Data Processing Agreement

Last updated: 30 June 2026

This page sets out the terms on which Ferguson Technologies Ltd (“Processor”, “we”) processes personal data on behalf of a Firm using FT ClientFlow (“Controller”, “you”), in accordance with Article 28 of the UK GDPR. It applies automatically alongside our Terms of Service for any Firm that uploads or enters client personal data into the platform.

For a signed, countersigned copy for your firm’s compliance file, contact hello@fergusontech.co.uk.

1. Subject matter and duration

We process personal data on your behalf for the duration of your subscription to FT ClientFlow, for the purpose of providing the practice management platform you have subscribed to.

2. Nature and purpose of processing

We process client personal data to store, organise, and make available the records, documents, and communications you enter into the platform, and to generate AI-assisted outputs (such as suitability reports and meeting summaries) that you request.

3. Categories of data subjects

The clients, prospective clients, and connected individuals (e.g. joint account holders) of your Firm.

4. Categories of personal data

Names, contact details, financial and investment information, risk profiles, meeting notes, and documents uploaded by your Firm in the course of using the platform.

5. Processor obligations

  • Process personal data only on your documented instructions, including with regard to international transfers.
  • Ensure persons authorised to process the data are subject to confidentiality obligations.
  • Implement appropriate technical and organisational measures, as described in our Security page.
  • Engage sub-processors only with your general authorisation, and impose equivalent data protection obligations on them by contract.
  • Assist you in responding to data subject rights requests and regulatory enquiries relating to data we process on your behalf.
  • Notify you without undue delay after becoming aware of a personal data breach affecting your data.
  • Delete or return personal data at the end of the provision of services, except where retention is required by law.
  • Make available information necessary to demonstrate compliance with this Agreement.

6. Sub-processors

The current list of sub-processors is set out in our Privacy Policy and Security page. We will notify Firms of any intended changes to this list with the opportunity to object on reasonable grounds.

7. International transfers

Where personal data is transferred outside the UK to a sub-processor, we rely on UK adequacy regulations or the UK International Data Transfer Addendum to ensure an equivalent standard of protection.

8. Audit

On reasonable written notice, we will provide information reasonably necessary to demonstrate compliance with this Agreement, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and scheduling constraints.

9. Status of this document

This page is a good-faith standard-form template provided for convenience and has not been independently reviewed by external legal counsel. It does not constitute legal advice. Enterprise customers requiring a bespoke or countersigned Data Processing Agreement should contact hello@fergusontech.co.uk.