Data Processing Agreement
This DPA forms part of the Terms of Service and governs the processing of personal data by Accel Books on behalf of the Customer under Article 28 GDPR.
Last updated: 16 May 2026 · Governing law: Republic of Ireland
1. Definitions
Terms in this DPA have the meanings given in Regulation (EU) 2016/679 (the "GDPR") and the UK GDPR. "Customer" is the controller; "Accel Books" is the processor. "Customer Personal Data" means personal data within Customer Data processed by Accel Books on the Customer's behalf.
2. Roles and scope
- The Customer is the controller (or processor for its end-customers) of Customer Personal Data.
- Accel Books processes Customer Personal Data only on the documented instructions of the Customer, which include the Terms, this DPA and use of the Service in accordance with the documentation.
- Accel Books will inform the Customer if an instruction infringes data protection law.
3. Subject matter, duration, nature and purpose
- Subject matter: processing necessary to provide the Service.
- Duration: for the duration of the subscription and until deletion as set out below.
- Nature and purpose: hosting, storage, retrieval, analytics, support and other operations needed to deliver the Service.
- Categories of data subjects: the Customer's employees, contractors, customers, suppliers, contacts and any individuals identified in Customer Data.
- Categories of personal data: identification, contact, financial, transactional, communications and any other data the Customer chooses to upload.
4. Accel Books obligations
- Process Customer Personal Data only on documented instructions, including for international transfers.
- Ensure personnel authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex II).
- Assist the Customer with data subject requests, DPIAs and consultations with supervisory authorities, taking into account the nature of processing and information available.
- Notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting Customer Personal Data.
- Make available all information necessary to demonstrate compliance and allow for audits as set out in Section 8.
5. Subprocessors
The Customer grants general authorisation to Accel Books to engage subprocessors listed at /legal/subprocessors. Accel Books will:
- Maintain an up-to-date list of subprocessors and notify the Customer of intended changes at least 30 days in advance (Customer may object on reasonable data protection grounds).
- Impose data protection obligations on each subprocessor that are no less protective than those in this DPA.
- Remain liable to the Customer for the acts and omissions of its subprocessors.
6. International transfers
Where Accel Books or a subprocessor transfers Customer Personal Data outside the EEA or the UK to a country not covered by an adequacy decision, the transfer is made subject to the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable, hereby incorporated by reference, and the UK Addendum (issued by the ICO under s.119A DPA 2018) for UK-originating data. Where applicable, transfers to the United States may rely on the EU–US Data Privacy Framework.
7. Security measures (Annex II)
- Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Strict role-based access control with least privilege and MFA for administrators.
- Network isolation, web application firewall, DDoS protection.
- Continuous logging, monitoring and intrusion detection.
- Regular vulnerability scanning and independent penetration testing.
- Secure SDLC including code review, dependency scanning and segregated environments.
- Documented incident response plan with 24×7 on-call.
- Regular backups, tested restoration procedures and disaster recovery.
- Personnel screening and mandatory security and privacy training.
- Data centres certified to ISO 27001 within the EU.
8. Audits
Accel Books will, on reasonable written request and no more than once per year (except where required by a supervisory authority or after a personal data breach), provide a summary of its most recent third-party audit reports (e.g. ISO 27001, SOC 2). On-site audits will be agreed in advance, subject to confidentiality, conducted during business hours and at the requesting party's cost.
9. Return and deletion
On termination of the Service, the Customer may export Customer Data through the Service for up to 30 days. After this period, Accel Books will delete or anonymise Customer Personal Data within 90 days, unless retention is required by law (e.g. statutory accounting records).
10. Liability
Liability under this DPA is subject to the limitations and exclusions in the Terms of Service.
11. Governing law
This DPA is governed by Irish law. For Customer Personal Data subject to the UK GDPR, the UK Addendum applies and references to the GDPR include the UK GDPR as appropriate.
12. Acceptance
This DPA is automatically incorporated into and forms part of the Terms of Service when the Customer creates an account or signs an order form. A counter-signed version is available on request to legal@accelbooks.io.
