This Data Processing Agreement (“DPA”) supplements the Terms of Use between you (the “Customer” or “Controller”) and Excelerate Financial Modelling Limited (“Excelerate” or “Processor”) and applies where Excelerate processes personal data on the Customer’s behalf in connection with the Excelerate Service.
This DPA forms part of the agreement between Excelerate and any Customer subscribing to a Team plan or any plan otherwise designated by Excelerate as subject to this DPA. By subscribing to such a plan, the Customer accepts this DPA. A countersigned copy is available on request to support@exceleratefinancialmodelling.com.
1. Definitions
Capitalised terms not otherwise defined have the meaning set out in the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, or, where applicable, the EU General Data Protection Regulation (“EU GDPR”):
- Personal Data - any information relating to an identified or identifiable natural person processed by Excelerate on the Customer’s behalf
- Processing - any operation performed on Personal Data
- Controller, Processor, Subprocessor, Data Subject, Personal Data Breach - as defined in UK GDPR Article 4
- Service - the Excelerate Add-in, website, and authenticated portal
- Standard Contractual Clauses - the EU Commission Decision 2021/914 SCCs and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office
2. Roles and Scope
For Personal Data submitted by the Customer or by users authorised by the Customer through the Service, the Customer is the Controller and Excelerate is the Processor. Excelerate processes such Personal Data only:
- To provide and maintain the Service
- On documented instructions from the Customer (including those given by configuring the Service or contacting support)
- As required by applicable law, in which case Excelerate will inform the Customer of that legal requirement before processing unless prohibited from doing so
Where Excelerate determines the means and purposes of processing independently - for example, for billing, fraud prevention, and product analytics on the public website - Excelerate acts as an independent Controller and that processing is governed by the Privacy Policy, not by this DPA.
3. Subject Matter, Duration, Nature and Purpose
- Subject matter: processing of Personal Data necessary for Excelerate to provide the Service to the Customer.
- Duration: for the term of the Customer’s subscription, plus the data-retention periods set out in the Privacy Policy.
- Nature and purpose: hosting, authentication, back-up, organisation membership management, brand and template storage, support, and audit logging.
- Categories of Data Subject: Customer’s authorised users (employees, contractors, members of the Customer’s organisation).
- Categories of Personal Data: name, email address, display name, organisation membership, role, hashed credentials, product interaction events, support correspondence, and any other data the Customer chooses to submit.
Excelerate does not process spreadsheet content from the Customer. Cell values, formulas, sheet names, and workbook content remain on the Customer’s device.
4. Confidentiality
Excelerate ensures that personnel authorised to process Personal Data are bound by confidentiality obligations and have undertaken appropriate training in data protection.
5. Security Measures
Excelerate implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (HTTPS/TLS)
- Encryption of Personal Data at rest in the production database
- Role-based access controls and row-level security policies on customer data
- Principle-of-least-privilege service credentials
- Logical separation of customer organisations within the multi-tenant database
- Regular security reviews and dependency vulnerability scanning
- Audit logging for sensitive administrative actions
- Regular automated back-ups of customer data with integrity checks
- Incident-response procedures with defined notification thresholds
A detailed description of technical and organisational measures (“TOMs”) forms part of this DPA at Annex A and is available on request.
6. Subprocessors
The Customer authorises Excelerate to engage the subprocessors listed on our Subprocessors page. Excelerate ensures that each subprocessor is bound by data-protection obligations no less protective than those set out in this DPA.
Excelerate will notify the Customer of any intended addition or replacement of a subprocessor at least 30 days in advance via the notification mechanism described on the Subprocessors page. The Customer may object to the engagement on reasonable grounds within that notice period. If Excelerate is unable to address the objection, the Customer may terminate the subscription with a pro-rata refund of any pre-paid amount.
7. International Transfers
Where Personal Data is transferred outside the United Kingdom or the European Economic Area to a country not covered by an adequacy decision, Excelerate relies on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism. The transfer mechanism per subprocessor is set out on the Subprocessors page.
8. Assistance with Data Subject Requests
Excelerate will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures to fulfil its obligation to respond to requests from Data Subjects exercising rights under UK GDPR Articles 12 to 23 (access, rectification, erasure, restriction, portability, objection, automated decision-making).
Where Excelerate receives a request directly from a Data Subject of the Customer, Excelerate will, where lawful, redirect the Data Subject to the Customer.
9. Personal Data Breach Notification
Excelerate will notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting the Customer’s Personal Data. The notification will, to the extent reasonably available at the time, describe the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to address the breach.
10. Data Protection Impact Assessments and Prior Consultation
Excelerate will provide reasonable assistance to the Customer with any Data Protection Impact Assessments and prior consultations with supervisory authorities required under UK GDPR Articles 35 and 36, in each case taking into account the nature of the processing and the information available to Excelerate.
11. Audits
Excelerate will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and UK GDPR Article 28. On reasonable advance written notice and no more than once per calendar year, Excelerate will permit a Customer audit (including inspections) conducted by the Customer or an independent third-party auditor mandated by the Customer. Excelerate may satisfy this obligation by providing independent third-party audit reports (such as ISO 27001 reports obtained from its subprocessors).
12. Return or Deletion of Personal Data
On termination or expiry of the Customer’s subscription, Excelerate will, at the Customer’s choice, delete or return all Personal Data processed on the Customer’s behalf, and delete existing copies, unless retention is required by applicable law. Default behaviour is deletion within 30 days of termination, subject to back-up retention windows that do not exceed 90 days.
13. Liability
Each party’s liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms of Use.
14. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA are subject to the exclusive jurisdiction of the courts of England and Wales, except where this would deprive a Data Subject of mandatory protections under UK GDPR or applicable EU member-state law.
15. Order of Precedence
In the event of any conflict between this DPA and the Terms of Use, this DPA prevails with respect to the processing of Personal Data on the Customer’s behalf.
Contact
For DPA queries, signed-copy requests, or notification of a Personal Data Breach affecting the Customer’s Personal Data, contact support@exceleratefinancialmodelling.com.
Annex A - Technical and Organisational Measures (Summary)
- Access control: SSO via Microsoft and Google Identity Providers, role-based access in the portal, row-level security in the database
- Encryption: TLS 1.2 or higher in transit; AES-256 at rest in the production database
- Network security: WAF and DDoS protection at the edge, environment isolation between production and non-production
- Application security: static analysis (TypeScript + ESLint), dependency vulnerability scanning, content security policy on all HTML surfaces, input sanitisation on user-generated content rendered into the Add-in
- Operations: automated daily back-ups, point-in-time recovery on the database, incident-response runbook, structured audit logging for sensitive admin actions
- Personnel: confidentiality obligations on all personnel with access to Personal Data, principle-of-least-privilege credential issuance
- Subprocessor management: written DPAs with all subprocessors, public Subprocessors page, advance-notice change notifications
- Vulnerability management: production dependencies monitored via npm audit; high and critical findings addressed on a documented timeline
