Legal
Data Processing Agreement
Last updated: 14 July 2026
1. Parties and roles
This Data Processing Agreement ("DPA") is entered into between the customer firm using the BrokerLync service (the "Customer") and Virtually Branded Ltd, trading as BrokerLync ("we", "us", "our"). It forms part of, and is subject to, our Terms of Service.
BrokerLync is a trading style of Virtually Branded Ltd, a company registered in England and Wales under company number 13132922, with its registered office at 31 Sunflower Lane, Stainton, Middlesbrough, TS8 9FS.
For the purposes of the UK GDPR and the Data Protection Act 2018, the Customer is the controller of personal data submitted to the service by the Customer and its clients, and BrokerLync is the processor acting on the Customer's behalf.
2. Subject matter and duration
The subject matter of the processing is the provision of the BrokerLync service to the Customer. This DPA applies for as long as BrokerLync processes personal data on behalf of the Customer under the Terms of Service.
3. Nature and purpose of processing
We process personal data to host, secure and operate the online fact-find and client data collection features of the service, and to provide related support to the Customer.
4. Categories of data subjects and personal data
- Data subjects — the Customer's staff and advisers, and the Customer's clients and their household members where relevant.
- Personal data — contact details, identity and demographic information, employment and income details, financial and mortgage-related information, protection needs, and any other information the Customer chooses to collect through the service.
5. Processor obligations (UK GDPR Article 28)
- Documented instructions — we process personal data only on the Customer's documented instructions, including as set out in the Terms of Service and this DPA, unless required to do otherwise by law.
- Confidentiality — we ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
- Security — we implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls and two-factor authentication.
- Sub-processors — we engage vetted sub-processors to help provide the service and impose data protection obligations on them equivalent to those in this DPA. A current list of sub-processors is available on request; we will give reasonable notice of any intended changes.
- Data subject rights — we assist the Customer, taking into account the nature of the processing, in responding to requests from data subjects to exercise their rights under the UK GDPR.
- Breach notification — we notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, together with information reasonably required to meet the Customer's own notification obligations.
- Deletion or return — on termination of the service, we delete or return the Customer's personal data at the Customer's choice, save to the extent we are required by law to retain it.
6. International transfers
Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or adequacy regulations. Details are available on request.
7. Audits
We make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior notice, and subject to appropriate confidentiality obligations, we will respond to reasonable audit requests, which may be satisfied through up-to-date certifications, third-party reports or written responses to questionnaires.
8. Contact
For any questions about this DPA, please email info@brokerlync.io.