Data Processing Addendum (DPA)

Last updated: February 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Lookuptax (“Processor”) and the customer using Lookuptax services (“Customer” or “Controller”). This DPA reflects the requirements of applicable data protection laws, including the GDPR, and is designed for use by enterprise customers evaluating Lookuptax as a low-risk validation utility.

1. Purpose and Scope

This DPA applies to the extent Lookuptax processes Personal Data on behalf of the Customer in connection with the provision of tax or business identification number validation services. This DPA supplements the main agreement between the parties and applies only where Personal Data is subject to applicable data protection laws.

2. Roles of the Parties

The Customer acts as the Data Controller and determines the purposes and means of processing Personal Data.

Lookuptax acts solely as a Data Processor, processing Personal Data only on documented instructions from the Customer and only to provide the Lookuptax services.

Lookuptax does not act as a data controller with respect to Customer Personal Data and does not determine the purposes for which such data is processed.

3. Description of Processing

3.1 Subject Matter and Purpose

Processing of tax or business identification data for the purpose of validating tax or business identifiers on behalf of the Customer.

3.2 Categories of Personal Data

  • Country ISO code
  • Tax Identification Number (TIN) or Business Identification Number
  • Validation response from authoritative sources, which may include registered business name, registered address, and validation status

3.3 Categories of Data Subjects

  • Business entities
  • Sole proprietors or individual traders, where identifiers may constitute Personal Data

3.4 Nature of Processing

Point-in-time validation, temporary storage for operational reliability (including retries and support), and return of validation results to the Customer.

4. Customer Obligations

The Customer represents and warrants that:

  • It has the lawful right to provide Personal Data to Lookuptax for processing;
  • It has complied with applicable data protection laws in relation to the collection and disclosure of Personal Data;
  • Its instructions to Lookuptax comply with applicable data protection laws.

5. Lookuptax Obligations as Processor

Lookuptax shall:

  • Process Personal Data only on documented instructions from the Customer;
  • Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations;
  • Implement appropriate technical and organisational measures to protect Personal Data;
  • Not sell, rent, or monetise personal data processed on behalf of the Customer, or use such Personal Data for purposes other than providing the Lookuptax services. This does not affect Lookuptax’s use of customer contact information or basic website usage data for service communications and operational insights, in accordance with its privacy notice;
  • Promptly inform the Customer if an instruction infringes applicable data protection laws;
  • Assist the Customer, taking into account the nature of the processing, in fulfilling obligations related to data subject rights under applicable data protection laws.

6. Data Subject Requests

If Lookuptax receives a request from a data subject relating to Personal Data processed on behalf of the Customer, Lookuptax shall not respond directly to such request and shall forward the request to the Customer within a reasonable timeframe, providing reasonable assistance as instructed by the Customer.

7. Security Measures

Lookuptax implements appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption of data at rest using AES-256 via cloud-managed infrastructure;
  • Encryption of data in transit using HTTPS with industry-standard TLS;
  • Logical separation of customer accounts;
  • Restricted access to production systems and logs limited to a small internal team for operational and support purposes;
  • Hosting on cloud infrastructure providing physical data centre security and network protection.

8. Sub-processors

The Customer authorises Lookuptax to engage sub-processors as necessary to provide the services.

A current list of subprocessors used by Lookuptax, including their purpose and data processing locations, is available at https://www.lookuptax.com/sub-processors.

Lookuptax shall ensure that sub-processors are subject to data protection obligations no less protective than those set out in this DPA.

9. International Data Transfers

Where Personal Data is transferred outside the European Economic Area, Lookuptax shall ensure that such transfers are subject to appropriate safeguards in accordance with applicable data protection laws, including Standard Contractual Clauses where required.

10. Personal Data Breach Notification

Lookuptax shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer and shall provide reasonable information and cooperation to assist the Customer in meeting its legal obligations.

11. Data Retention, Deletion, and Return

Lookuptax retains Personal Data only for the duration necessary to provide the services and for limited operational purposes. Upon termination of the services or upon written request from the Customer, Lookuptax shall delete Personal Data from active systems within a reasonable operational timeframe, unless retention is required by law.

12. Audits and Compliance

Lookuptax shall make available information reasonably necessary to demonstrate compliance with this DPA. Any audits shall be limited to documentation review and shall not include on-site inspections or system access, unless required by applicable law.

13. Liability

Liability arising under this DPA shall be subject to the limitations of liability set out in the main agreement between the parties.

14. Governing Law and Precedence

This DPA shall be governed by the governing law specified in the main agreement. In the event of any conflict between this DPA and the main agreement, this DPA shall prevail with respect to data protection matters.

Contact for Data Protection Matters

📧 [email protected] 🏢 Kadalas Tech LLP (Lookuptax brand)