1. Parties & Background
1.1 This Data Processing Agreement ("DPA") is entered into between:
- The Controller: You, the Provider registered on the Ace Services platform — the self-employed individual, partnership, or incorporated entity whose details are held on your Ace Services account; and
- The Processor: Ace Services Global Ltd, a company registered in England and Wales (no. 16447687), whose registered office is 1a Electric Parade, Seven Kings Road, Ilford, Essex, United Kingdom, IG3 8BY ("Ace Services", "we", "us").
1.2 This DPA applies where you use the Payment Services feature within the Ace Services app to create invoices for, and store contact details of, your own customers. In doing so, you (the Controller) direct Ace Services (the Processor) to store and process personal data belonging to your customers on your behalf.
1.3 This DPA forms part of, and should be read alongside, the Ace Services Provider Terms of Service. In the event of any conflict between this DPA and the Provider Terms of Service in respect of data processing matters, this DPA shall prevail.
1.4 By using the Payment Services feature, you acknowledge and agree to the terms of this DPA.
2. Definitions
- "Controller" has the meaning given in UK GDPR Article 4(7) — the natural or legal person who determines the purposes and means of processing personal data. In this DPA, the Controller is the Provider.
- "Processor" has the meaning given in UK GDPR Article 4(8) — the natural or legal person who processes personal data on behalf of the Controller. In this DPA, the Processor is Ace Services.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed — in this context, the customers of the Provider.
- "Personal Data" has the meaning given in UK GDPR Article 4(1).
- "Processing" has the meaning given in UK GDPR Article 4(2).
- "Personal Data Breach" has the meaning given in UK GDPR Article 4(12).
- "UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended.
- "Payment Services" means the invoicing and payment link feature available within the Ace Services app, as described in the Provider Terms of Service.
- "Sub-processor" means any third party engaged by Ace Services to carry out processing activities on the Controller's personal data.
- "SCCs" means the International Data Transfer Agreement or Addendum approved by the Information Commissioner's Office for transfers of personal data outside the UK.
3. Scope & Role of the Parties
3.1 The subject matter, nature, purpose, duration, types of personal data processed, and categories of data subjects are set out in Schedule 1.
3.2 The parties acknowledge that:
- the Provider (Controller) determines the purposes and means of processing their customers' personal data within the Payment Services feature;
- Ace Services (Processor) processes that personal data only on the documented instructions of the Provider and solely to provide the Payment Services feature;
- Ace Services is an independent data controller in respect of personal data it collects about the Provider themselves (e.g. account details, transaction records, usage data) — that processing is governed by the Ace Services Privacy Policy.
3.3 The Provider warrants that they have a lawful basis under UK GDPR to collect and share their customers' personal data with Ace Services, and that they have provided their customers with appropriate privacy information in accordance with UK GDPR Articles 13 and 14.
4. Processor Obligations
Ace Services shall, in its capacity as Processor:
4.1 Process the personal data only on the documented instructions of the Provider, unless required to do so by applicable law, in which case Ace Services shall inform the Provider of that legal requirement before processing (unless prohibited by law).
4.2 Not process the personal data for any purpose other than providing the Payment Services feature to the Provider.
4.3 Not sell, rent, or otherwise transfer the personal data to any third party except as permitted under this DPA or required by law.
4.4 Promptly inform the Provider if, in Ace Services' opinion, an instruction given by the Provider infringes UK GDPR or any other applicable data protection law.
5. Instructions
5.1 The Provider's instructions to Ace Services are set out in Schedule 1 and in the Provider's use of the Payment Services feature within the app (for example, creating an invoice, saving a customer, or deleting an invoice).
5.2 The Provider may issue additional written instructions regarding the processing by contacting privacy@aceservices.app. Ace Services will confirm whether it is able to comply and within what timeframe.
5.3 Ace Services shall process personal data only within the scope of these instructions. If Ace Services is required by applicable law to process personal data beyond these instructions, it shall notify the Provider unless prohibited from doing so by law.
6. Confidentiality
6.1 Ace Services shall ensure that all personnel authorised to process the personal data are subject to appropriate obligations of confidentiality, whether by contract or statutory duty.
6.2 Access to the personal data will be limited to personnel who need access for the purposes of providing the Payment Services feature.
7. Security
7.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, Ace Services shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Schedule 3.
7.2 In assessing the appropriate level of security, Ace Services shall take into account the risks presented by processing, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
7.3 Ace Services shall not store, process, or have access to payment card numbers, bank account details, or any other payment credentials belonging to the Provider's customers. All such data is handled exclusively by Stripe Technology Europe Ltd under their PCI DSS compliance programme.
8. Sub-processors
8.1 The Provider grants Ace Services general authorisation to engage the sub-processors listed in Schedule 2 for the purposes set out therein.
8.2 Ace Services shall:
- impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA;
- remain fully liable to the Provider for the performance of the sub-processor's obligations to the extent that the sub-processor fails to fulfil its data protection obligations;
- notify the Provider of any intended changes to the list of sub-processors (additions or replacements) by updating Schedule 2 and providing at least 30 days' prior notice via the app or email. The Provider may object to such changes by notifying Ace Services in writing within 14 days of the notice.
