Data Processing Agreement

Bess Flower Project Management LLC · Last updated: June 2026 · Version 1.0

This Data Processing Agreement (DPA) forms part of the service agreement between Bess Flower Project Management LLC (the Processor) and the client engaging our services (the Controller). It governs the processing of personal data by Bess Flower on behalf of the client and is compliant with Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable UAE data protection law.

1. Definitions

In this Agreement the following terms have the meanings set out below:

"Controller" means the client engaging Bess Flower's services, who determines the purposes and means of processing personal data.
"Processor" means Bess Flower Project Management LLC, who processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR.
"Processing" means any operation or set of operations performed on personal data, including collection, recording, organisation, storage, use, disclosure, or deletion.
"Sub-Processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
"Data Subject" means an identified or identifiable natural person to whom the personal data relates.
"Services" means the bookkeeping, financial reporting, accounting systems, and related business services provided by Bess Flower under the service agreement.
"GDPR" means the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR as retained in UK law.

2. Subject matter and duration

This DPA governs the processing of personal data by Bess Flower as Processor on behalf of the Controller in connection with the provision of the Services. It applies for the duration of the service engagement and continues until all personal data has been returned or deleted in accordance with Clause 10.

3. Nature and purpose of processing

Bess Flower processes personal data solely for the purpose of delivering the Services to the Controller. Processing activities include: recording and categorising financial transactions; reconciling bank accounts; preparing management accounts and financial reports; filing VAT returns and coordinating tax compliance (where applicable); and providing bookkeeping system setup and training.

Processing is carried out only on the documented instructions of the Controller, unless required by applicable law.

4. Categories of personal data and data subjects

Types of personal data processed

Names, job titles, and contact details of the Controller's employees, directors, and authorised signatories
Employee payroll data including salary, bank account details, and tax reference numbers
Names, addresses, and payment details of the Controller's customers and clients
Names, addresses, and banking details of the Controller's suppliers and contractors
Bank account and transaction data
Invoice, receipt, and expense data
Any other personal data contained in financial records provided to Bess Flower

Categories of data subjects

The Controller's employees and contractors
The Controller's customers and clients
The Controller's suppliers and business partners
Directors and authorised representatives of the Controller

5. Obligations of the Processor

Bess Flower agrees to the following obligations as Processor:

5.1 Processing on instructions

Bess Flower will process personal data only on the documented instructions of the Controller. If Bess Flower is required by applicable law to process data in a way that goes beyond the Controller's instructions, Bess Flower will inform the Controller of that legal requirement before processing, unless prohibited by law.

5.2 Confidentiality

Bess Flower will ensure that all persons authorised to process the personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is limited strictly to those who need it to deliver the Services.

5.3 Security

Bess Flower will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: protection against unauthorised or unlawful processing; protection against accidental loss, destruction, or damage; use of encrypted communication where appropriate; and access controls limiting who can view client financial data.

5.4 Sub-Processors

The Controller authorises Bess Flower to engage the sub-processors listed in Schedule 1 below. Bess Flower will enter into a written agreement with each sub-processor imposing equivalent data protection obligations. Bess Flower remains fully liable to the Controller for the performance of each sub-processor. Bess Flower will inform the Controller of any intended changes to sub-processors and give the Controller a reasonable opportunity to object.

5.5 Data subject rights

Bess Flower will promptly notify the Controller of any request received from a data subject exercising their rights under applicable data protection law and will assist the Controller in fulfilling those requests, to the extent reasonably practicable given the nature of the processing.

5.6 Assistance with compliance

Bess Flower will assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, including security of processing, notification of personal data breaches, and data protection impact assessments, taking into account the nature of the processing and the information available to Bess Flower.

5.7 Data breach notification

Bess Flower will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data. Notification will include, to the extent available: a description of the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences of the breach; and the measures taken or proposed to address the breach.

6. Obligations of the Controller

The Controller agrees to: provide Bess Flower with clear and lawful instructions for processing; ensure that there is a lawful basis for the processing of personal data provided to Bess Flower; notify Bess Flower promptly of any changes to the processing instructions; and ensure that data subjects whose data is provided to Bess Flower have been informed of such processing in accordance with applicable law.

7. International data transfers

Where personal data is transferred outside the country of origin, including from the EEA or UK, Bess Flower will ensure that appropriate safeguards are in place, including standard contractual clauses where required. Bess Flower's principal place of operations is Dubai, UAE. Data may be processed by sub-processors in the UAE, India (Zoho), and the USA (Netlify), each under appropriate data transfer safeguards.

8. Audit rights

Bess Flower will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Bess Flower will allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor, provided that the Controller gives reasonable prior notice and that any audit is conducted in a manner that does not unreasonably disrupt Bess Flower's operations. The costs of any audit shall be borne by the Controller.

9. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties. Nothing in this DPA excludes or limits liability that cannot be limited under applicable law.

10. Return and deletion of data

Upon termination of the Services, Bess Flower will, at the Controller's choice, delete or return all personal data to the Controller and delete any existing copies, unless applicable law requires continued storage. Where legal accounting obligations require Bess Flower to retain certain records, Bess Flower will inform the Controller of this requirement and the data will be stored securely and used only for that legal purpose.

11. Governing law

This DPA is governed by the laws of the UAE. Where the Controller is established in the European Economic Area, the GDPR shall apply to the extent that it governs the processing of personal data. Where the Controller is established in the UK, the UK GDPR shall apply accordingly.

12. Incorporation into service agreement

This DPA forms part of and is incorporated into the service agreement between Bess Flower and the Controller. In the event of any conflict between this DPA and the service agreement on matters of data protection, this DPA shall prevail.

Schedule 1: Authorised Sub-Processors

The following sub-processors are authorised to process personal data on behalf of the Controller under this DPA:

FTA-registered accountancy partner (UAE) — Bookkeeping, VAT filing, and accounting services. Located in Dubai, UAE. Bound by a separate confidentiality and data processing agreement with Bess Flower.
Netlify Inc. (USA) — Website hosting and form submission storage. Processes contact form data. Data transferred under standard contractual clauses.
Zoho Corporation (India/UAE) — Email communications (Zoho Mail) and accounting software (Zoho Books where applicable). Subject to Zoho's data processing terms.
Xero Limited (New Zealand/UK) — Cloud accounting software, where used for client bookkeeping. Subject to Xero's data processing terms.

Bess Flower will notify the Controller of any proposed changes to this list and provide a reasonable opportunity to object before any new sub-processor begins processing.

Contact

For any questions relating to this Data Processing Agreement or our data protection practices:

Bess Flower Project Management LLC
Email: info@bf-pm.com
Website: bf-pm.com
Trade Licence No: 1063174, Dubai, UAE