Data Processing Agreement

Last updated: February 15, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Limitlesswealth Limited ("Processor", "we", "us") and the entity agreeing to the Terms of Service ("Controller", "you"). This DPA applies automatically when you use storq.io ("the Service") and do not need to be separately signed.

1. Definitions

Terms used in this DPA have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. In addition:

  • Personal Data means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Purpose

The Processor processes Personal Data solely to provide the Service as described in the Terms of Service. The categories of data and data subjects are:

  • Data subjects: the Controller's employees, customers, and suppliers whose data is entered into the Service
  • Categories of data: names, email addresses, physical addresses, phone numbers, order details, and other business information entered into the Service
  • Processing activities: storage, retrieval, display, transmission (email notifications, API responses), and deletion of the above data
  • Duration: for the term of the Controller's account, plus any applicable retention period described in the Privacy Policy

3. Controller and Processor Roles

You are the Controller of the Personal Data you enter into the Service. We are the Processor, acting on your instructions as defined by your use of the Service and these terms. We will not process Personal Data for any purpose other than providing the Service unless required by law.

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorised to process Personal Data are bound by obligations of confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Assist the Controller in fulfilling obligations related to data subject rights, data protection impact assessments, and prior consultations with supervisory authorities
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Security Measures

The Processor implements the following technical and organisational security measures:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest
  • Regular automated backups with point-in-time recovery
  • Role-based access controls for Processor personnel
  • Regular vulnerability assessments and security updates
  • Logging and monitoring of access to production systems
  • Incident response procedures

6. Sub-processing

The Controller provides general authorisation for the Processor to engage sub-processors. The current list of sub-processors is available on our Subprocessor List page.

The Processor shall:

  • Maintain an up-to-date list of sub-processors
  • Notify the Controller at least 30 days before adding or replacing a sub-processor
  • Ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA
  • Remain liable for the acts and omissions of its sub-processors

If the Controller objects to a new sub-processor, the Controller may terminate the affected Service by providing written notice within 30 days of the notification.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.

Where a data subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Data Breach affecting the Controller's Personal Data. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the Processor's point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

9. International Transfers

Where Personal Data is transferred outside the European Economic Area or the United Kingdom, the Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement or Addendum, where applicable
  • Adequacy decisions by the relevant authorities

Details of sub-processors and their jurisdictions are listed on our Subprocessor List page.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.

Audit requests must be made in writing with at least 30 days notice and shall be conducted during normal business hours without unreasonably disrupting the Processor's operations.

11. Termination and Data Return

Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days. The Controller may export their data at any time through the account settings before termination.

The Processor may retain Personal Data to the extent required by applicable law, in which case it shall isolate and protect the data and limit further processing to the purposes required by law.

12. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Contact

For questions about this DPA, contact us at:

Limitlesswealth Limited (Company No. 11015312)
[email protected]

We use cookies to keep you signed in and improve your experience. See our Cookie Policy for details.