We handle sensitive data. We take that seriously.

UK accounting firms handle confidential client information. Before you work with any third party, you need to know how they handle data. Here's exactly what we do.

UK GDPR compliant by design.

Crownlark operates in full compliance with UK GDPR and the Data Protection Act 2018. As a data processor acting on behalf of your firm, we understand and take seriously our obligations under UK data protection law.

  • Your firm remains the data controller for your clients' personal data
  • Crownlark acts as a data processor under your instruction
  • We process only the data necessary to fulfil the document collection service
  • We do not sell, share, or use client data for any purpose beyond service delivery

A signed DPA before we touch any data.

Before your first document chasing sequence goes live, we sign a Data Processing Agreement (DPA) with your firm. This is a legal document that sets out:

  • What data we process on your behalf
  • How and where it is stored
  • How long it is retained
  • Your rights to audit, request deletion, and terminate processing

Download our standard DPA (PDF) →

Where your data lives.

  • All client documents uploaded through the Crownlark portal are stored on encrypted cloud infrastructure
  • Document storage is in EU/UK-region servers (Cloudflare R2 — EU region)
  • Data is encrypted at rest and in transit
  • Access to stored documents is restricted to your firm's authorised team members
  • Documents are retained for a configurable period agreed at onboarding, then securely deleted

Emails sent from your domain. Securely.

  • Crownlark sends all client-facing communications through your firm's own email domain, configured using industry-standard email authentication protocols (SPF, DKIM, DMARC) to ensure deliverability and prevent spoofing
  • At no point does Crownlark's own domain appear in communications to your clients

Access Controls

  • Crownlark team members access only the data needed to manage your specific document requests
  • Access is role-restricted and logged
  • We operate a principle of minimum necessary access at all times

We collect what's needed. Nothing more.

For each document request, we hold:

  • The client's name and email address (provided by your firm)
  • The name of the document requested
  • The upload status and timestamp

Once uploaded, documents are available only to your authorised team members.

If you have specific compliance questions — including questions relevant to ICAEW, ACCA, or other professional body requirements — contact us at:

[email protected]