Skip to content
Legal

Data Processing Agreement

Effective date: 30 June 2026 · Version: 1.0

This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Olimey Terms of Service (the “Terms”) between Lex Sentinel Ltd, a company registered in England and Wales (company number 17069457), registered office 13 Lyndhurst Way, London SE15 5AG, trading as Olimey (the “Processor”), and the regulated firm that accepts the Terms (the “Controller” or “your firm”).

By accepting the Terms, your firm accepts this DPA. This DPA governs the Processor’s processing of personal data relating to your firm’s own clients. Where there is any conflict between this DPA and the Terms in relation to the processing of personal data, this DPA prevails.

1. Definitions

Data Protection Laws means all laws applicable to the processing of personal data under this DPA, including the UK GDPR and the Data Protection Act 2018.

UK GDPR means the United Kingdom General Data Protection Regulation as defined in the Data Protection Act 2018.

Customer Personal Datameans the personal data relating to your firm’s clients and to any third parties whose personal data your firm submits (the “Client Content” defined in the Terms) that the Processor processes on the Controller’s behalf under the Terms. It does not include account, billing or platform-usage data relating to your firm’s authorised users, for which the Processor is the controller and which is governed by the Olimey Privacy Policy.

Sub-processor means any third party engaged by the Processor to process Customer Personal Data.

Process, processing, controller, processor, personal data, personal data breach and data subject have the meanings given in the UK GDPR.

2. Roles and scope

2.1 In respect of Customer Personal Data, your firm is the controller and the Processor is the processor, acting only on your firm’s instructions.

2.2 Your firm is responsible, as controller, for the lawfulness of the Customer Personal Data it submits, including having a lawful basis to process it, providing any required privacy information to its clients, and ensuring that any special-category data (Article 9 UK GDPR) or criminal-offence data is processed lawfully and only as necessary for the anti-money-laundering purpose.

2.3 This DPA applies for as long as the Processor processes Customer Personal Data, and continues after termination of the Terms for as long as any such processing (including permitted retention) continues.

3. Processing on documented instructions

3.1 The Processor must process Customer Personal Data only on the Controller’s documented instructions, including in relation to transfers, unless required to do otherwise by law (in which case the Processor will, where lawful, inform the Controller first).

3.2 The Controller’s documented instructions are: this DPA; the Terms; the configuration and use of the Service by the Controller and its authorised users; and any further written instructions the parties agree. The authorisation in clause 12 (anonymised data) is a documented instruction of the Controller.

3.3 The Processor must inform the Controller if, in its opinion, an instruction infringes the Data Protection Laws.

3.4 The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Schedule 1.

4. Confidentiality

4.1 The Processor must ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality and access it only on a need-to-know basis.

5. Security

5.1 Taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, the Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Schedule 2.

6. Sub-processors

6.1 The Controller gives the Processor general authorisation to engage Sub-processors to process Customer Personal Data, of the categories set out in Schedule 3.

6.2 The Processor must impose on each Sub-processor, by written contract, data-protection obligations no less protective than those in this DPA, and remains fully liable to the Controller for each Sub-processor’s performance.

6.3 The Processor must make available, on request, a current list of Sub-processors and the categories of processing they perform. The Processor must give the Controller reasonable notice of any intended addition or replacement of a Sub-processor, and the Controller may object on reasonable data-protection grounds. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Service.

7. Assistance with data subject rights

7.1 Taking into account the nature of the processing, the Processor must assist the Controller, by appropriate technical and organisational measures and insofar as possible, to respond to requests from data subjects exercising their rights under the Data Protection Laws.

7.2 If the Processor receives a request from a data subject in relation to Customer Personal Data, it must not respond directly (other than to acknowledge and redirect) and must forward the request to the Controller without undue delay.

8. Personal data breach

8.1 The Processor must notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Personal Data.

8.2 The notification must describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Where information is not all available at once, it may be provided in phases without undue further delay.

8.3 The Processor must assist the Controller in meeting the Controller’s own breach-notification and communication obligations under the Data Protection Laws.

9. Data protection impact assessments

9.1 Taking into account the nature of the processing and the information available to it, the Processor must provide reasonable assistance to the Controller with data protection impact assessments and any prior consultation with the Information Commissioner’s Office that the Controller is required to carry out.

10. International transfers

10.1 The Processor stores Customer Personal Data within the United Kingdom and performs AI inference within the European Economic Area. The Processor must not transfer Customer Personal Data outside the UK or the EEA without the Controller’s instruction and an appropriate transfer mechanism (such as the UK International Data Transfer Agreement or Standard Contractual Clauses) in place.

11. Audit and information

11.1 The Processor must make available to the Controller the information reasonably necessary to demonstrate compliance with this DPA, including by providing relevant certifications and audit reports held by its Sub-processors where the Processor is permitted to share them.

