About this Acceptable Use Policy

This acceptable use policy covers the products, services, and technologies (collectively referred to as the “Products”) provided by Paycada under any ongoing agreement. It’s designed to protect us, our customers and the general Internet community from unethical, irresponsible and illegal activity.

Paycada customers found engaging in activities prohibited by this acceptable use policy can be liable for service suspension and account termination. In extreme cases, we may be legally obliged to report such customers to the relevant authorities.

This policy was last reviewed on 9 September 2021.

Fair Use

We provide our facilities with the assumption your use will be “business as usual”, as per our offer schedule. If your use is considered to be excessive, then additional fees may be charged or capacity may be restricted.

We are opposed to all forms of abuse, discrimination, rights infringement and/or any action that harms or disadvantages any group, individual or resource. We expect our customers and, where applicable, their users (“end-users”) to likewise engage our Products with similar intent.

Customer Accountability

We regard our customers as being responsible for their own actions as well as for the actions of anyone using our Products with the customer’s permission. This responsibility also applies to anyone using our Products on an unauthorised basis as a result of the customer’s failure to put in place reasonable security measures.

By accepting Products from us, our customers agree to ensure adherence to this policy on behalf of anyone using the Products as their end-users. Complaints regarding the actions of customers or their end-users will be forwarded to the nominated contact for the account in question.

If a customer — or their end-user or anyone using our Products as a result of the customer — violates our acceptable use policy, we reserve the right to terminate any Products associated with the offending account or the account itself or take any remedial or preventative action we deem appropriate without notice. To the extent permitted by law, no credit will be available for interruptions of service resulting from any violation of our acceptable use policy.

Prohibited Activity

Copyright infringement and access to unauthorised material

Our Products must not be used to transmit, distribute or store any material in violation of any applicable law. This includes but isn’t limited to:

- any material protected by copyright, trademark, trade secret or other intellectual property right used without proper authorization, and
- any material that is obscene, defamatory, constitutes an illegal threat or violates export control laws.

The customer is solely responsible for all material they input, upload, disseminate, transmit, create or publish through or on our Products, and for obtaining legal permission to use any works included in such material.

SPAM and Unauthorised Message Activity

Our Products must not be used for the purpose of sending unsolicited bulk or commercial messages in violation of the laws and regulations applicable to your jurisdiction (“spam”). This includes but isn’t limited to sending spam, soliciting customers from spam sent from other service providers, and collecting replies to spam sent from other service providers.

Our Products must not be used for the purpose of running unconfirmed mailing lists or telephone number lists (“messaging lists”). This includes but isn’t limited to subscribing email addresses or telephone numbers to any messaging list without the permission of the email address or telephone number owner, and storing any email addresses or telephone numbers subscribed in this way. All messaging lists run on or hosted by our Products must be “confirmed opt-in”. Verification of the address or telephone number owner’s express permission must be available for the lifespan of the messaging list.

We prohibit the use of email lists, telephone number lists or databases purchased from third parties intended for spam or unconfirmed messaging list purposes on our Products.

This spam and unauthorised message activity policy applies to messages sent using our Products, or to messages sent from any network by the customer or any person on the customer’s behalf, that directly or indirectly refer the recipient to a site hosted via our Products.

Unauthorised Use of Paycada Property

We prohibit the impersonation of Paycada, the representation of a significant business relationship with Paycada, or ownership of any Paycada property (including our Products and brand) for the purpose of fraudulently gaining service, custom, patronage or user trust.

About this Policy

This policy outlines a non-exclusive list of activities and intent we deem unacceptable and incompatible with our brand.

We reserve the right to modify this policy at any time by publishing the revised version on our website.

The revised version will be effective from the earlier of:

- the date the customer uses our Products after we publish the revised version on our website;
- or 30 days after we publish the revised version on our website.

