Data Processing Schedule

 

Last updated: 8th March 2026


1. Types of personal data processed 

1.1 Data held on the Contractor’s systems: 

  • Client contact details (names, email addresses, phone numbers, business addresses). 

  • Financial records (purchase orders and invoices between the Contractor and the Business). 

  • System login credentials (where access is granted by the Business). 

1.2 Data accessed within the Business’s systems only (not stored on the Contractor’s systems): 

  • Customer and supplier contact details (names, email addresses, phone numbers, addresses). 

  • Employee/staff contact details (names, email addresses, phone numbers – where included in email signatures). 

  • Business correspondence and communications. 

  • Financial information (sales invoices, accounting reports, bookkeeping records). 

1.3 Email inbox access and management: 

  • Monitoring, retrieving, opening and consulting emails in named inboxes, triaging and prioritising messages, and taking actions such as filing, flagging, forwarding or deletion in line with the Business’s documented instructions and email policies. 

1.4 Calendar and correspondence management: 

  • Drafting, sending and replying to emails on behalf of the Business using agreed templates and instructions, and managing calendar invitations and meeting requests sent via email. 

 

2. Categories of data subject 

  • The Business (client organisation and key contacts). 

  • The Business’s customers and clients. 

  • The Business’s suppliers and contractors. 

  • The Business’s employees and staff members. 

 

3. Scope, nature and purpose of processing 

3.1 The Contractor processes personal data solely for the purpose of providing virtual assistant services to the Business, including: 

  • Email management and correspondence. 

  • Diary and appointment management. 

  • Bookkeeping, invoice processing and financial administration. 

  • Customer service support. 

  • Project coordination and administrative support. 

  • Document management and filing. 

  • General administrative tasks as agreed from time to time. 

In addition, the Contractor may process limited personal data relating to the Business and, where applicable, its owners, officers or authorised contacts as necessary to comply with Anti‑Money Laundering and related legal obligations, including identity verification and ongoing monitoring, in accordance with the Contractor’s AML policies, controls and procedures. 

 

4. Duration of processing 

4.1 Personal data will be processed for the duration of this Agreement and for such period thereafter as is necessary to: 

  • complete any outstanding administrative tasks; 

  • comply with the Contractor’s legal obligations (including accounting and tax requirements); and 

  • resolve any disputes. 

4.2 The Contractor will retain the Business’s contact details and financial records (invoices, purchase orders) for a period of 7 years following termination of this Agreement, in accordance with HMRC requirements. All other personal data will be securely deleted or returned to the Business within 30 days of termination unless otherwise agreed. 

 

5. Technical and organisational measures

5.1 Access control 

  • Password‑protected devices and systems. 

  • Unique user credentials for all systems. 

  • Multi‑factor authentication where available. 

  • Access to the Business’s systems only via authorised login credentials. 

5.2 Data storage and transfer 

  • All devices encrypted (e.g. BitLocker encryption on the C drive). 

  • Secure file transfer methods (such as password‑protected documents where required). 

  • Any files downloaded from the Business’s systems are stored in a dedicated client folder with restricted access and deleted immediately after use. 

  • No storage of the Business’s customer/employee data on the Contractor’s local systems, unless strictly necessary and agreed. 

5.3 Software and security 

  • Operating system and software kept up to date with the latest security patches. 

  • Anti‑malware protection enabled. 

  • Secure, password‑protected email and system accounts. 

5.4 Physical security 

  • Devices secured with PIN protection and Microsoft account (or equivalent) authentication. 

  • Devices locked when not in use. 

  • Work conducted in a secure, private workspace. 

  • No unauthorised access to devices or data. 

5.5 Data minimisation 

  • Only personal data necessary for the Services is accessed or processed. 

  • Data accessed within the Business’s systems remains in those systems wherever possible. 

  • Personal data is not copied or downloaded unless strictly necessary for the task. 

5.6 Confidentiality 

  • All personnel accessing personal data are bound by confidentiality obligations. 

  • Personal data is not shared with third parties without explicit permission from the Business, except where required by law. 

5.7 Incident response 

  • Any suspected personal data breach affecting personal data processed under this Agreement (including data contained in email inboxes and email systems) will be reported to the Business without undue delay and, wherever possible, within 24 hours of the Contractor becoming aware of it. 
