Ticpoz Back to site

Data Processing Agreement

The terms under which TICPOZ Ltd processes personal data on behalf of a customer. Required for enterprise procurement; available on request as a signed PDF.

Last updated · May 2026
Need a signed DPA?
Email [email protected] with your registered entity name, registered office, and the named contact for data-protection matters. We'll send a PDF for counter-signature within 2 business days. The signed DPA forms an addendum to your Terms of Service contract.

1. Roles

  • Customer is the data controller for personal data they upload to or process through TICPOZ.
  • TICPOZ Ltd is the data processor — we process customer-controlled personal data on documented instructions to deliver the Service.
  • For data TICPOZ collects directly from end-users (account email, billing details, audit log), TICPOZ acts as data controller and that processing is governed by our privacy policy.

2. Scope of processing

Subject-matter
Provision of the TICPOZ trading-automation platform (the Service) under the Terms of Service.
Duration
For the term of the customer's subscription, plus the post-termination retention period in §6 below.
Nature
Storage, transmission, and computation of the personal data the customer chooses to upload or generate through the Service.
Purpose
Delivering the Service: authenticating users, running backtests, executing orders, managing broker connections, billing.
Data categories
Account credentials (hashed), broker tokens (encrypted), trade history, strategy artefacts, audit log, billing records, support correspondence.
Data subjects
Customer's users (typically the customer's employees, contractors, or — for B2C resale — the customer's own customers).

3. Processor duties

  • Process personal data only on documented instructions from the customer (the Terms + DPA + any in-app actions are the documented instructions).
  • Ensure personnel authorised to process personal data have committed themselves to confidentiality.
  • Implement technical and organisational security measures appropriate to the risk — see /security for the current measures.
  • Assist the customer in responding to data-subject requests (access, rectification, erasure, portability).
  • Notify the customer without undue delay (and in any case within 72 hours) of a personal-data breach affecting their data.
  • Delete or return personal data at the end of the relationship per §6.

4. Sub-processors

TICPOZ uses the sub-processors listed at /sub-processors. Customer grants TICPOZ general authorisation to engage these sub-processors. We give at least 30 days' notice before adding a new sub-processor that processes personal data, published on the sub-processors page and in the changelog. Customer may object on reasonable grounds; if we cannot resolve the objection, customer may terminate the affected portion of the Service.

5. International transfers

Where TICPOZ transfers customer personal data outside the EEA / UK, the transfer is governed by:

  • The EU Standard Contractual Clauses (Module 2 or 3 as applicable), and
  • The UK International Data Transfer Addendum to those SCCs.

Supplementary safeguards are documented in /security and our privacy policy.

6. Return + deletion

  • On termination of the Service, customer may export their data through the in-product export tooling for up to 30 days.
  • After day 30, TICPOZ deletes customer personal data, except items required to be retained by law (e.g. billing records under accounting retention requirements).
  • Backups are retained on a rolling 35-day cycle and are deleted in due course; backed-up data is not restored except for disaster recovery.

7. Audit

TICPOZ provides customer (or an independent auditor agreed by both parties, under NDA) with information reasonably necessary to demonstrate compliance with this DPA. Audit requests must be in writing, scoped to the customer's own data, and given with at least 30 days' notice. Frequency is no more than once per 12-month period unless a regulator requires more.

8. Liability

Liability arising from this DPA is subject to the limitation-of- liability cap in the Terms of Service §13. Nothing in this DPA excludes liability that cannot be excluded under the GDPR or the UK Data Protection Act 2018.

9. Order of precedence

In the event of conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails. On all other matters the Terms of Service prevail.

10. Contact