Data Processing Agreement

This Data Processing Agreement ("DPA") sets out the terms, requirements, and conditions on which you, Bluestone Consolidated Holdings Limited registered with company number 08753310, of 1 Station Square, Cambridge, England, CB1 2GA ("You", "Your") will process Personal Data when providing services to us, Fignum Limited registered with company number 11918733, of 1 Station Square, Cambridge, England, CB1 2GA ("We", "Us", "Our") when supporting us to provide the add-on services to our Paycada offering to our clients (the "Services").

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1. Definitions:

"Controller”, "Data Subject", "Personal Data", "Personal Data Breach", "processing, processes and process" and "Processor" are as defined in the GDPR.

"Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK and EU, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

1.2. A reference to writing or written [includes email but not fax].

1.3. In the case of conflict or ambiguity between any provisions contained in the body of this DPA and any provisions contained in the Schedule, the provisions in the body of this DPA will prevail.

2. Personal Data Types and Processing Purposes

2.1. The parties acknowledge that for the purpose of the Data Protection Legislation, our client instructing us to carry out the Services is the Controller, We are the Processor and You are our Sub-Processor. 

2.2. We retain control of the Personal Data and remain responsible for Our compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions We give to You. 

2.3. We warrant that Your expected use of the Personal Data for the provision of the Services and as specifically instructed by Us will comply with the Data Protection Legislation.

2.4 The Schedule describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which You may process to fulfil the Services.

3. Your Obligations

3.1. You will only process the Personal Data to the extent, and in such a manner, as is necessary for the Services in accordance with Our written instructions. You will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. You will immediately notify Us if, in Your opinion, Our instruction would not comply with the Data Protection Legislation.

3.2. You will promptly comply with any request or instruction from Us requiring You to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3. You will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless We or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires You to process or disclose Personal Data, You will first use reasonable endeavours to inform Us of the legal or regulatory requirement and give Us an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4. You will reasonably assist Us with meeting Our compliance obligations under the Data Protection Legislation, taking into account the nature of Your processing and the information available to You, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.

3.5. You will promptly notify Us of any changes to Data Protection Legislation that may adversely affect Your performance of the Services.

3.6. You will ensure that any and all employees:

  1. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
  2. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
  3. are aware both of Your duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

4. Security

4.1. You will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in the Schedule. 

4.2. You may update the measures in the Schedule from time to time, provided they do not result in a reduction in the security over the Personal Data to which they apply. You will maintain an up-to-date written record of Your then-current security measures, which You shall provide to Us on request, and review at least on an annual basis to ensure they remain current and complete.

4.3. You will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  1. the pseudonymisation and encryption of Personal Data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of security measures.

5. Personal Data Breach

5.1. You will promptly and without undue delay notify Us if any of the Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. You will restore such Personal Data at Your own expense.

5.2. You will without undue delay notify Us if You become aware of:

  1. any accidental, unauthorised or unlawful processing of the Personal Data; or
  2. any Personal Data Breach relating to the Personal Data.

5.3. Where You become aware of an event within the scope of clause 5.2, You shall, without undue delay, also provide Us with the following information:

  1. a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
  2. the likely consequences of the event; and
  3. a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.

5.4. Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. You will reasonably co-operate with Us in Our handling of the matter, including:

  1. assisting with any investigation;
  2. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Us; and
  3. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.

5.5. You will not inform any third party of any Personal Data Breach without first obtaining Our prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.

5.6. Subject to clause 5.5 We have the sole right to determine:

  1. whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Our discretion, including the contents and delivery method of the notice; and
  2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6. Sub-Processors

6.1. You may only authorise a third party (sub-processor) to process the Personal Data if:

  1. You first notify Us of such intended authorisation; and
  2. You enter into a written contract with the sub-processor that contains terms substantially the same to those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Our written request and at Your expense, provide Us with copies of such contracts (subject to redaction of any confidential information); and
  3. You maintain control over all Personal Data You entrust to the sub-processor.

6.2. We consent to You transferring Personal Data to sub-processors outside the United Kingdom and the European Economic Area provided that where such processing occurs, You:

  1. are processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; 
  2. participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that You (and, where appropriate, We) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or
  3. otherwise ensure that the transfer complies with the Data Protection Legislation.

