Data processing addendum
Last updated: July 2026
This summary describes how Fitzentic processes personal data on behalf of a customer firm when the firm uses the platform. It supplements the firm's service agreement. For a signed DPA, contact [email protected].
Roles
- The customer firm is the controller of the personal data it processes about its clients, matters and staff in the platform.
- Fitzentic Ltd is the processor, acting only on the firm's documented instructions.
Subject matter & duration
We process personal data for the purpose of providing the platform, for as long as the firm's account is active and for a limited period afterwards, then delete or return it.
Types of data & data subjects
Contact, identity, matter and financial information about the firm's clients, opposing parties, and the firm's own staff — as entered by the firm.
Our obligations
- Process only on the firm's instructions.
- Ensure staff are bound by confidentiality.
- Apply appropriate technical and organisational security (encryption, tenant isolation, access control, audit).
- Assist the firm with data-subject requests, security, breach notification and impact assessments.
- Use sub-processors only as listed on our Sub-processors page, under equivalent obligations, and give notice of changes.
Breaches
We notify the firm without undue delay after becoming aware of a personal-data breach affecting their data, with the information the firm needs to meet its own 72-hour ICO obligation.
International transfers
Data is hosted in the UK. Any transfer outside the UK relies on an approved mechanism.
Deletion & return
On termination, we delete or return the firm's personal data (subject to any legal retention), and delete existing copies unless the law requires otherwise.