
Data Processing Agreement (DPA)

Version 1.0 – 1 April 2025

This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Inbest Terms & Conditions (the "Main Agreement"). Acceptance of the Main Agreement constitutes acceptance of this DPA.


1. Parties and Scope

"Customer" ("Data Controller") – any natural or legal person that has accepted the Main Agreement and uploads, transmits, or otherwise makes Personal Data available within an Inbest cloud service.

Investment Solver Ltd (t/a Inbest), company No. SC485527, 5 South Charlotte Street, Edinburgh, Scotland, EH2 4AN ("Data Processor").

This DPA governs Inbest's Processing of Personal Data on behalf of the Customer in connection with the provision of any Inbest cloud service (currently: (a) Case Management System (CMS), (b) Income & Expense Tool, and (c) Benefits Calculator), collectively the "Services".


2. Definitions

Capitalised terms not defined herein have the meanings given in the UK GDPR and, where applicable, the EU GDPR.

  • UK GDPR – the GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018.
  • Personal Data, Processing, Data Subject, Controller, Processor, Supervisory Authority – as defined in the GDPR.

3. Processor Obligations

  1. Instructions. Inbest will Process Personal Data only on documented instructions from the Customer (including this DPA and the Main Agreement) unless required by law.
  2. Confidentiality. Inbest ensures all authorised personnel are bound by confidentiality obligations.
  3. Security. Inbest implements the technical and organisational measures described in Schedule 2 (TOMs) and will maintain a level of security appropriate to the risk, as required by Article 32 GDPR.
  4. Sub‑processors. Customer provides a general authorisation for Inbest to engage Sub‑processors listed in Schedule 3 of this document.

    Inbest will:
    a. impose data‑protection obligations equivalent to this DPA on each Sub‑processor; and
    b. remain liable for the performance of its Sub‑processors.

    Inbest will notify Customer at least 14 days in advance of any addition or replacement, giving Customer the right to object on reasonable, data‑protection‑related grounds.

  5. Assistance. Taking into account the nature of Processing, Inbest will assist Customer (a) in responding to Data Subject requests, and (b) in meeting the obligations in Articles 32‑36 GDPR.
  6. Breach Notification. Inbest will notify Customer without undue delay after becoming aware of a Personal Data Breach and will provide information reasonably required for Customer to meet breach‑notification obligations.
  7. Audits. Inbest will make available information necessary to demonstrate compliance with this DPA and allow for audits by Customer or an independent auditor mandated by Customer at Customer's cost, subject to reasonable notice and confidentiality safeguards.
  8. Deletion or Return. Upon termination of the Services, Inbest will delete (within 30 days) or return all Personal Data save to the extent retention is required by law or for legitimate back‑up purposes (max 90 days), after which the back‑ups are automatically overwritten.

4. International transfers

Where Inbest or its Sub‑processors transfer Personal Data outside the UK or EEA, Inbest will ensure such transfers are protected by a valid data‑transfer mechanism (e.g., UK Addendum to the EU Standard Contractual Clauses ("SCCs") or another adequacy instrument). The SCCs (Modules 2 and 3) plus UK Addendum are hereby incorporated by reference.


5. Liability and Governing Law

The limitations of liability in the Main Agreement apply to this DPA. This DPA is governed by Scots law; disputes are subject to the exclusive jurisdiction of the Scottish Courts.


6. Term and Updates

This DPA remains in force for the duration of the Services. Inbest may update this DPA from time to time (e.g., to reflect legal changes). Material changes will be notified 30 days in advance; continued use of the Services after the effective date constitutes acceptance.


Schedule 1 – Description of Processing

Item | Details
Subject Matter | Provision of the Services under the Main Agreement.
Nature & Purpose | Collection, storage, analysis, and transmission of Personal Data to: (i) enable Advisors to manage cases; (ii) compute Income & Expense assessments and benefits calculations; (iii) allow Customers to view and export results; (iv) maintain and secure the Services; (v) provide analytics in aggregated or pseudonymised form.
Categories of Data | Contact details, household demographics, financial data, benefits received, housing status, disability information, questionnaire responses, identifiers (e.g., user ID), and any other data the Customer elects to upload.
Categories of Data Subjects | End‑clients / residents served by the Customer; Customer's authorised users.
Retention | For the subscription term plus 90 days for back‑up before automated deletion, unless otherwise agreed or required by law.

Schedule 2 – Technical & Organisational Measures (TOMs)

  1. Information Security Programme. Annual review by senior management; ISO 27001‑aligned policies.
  2. Access Control. Role‑based access, least‑privilege, MFA for privileged accounts; quarterly access reviews.
  3. Encryption. TLS 1.2+ for data in transit; AES‑256 encryption at rest.
  4. Vulnerability & Patch Management. Weekly automated scans; critical patches within 7 days.
  5. Incident Response. 24×7 monitoring; documented IR plan with post‑mortem reviews.
  6. Business Continuity & DR. Daily encrypted back‑ups, replicated cross‑region; RPO ≤ 24 h, RTO ≤ 12 h.
  7. Physical Security. Tier III data centres with 24×7 guards, CCTV, badge access.
  8. Supplier Management. Annual security assessment of critical Sub‑processors; contractual DP clauses.
  9. Training. Mandatory annual security & privacy training for all staff; specialised training for engineers.
  10. Audit & Compliance. Annual penetration test; SOC 2 Type II report available under NDA.

Schedule 3 – Sub‑processor List

Sub‑processor | Service / Function | Primary Processing Location
Google Cloud Platform | Core hosting, compute, and storage services for all Inbest cloud products | London (UK)
MongoDB Atlas | Managed database service used for structured data storage and high‑availability backups | London (UK)
Cloudflare | Global content‑delivery network (CDN), web‑application firewall (WAF), and DDoS protection | Cloudflare worldwide edge network (data in transit only)