6.3. Where the sub-processor fails to fulfil its obligations under such written agreement, You remain fully liable to Us for the sub-processor’s performance of its agreement obligations.

6.4. On Our written request, You will audit a sub-processor's compliance with its obligations regarding the Personal Data and provide Us with the audit results. Where We conclude reasonably that the sub-processor is in default of its obligations regarding the Personal Data, We may in writing instruct You to instruct the sub-processor to remedy such deficiencies within five (5) working days.

7. Complaints, Data Subject Requests and Third-Party Rights

7.1. You will take such technical and organisational measures as may be appropriate, and promptly provide such information to Us as We may reasonably require, to enable Us to comply with:

  1. the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
  2. information or assessment notices served on Us by any supervisory authority under the Data Protection Legislation.

7.2. You will notify Us immediately if You receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

7.3. You will notify Us without undue delay if You receive a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.

7.4. You will give Us Your full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

7.5. You will not disclose the Personal Data to any Data Subject or to a third party other than at Our request or instruction, as provided for in this DPA or as required by law.

8. Liability

8.1. Our total liability pursuant to this DPA shall be limited to £[5,000]. 

9. Term and Termination

9.1. This DPA will remain in full force and effect for so long as You retain any of Our Personal Data related to the Services in Your possession or control.

9.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Personal Data will remain in full force and effect.

9.3. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Services, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements. 

10. Data Return and Destruction

10.1. At Our request, You will give Us a copy of or access to all or part of Our Personal Data in Your possession or control in a commonly accessible and electronic format determined by Us.

10.2. On termination of the Services for any reason or expiry of its term, You will promptly securely delete or destroy or, if directed in writing by Us, return and not retain, all or any Personal Data related to this DPA in Your possession or control. This requirement shall not apply to Personal Data which You have archived on Your backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by You using those backups to restore Your systems).

10.3. Clause 10.2 shall not apply to the extent any law, regulation, or government or regulatory body requires You to retain any documents or materials that You would otherwise be required to return or destroy.

11. Records

11.1. You will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data You carry out for Us ("Records") and provide Us with copies of the Records upon request.

12. Audit

12.1. You will permit Us and our third-party representatives to audit Your compliance with this DPA and your performance of the Services, on at least 5 working days' written notice, during the Term. You will give Us and our third-party representatives all necessary assistance to conduct such audits at no additional cost to Us. The assistance may include, but is not limited to:

  1. physical access to, remote electronic access to, and copies of the Records and any other information held at Your premises or on systems storing the Personal Data;
  2. access to and meetings with any of Your personnel reasonably necessary to provide all explanations and perform the audit effectively; and
  3. inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.

12.2. The notice requirements in clause 12.1 will not apply if We reasonably believe that a Personal Data Breach has occurred or is occurring, or You are in material breach of any of Your obligations under this DPA or the Data Protection Legislation.

12.3. On Our written request, You will exercise relevant audit rights you have in connection with any sub-processors’ compliance with their obligations regarding Our Personal Data, and provide Us with a summary of the audit results.

12.4. Nothing in this DPA shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly You shall submit to any audits required by a Supervisory Authority or Data Protection Legislation. 

Data Processing Agreement

1. Description Of Data Processing

  1. Categories of data subjects: Our clients who use the Paycada service and our clients' debtors.
  2. Categories of personal data transferred: Our clients' names, phone numbers and email addresses, and our clients' debtors' names, email addresses, addresses and phone numbers.
  3. Sensitive data transferred: None.
  4. Nature and purpose of the processing: Personal data will be used by You to perform the Services.
  5. Duration of the processing: For the duration of your provision of the Services.

Lara Manton, Bookkeeper
“Paycada fits around your business and how you want to chase people.”

Lara Manton


play circle

Meet Lara

decorative hero banner element - large gradient bluedecorative hero banner element - blue square dotsdecorative hero banner element - yellow large xdecorative hero banner element - arrowdecorative hero banner element - yellow stardecorative hero banner element - large blue blockdecorative hero banner element - yellow half circledecorative hero banner element - thin nested lines
Start free trial