Data Processing Agreement

Last updated: July 16, 2026

DRAFT — pending legal review. This DPA is a working draft prepared to fulfill the commitment in our Data & Compliance summary. It must be reviewed and finalized by qualified counsel (and, for EEA/UK transfers, checked against the current Standard Contractual Clauses) before execution. Bracketed items marked [TBD] require confirmation.

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between LedgerBeaver, Inc. ("LedgerBeaver," "Processor") and the customer entity ("Customer," "Controller") that uses the Service. It governs LedgerBeaver's processing of Personal Data on Customer's behalf. Where this DPA conflicts with the Agreement on data-protection matters, this DPA controls.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. "Personal Data," "Controller," "Processor," "Data Subject," "Processing," and "Supervisory Authority" have the meanings in the EU General Data Protection Regulation (GDPR). "Customer Data" means data Customer submits to the Service. "Data Protection Laws" means all privacy and data-protection laws applicable to a party's processing, including the GDPR, UK GDPR, and US state privacy laws such as the CCPA/CPRA. "Personal Data" under this DPA is the subset of Customer Data that identifies or relates to an identifiable individual.

2. Roles of the parties

For Personal Data contained in Customer Data, Customer is the Controller (or a processor acting for another controller) and LedgerBeaver is the Processor. LedgerBeaver processes such Personal Data only to provide and support the Service. LedgerBeaver is an independent Controller for a limited set of data it needs to run its business — account registration details, billing records, and Service usage/security logs — which it processes under its Privacy Policy.

3. Scope and processing instructions

LedgerBeaver will process Personal Data only: (a) to provide the Service in accordance with the Agreement; (b) as further documented in Customer's use and configuration of the Service; and (c) as otherwise instructed in writing by Customer, where consistent with the Service. The subject-matter, duration, nature, and purpose of processing, and the categories of Personal Data and Data Subjects, are described in Annex A. LedgerBeaver will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

No sale; no advertising; no model training. LedgerBeaver does not sell or share Personal Data, does not process it for cross-context behavioral advertising, and does not use Customer Data to train machine-learning or AI models. These are commitments made under this DPA and in our Data & Compliance statement.

4. Confidentiality

LedgerBeaver ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and process Personal Data only on a need-to-know basis.

5. Security measures

LedgerBeaver implements and maintains appropriate technical and organizational measures to protect Personal Data, described in Annex B. These include, at minimum:

6. Sub-processors

Customer provides general authorization for LedgerBeaver to engage the sub-processors listed in Annex A to process Personal Data. LedgerBeaver: (a) imposes data-protection obligations on each sub-processor no less protective than those in this DPA; (b) remains liable for each sub-processor's performance; and (c) will give Customer advance notice of any intended addition or replacement of a sub-processor that processes Personal Data, giving Customer the opportunity to object on reasonable data-protection grounds. If Customer reasonably objects and the parties cannot resolve the objection, Customer may terminate the affected Service as its exclusive remedy.

7. Assistance with data-subject rights

Taking into account the nature of the processing, LedgerBeaver will assist Customer, by appropriate technical and organizational measures and insofar as possible, in responding to Data Subject requests to exercise their rights (access, correction, deletion, portability, restriction, objection). Where a Data Subject contacts LedgerBeaver directly regarding data LedgerBeaver processes for Customer, LedgerBeaver will refer them to Customer. Customer can also action many of these requests directly through the Service's export and account-deletion features.

8. Personal-data breach notification

LedgerBeaver will notify Customer without undue delay, and in any event within [TBD — e.g., 72] hours of becoming aware of a Personal Data breach affecting Customer's Personal Data. The notice will describe the nature of the breach, the categories and approximate number of Data Subjects and records affected (to the extent known), the likely consequences, and the measures taken or proposed. LedgerBeaver will reasonably assist Customer with its own breach-notification obligations.

9. International data transfers

LedgerBeaver processes and stores Customer Data on US-based infrastructure. Where LedgerBeaver processes Personal Data originating in the EEA, UK, or Switzerland, the parties agree that the applicable Standard Contractual Clauses (SCCs) — and the UK International Data Transfer Addendum where relevant — are incorporated into this DPA by reference and completed using the details in Annex A. [TBD: attach the operative SCC module and confirm transfer mechanism with counsel.]

10. Audits

LedgerBeaver will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable prior written notice, and no more than once per year (unless required by a Supervisory Authority or following a breach), Customer may audit LedgerBeaver's compliance, which may be satisfied by LedgerBeaver providing a then-current third-party audit report or security documentation (for example, a SOC 2 report once available) in lieu of an on-site audit.

11. Return and deletion of data

On termination or expiry of the Agreement, LedgerBeaver will, at Customer's choice, delete or return Customer's Personal Data, and delete existing copies within a commercially reasonable period, except to the extent retention is required by law. Customer can export its data from the Service at any time before termination. Certain immutable audit records may be retained where required to preserve the integrity of the financial ledger and to meet legal record-keeping obligations; such records are retained only for as long as required and remain protected under this DPA.

12. US state privacy laws (Service Provider terms)

To the extent the CCPA/CPRA or a comparable US state law applies, LedgerBeaver acts as a "service provider" (or "processor"/"contractor") and: (a) will not sell or share Personal Data; (b) will not retain, use, or disclose Personal Data outside the direct business relationship or for any purpose other than providing the Service; (c) will not combine Personal Data with data from other sources except as permitted; and (d) certifies that it understands and will comply with these restrictions.

Annex A — Details of processing

Subject matterProvision of the LedgerBeaver AP/AR/GL finance platform and MCP server.
DurationThe term of the Agreement plus any legally required retention period.
Nature & purposeHosting, storing, and processing financial and business records to deliver bookkeeping, invoicing, approvals, and ledger functionality.
Categories of data subjectsCustomer's authorized users; Customer's vendors, customers, and contacts named in invoices and records.
Categories of personal dataNames, business contact details, email addresses, and transaction/invoice details. Bank connectivity metadata via Plaid; payment-card last-four via Stripe. LedgerBeaver does not intend to process special-category data.
Sub-processorsStripe (payments), Plaid (bank connectivity), Supabase (database/auth hosting), Railway (application hosting), Cloudflare (edge/CDN/security), Resend (transactional email). [TBD: confirm and maintain the authoritative list in the Privacy Policy.]

Annex B — Technical & organizational measures

Encryption in transit (TLS 1.2+) and at rest (AES-256); database-level row-level security for tenant isolation; scoped and revocable API/agent tokens; least-privilege production access with logging; hash-chained tamper-evident financial audit log; secure software-development and dependency practices; incident-response process; sub-processor due diligence. A more detailed description is available to customers on request under NDA.

To request a countersigned copy of this DPA for your organization, email legal@ledgerbeaver.com. This draft does not replace advice from your own counsel.