8.3 Where the Provider objects to a new sub-processor and Ace Services cannot reasonably provide the Payment Services feature without engaging that sub-processor, either party may terminate this DPA (and the Provider's use of Payment Services) on reasonable written notice.
9. Assistance with Data Subject Rights
9.1 Taking into account the nature of the processing, Ace Services shall assist the Provider by implementing appropriate technical and organisational measures to fulfil the Provider's obligations to respond to requests from data subjects exercising their rights under UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
9.2 If Ace Services receives a request from a data subject that relates to personal data processed under this DPA, Ace Services shall promptly forward that request to the Provider and shall not respond to the data subject directly (except to confirm that the request has been forwarded), unless the Provider has authorised Ace Services to do so.
9.3 The Provider shall respond to data subject requests within the timescales required by UK GDPR (generally one calendar month). Ace Services shall provide reasonable assistance to enable the Provider to meet those timescales.
10. Personal Data Breach Notification
10.1 Ace Services shall notify the Provider without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach affecting personal data processed under this DPA.
10.2 The notification shall, to the extent available at the time, include:
- a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records concerned;
- the name and contact details of the data protection contact at Ace Services;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
10.3 Where it is not possible to provide all information at the time of initial notification, Ace Services shall provide the information in phases as it becomes available.
10.4 The Provider is responsible for determining whether the breach must be reported to the Information Commissioner's Office (ICO) and/or affected data subjects under UK GDPR Articles 33 and 34, and for making any such notifications within the applicable timeframes.
10.5 Ace Services shall co-operate with the Provider and take such reasonable steps as are directed by the Provider to assist in the investigation, mitigation, and remediation of the breach.
11. Data Protection Impact Assessments & Prior Consultation
11.1 Ace Services shall provide the Provider with reasonable assistance in carrying out data protection impact assessments (DPIAs) under UK GDPR Article 35, where the processing carried out under this DPA is likely to result in a high risk to the rights and freedoms of natural persons.
11.2 Ace Services shall provide reasonable assistance in relation to any prior consultation with the ICO required under UK GDPR Article 36.
11.3 Such assistance shall be limited to information and processing activities within Ace Services' reasonable knowledge and control.
12. Return and Deletion of Data
12.1 Upon termination of the Provider's Ace Services account, or upon written request from the Provider, Ace Services shall, at the Provider's election:
- delete all personal data processed under this DPA and confirm in writing that deletion has been completed; or
- where technically feasible, return the personal data to the Provider in a commonly used machine-readable format before deleting it.
12.2 Ace Services shall complete the deletion or return within 30 days of the relevant request or account termination.
12.3 Notwithstanding the above, Ace Services may retain personal data to the extent and for so long as required by applicable law (including for financial record-keeping under HMRC requirements, up to 6 years), provided that Ace Services shall ensure the confidentiality of such retained data and shall not process it for any other purpose.
12.4 Ace Services shall not be required to delete personal data held by sub-processors independently of Ace Services' systems (such as data held by Stripe Technology Europe Ltd as an independent data controller).
13. Audit Rights
13.1 Ace Services shall make available to the Provider all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.
13.2 Ace Services shall allow for and contribute to audits, including inspections, conducted by the Provider or a mandated auditor, provided that:
- the Provider gives Ace Services at least 30 days' written notice of any proposed audit;
- any audit is conducted during normal business hours, no more than once per year unless a Personal Data Breach has occurred, and in a manner that minimises disruption to Ace Services' operations;
- the auditor is subject to reasonable confidentiality obligations;
- the Provider bears all costs of the audit unless the audit reveals a material breach of this DPA by Ace Services.
13.3 Where Ace Services holds relevant third-party audit certifications (such as ISO 27001 or SOC 2), it may provide those reports to the Provider in lieu of a bespoke audit, at Ace Services' discretion.
14. International Transfers
14.1 Ace Services shall not transfer personal data processed under this DPA to a country or territory outside the United Kingdom unless one of the following conditions is met:
- the transfer is to a country covered by UK adequacy regulations;
- appropriate safeguards are in place in accordance with UK GDPR Article 46, such as the ICO's International Data Transfer Agreement (IDTA) or the ICO-approved Addendum to the EU Standard Contractual Clauses; or
- the transfer falls within one of the derogations in UK GDPR Article 49.
14.2 The sub-processors listed in Schedule 2 may process data outside the UK. The safeguards applicable to each transfer are identified in Schedule 2. By accepting this DPA, the Provider authorises those transfers subject to the safeguards described.
15. Liability
15.1 Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the Provider Terms of Service, to the extent permitted by applicable law.
15.2 Nothing in this DPA limits either party's liability to a data subject or to the ICO as required under UK GDPR.
15.3 Where a party has paid compensation to a data subject in circumstances where that party is not, or is only partly, responsible for the damage, that party may seek contribution from the other party in proportion to their respective responsibility for the damage, in accordance with UK GDPR Article 82(5).