11.2 The Controller may, on at least 30 days’ written notice, no more than once in any 12-month period (unless required by a regulator or following a personal data breach), audit the Processor’s compliance with this DPA. Audits must be conducted during business hours, must not unreasonably disrupt the Processor’s operations, are subject to confidentiality, and are at the Controller’s cost. Where a relevant, recent third-party certification or report addresses the matter, the Controller will rely on it rather than conducting an on-site audit.

12. Anonymised and aggregated data

12.1 The Controller instructs and authorises the Processor to create irreversibly anonymised and aggregated data sets from Customer Personal Data processed under this DPA, and to use those data sets to operate, develop, evaluate, improve and train the Service and the Processor’s models.

12.2 Anonymisation is carried out so that data subjects are no longer identifiable and the data can no longer be attributed to any data subject. Once data has been irreversibly anonymised it no longer constitutes personal data and falls outside the Data Protection Laws, and the Processor’s use of such data is not subject to this DPA.

12.3 The Processor must not attempt to re-identify anonymised data, and must not use identifiable Customer Personal Data to train its models.

12.4 The authorisation in clause 12.1 applies by default. The Controller may exclude its matters from clause 12.1 at any time by notifying the Processor at dpo@olimey.ai (and, where available, through the Controller’s account settings). Exclusion does not affect anonymised data sets created before the exclusion took effect.

12.5 This clause records a documented instruction of the Controller for the purposes of Article 28(3)(a) UK GDPR.

13. Return and deletion

13.1 On termination of the Terms, the Processor must, at the Controller’s choice, return or delete Customer Personal Data, except to the extent the Processor or the Controller is required by law to retain it.

13.2 In particular, case records, evidence and audit-trail data are retained for six years following the end of the business relationship to which they relate, reflecting record-keeping obligations under the Money Laundering Regulations 2017 and applicable limitation periods, unless the Controller instructs a different period or a longer period is required by law. During any such retention the data remains subject to this DPA and is isolated from active processing except as required to comply with law or to establish, exercise or defend legal claims.

13.3 Anonymised data created under clause 12 is not Customer Personal Data and is not affected by this clause.

14. Liability

14.1 Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms.

15. Governing law

15.1 This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with it.

Schedule 1 — Details of processing

Subject matter:the Processor’s provision of the Service (AML, KYC and Source of Wealth checks) to the Controller.

Duration: the term of the Terms, together with any retention period required by law (see clause 13).

Nature and purpose of processing:collection and verification of identity data; collection of bank-source transaction data via an authorised open-banking provider; collection and analysis of supporting documents; AI-assisted analysis and the production of risk-rated assessments and reports for the Controller’s review; storage; audit logging; and the limited improvement and anonymisation uses set out in clause 12.

Types of personal data: identity and contact data; identity-document and biometric verification data; bank account and transaction data; financial information contained in uploaded documents (for example payslips, bank statements and gift letters); the AI-assisted assessments and reports produced; and any other personal data the Controller chooses to submit. The processing may involve financial information of a sensitive nature; the Controller is responsible for ensuring that any special-category or criminal-offence data is processed lawfully and only as necessary for the anti-money-laundering purpose.

Categories of data subjects:the Controller’s clients who are the subject of a check; and third parties whose personal data the Controller submits as part of a check (for example, persons gifting funds into a transaction).

Schedule 2 — Technical and organisational measures

The Processor maintains the following measures, appropriate to the risk:

  • Encryption. Customer Personal Data is encrypted in transit (TLS) and at rest (AES-256).
  • Access control. Access is role-based and granted on a least-privilege, need-to-know basis. Multi-factor authentication is required for administrative access. Data is isolated between firms at the database layer through row-level security.
  • Audit logging. Significant actions are recorded in append-only, tamper-evident audit logs that are protected against modification and deletion.
  • Data residency. Persistent Customer Personal Data is stored within the United Kingdom. AI inference is performed within the European Economic Area under terms that prohibit the inference provider from training its own models on the data or retaining it beyond the request.
  • Infrastructure security. The Service is hosted on infrastructure that is independently certified to SOC 2 Type II and ISO 27001. Secrets and credentials are held in secure secret management and are not exposed in client-side code.
  • Resilience. Customer Personal Data is backed up, and the Processor maintains the ability to restore the Service following an incident.
  • Personnel. Personnel with access to Customer Personal Data are bound by confidentiality obligations and receive appropriate training.

Schedule 3 — Sub-processors (by category)

The Processor engages Sub-processors in the following categories:

  • Cloud hosting and database services (United Kingdom / European Economic Area)
  • AI inference services (European Economic Area)
  • Identity verification services (authorised by the Financial Conduct Authority)
  • Open-banking services (authorised by the Financial Conduct Authority)
  • Payment-processing services

A current list of Sub-processors is available to the Controller on request.

Acceptance

This DPA is accepted by your firm when it accepts the Terms (including by ticking the acceptance box at registration) and forms part of the Terms. A counterpart of this DPA is available for signature on request for firms that require an executed copy for their records.

Lex Sentinel Ltd (trading as Olimey) — Processor
Registered office: 13 Lyndhurst Way, London SE15 5AG
Data protection: dpo@olimey.ai