged role.
- Clerk Core 3 authentication for agency staff, with multi-factor authentication available and recommended.
- Contractors authenticate by magic-link only; no passwords are stored.
Integrity
- Append-only audit log at the database level (UPDATE and DELETE are rejected by database triggers).
- Monetary values stored as integer pennies to prevent floating-point drift.
- Every state-changing server action writes an audit entry.
Encryption and network
- TLS 1.2+ required in transit.
- Encryption at rest provided by the underlying storage providers (Neon managed Postgres, Vercel storage).
- Secrets managed through environment variables; no secrets are logged.
Availability and resilience
- Managed Postgres in the London region (`eu-west-2`) with automated point-in-time recovery.
- Static assets served through a global edge network.
- Background jobs orchestrated with at-least-once delivery semantics.
Monitoring and rate limiting
- Request-level rate limits on authentication and timesheet submission endpoints via Upstash-backed rate limiting.
- Structured logging with correlation IDs; personal data is minimised in logs.
Supplier management
- Sub-processors engaged under contracts with data protection terms substantively equivalent to this DPA.
- Annex A maintained as the current list.