16. Term & Termination
16.1 This DPA takes effect when the Provider first uses the Payment Services feature and remains in force for as long as Ace Services processes personal data on behalf of the Provider under this DPA.
16.2 This DPA terminates automatically on the termination or expiry of the Provider's Ace Services account, subject to clause 12 (return and deletion).
16.3 Either party may terminate this DPA on written notice if the other party is in material breach of its obligations under this DPA and, where the breach is capable of remedy, has failed to remedy it within 30 days of written notice requiring it to do so.
16.4 Clauses that by their nature should survive termination (including clauses 6, 7, 12, 13, and 15) shall survive the termination of this DPA.
17. General
17.1 This DPA, together with the Provider Terms of Service and the Privacy Policy, constitutes the entire agreement between the parties relating to the processing of personal data described in Schedule 1.
17.2 This DPA is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction over any disputes arising under it.
17.3 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
17.4 Ace Services may update this DPA from time to time to reflect changes in applicable law or its processing activities. Material changes will be notified to the Provider via the app or email with at least 30 days' notice. Continued use of the Payment Services feature after the effective date of any change constitutes acceptance of the updated DPA.
17.5 Any notices under this DPA should be sent to privacy@aceservices.app.
Schedule 1 — Details of Processing
| Item | Details |
|---|---|
| Subject matter | Processing of personal data belonging to the Provider's own customers, entered by the Provider into the Payment Services (invoicing) feature of the Ace Services app. |
| Nature of processing | Collection, storage, retrieval, use, and deletion of personal data as directed by the Provider via the app. Specifically: creating and storing invoices; maintaining a customer book for repeat invoicing; generating Stripe payment links; sending push notifications to the Provider on payment events. |
| Purpose | To enable the Provider to create invoices, track payments, and manage their customer relationships through the Payment Services feature. Ace Services processes this data solely to provide this feature and for no other purpose. |
| Duration | For the duration of the Provider's Ace Services account, or until the Provider deletes the relevant data via the app or requests deletion in writing, subject to any applicable legal retention obligations. |
| Types of personal data |
|
| Categories of data subjects | The Provider's own customers — individuals or businesses who have engaged or are engaging the Provider for home services. These data subjects have no direct relationship with Ace Services. |
| Special category data | None. The Provider must not enter special category personal data (as defined in UK GDPR Article 9) into the Payment Services feature. |
| Provider's instructions | Create invoice records; store customer contact details for repeat invoicing; generate and deactivate Stripe payment links; send payment notifications to the Provider; delete invoice and customer records when instructed via the app or in writing. |
Schedule 2 — Approved Sub-processors
The following sub-processors are authorised to process personal data on Ace Services' behalf for the purposes of providing Payment Services:
| Sub-processor | Entity & Location | Purpose | Transfer Safeguard |
|---|---|---|---|
| Google Firebase / Firestore | Google Ireland Ltd (EU/EEA); Google LLC (US) | Cloud database storage of invoice and customer book records; push notification delivery (Firebase Cloud Messaging); serverless compute (Cloud Functions) | UK adequacy (EEA); ICO-approved IDTA / SCCs (US) |
| Stripe Technology Europe Ltd | Stripe Technology Europe Ltd (Ireland / EU); may process in US | Generation and deactivation of Stripe payment links; processing of card and bank payment transactions; dispatch of webhook events to Ace Services confirming payment status | Stripe is an independent data controller for payment data (FCA FRN: 900461); SCCs for any US transfers under Stripe's own DPA |
Ace Services will update this Schedule and provide 30 days' advance notice before engaging any new sub-processor or making material changes to an existing sub-processor's role.
Schedule 3 — Technical and Organisational Security Measures
Ace Services implements and maintains the following measures to protect personal data processed under this DPA:
Access Control
- All Firestore collections are protected by Firebase Security Rules that restrict read and write access to authenticated users acting on their own data only.
- Invoice and customer book data is accessible only to the Provider who created it (enforced by
providerIdfield matching on all queries and Cloud Function calls). - Administrative access to Firestore is restricted to named Ace Services personnel and is protected by multi-factor authentication.
Data in Transit
- All data transmitted between the app and Ace Services' backend is encrypted in transit using TLS 1.2 or higher.
- All Firebase SDK communications use HTTPS by default.
Data at Rest
- Data stored in Google Firestore is encrypted at rest by Google using AES-256 encryption by default.
Payment Data
- Ace Services never stores, processes, or accesses payment card numbers, bank account details, or other payment credentials. All such data is handled exclusively by Stripe under their PCI DSS Level 1 compliance programme.
Incident Response
- Ace Services maintains an internal incident response process. On discovery of a suspected Personal Data Breach affecting data processed under this DPA, Ace Services will notify the Provider within 48 hours as described in Section 10.
Vendor Management
- Sub-processors are subject to data processing agreements that impose obligations no less protective than those in this DPA.