This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer," "Controller," or "you") and Ledgers Technology, Inc. ("Ledgers," "Processor," or "we") for the provision of the Ledgers platform and services. This DPA applies where and to the extent that Ledgers processes Personal Data on behalf of Customer in providing the services.
This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection legislation (collectively, "Data Protection Laws").
1. Definitions
In this DPA, the following terms have the meanings set out below.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data, which in the context of this DPA is the Customer.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Ledgers on behalf of Customer in connection with the services.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller, which in the context of this DPA is Ledgers.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
- "Sub-processor" means any third party engaged by Ledgers to Process Personal Data on behalf of Customer.
2. Roles and Responsibilities
2.1 Controller Responsibilities
Customer, as the Controller, is responsible for: (a) determining the purposes and means of Processing Personal Data; (b) ensuring that there is a valid legal basis for the Processing of Personal Data; (c) ensuring that Personal Data provided to Ledgers is accurate, complete, and lawfully collected; (d) complying with all applicable Data Protection Laws; and (e) ensuring that any instructions given to Ledgers comply with applicable Data Protection Laws.
2.2 Processor Responsibilities
Ledgers, as the Processor, is responsible for: (a) Processing Personal Data only in accordance with Customer's documented instructions; (b) implementing appropriate technical and organizational measures to ensure the security of Personal Data; (c) assisting Customer in meeting its obligations under Data Protection Laws; (d) notifying Customer of any Personal Data Breaches; and (e) engaging Sub-processors only in accordance with the terms of this DPA.
3. Scope of Processing
3.1 Subject Matter and Purpose
The subject matter of the Processing is the provision of the Ledgers platform and related services. The purpose includes storing and organizing Customer's financial data, generating insights, reports, and visualizations, synchronizing data with connected third-party integrations, providing customer support, and maintaining the security and integrity of the services.
3.2 Duration of Processing
Ledgers will Process Personal Data for the duration of the Agreement. Upon termination or expiration, Ledgers will handle Personal Data in accordance with Section 11 of this DPA.
3.3 Nature of Processing
Processing activities include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, alignment, combination, restriction, and erasure or destruction of Personal Data in connection with the services.
4. Types of Personal Data and Data Subjects
4.1 Categories of Personal Data
The categories of Personal Data Processed under this DPA may include:
- Contact information (names, email addresses, phone numbers, addresses)
- Professional information (job titles, company names, business contact details)
- Account credentials and authentication data
- Financial information (transaction records, account balances, invoices, payment information)
- Usage data and analytics (interactions with the platform, feature usage, preferences)
- Device and technical information (IP addresses, browser type, device identifiers)
- Communication content (support inquiries, feedback, correspondence)
4.2 Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be Processed include:
- Customer's employees, contractors, and authorized users
- Customer's clients, customers, and business contacts
- Customer's vendors, suppliers, and service providers
- Other individuals whose Personal Data is included in Customer's financial records or connected data sources
5. Processing Instructions
Ledgers will Process Personal Data only in accordance with Customer's documented instructions. If Ledgers believes that any instruction from Customer infringes Data Protection Laws, Ledgers will promptly notify Customer.
6. Confidentiality Obligations
Ledgers ensures that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations. Ledgers restricts access to Personal Data to those personnel who require access to perform their duties, and implements role-based access controls and the principle of least privilege.
7. Security Measures
7.1 Technical Measures
- Encryption: Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Multi-factor authentication, role-based access controls, unique user identification, and automatic session timeouts.
- Network Security: Firewalls, intrusion detection and prevention systems, DDoS protection, and network segmentation.
- Application Security: Secure software development practices, code reviews, vulnerability scanning, and penetration testing.
- Monitoring: Real-time security monitoring, logging, and alerting for suspicious activities.
- Backup and Recovery: Regular automated backups, disaster recovery procedures, and business continuity planning.
7.2 Organizational Measures
- Policies and Procedures: Documented information security policies, procedures, and standards.
- Training: Regular security awareness training for all personnel with access to Personal Data.
- Incident Response: Documented incident response procedures and a dedicated incident response team.
- Vendor Management: Due diligence and ongoing monitoring of Sub-processors and vendors.
- Physical Security: Data centers with physical access controls, surveillance, and environmental protections.
- Audits: Regular internal and third-party security audits and assessments.
8. Sub-processors
8.1 Authorization to Engage Sub-processors
Customer provides general authorization for Ledgers to engage Sub-processors to Process Personal Data. Ledgers maintains a list of current Sub-processors available upon request.
8.2 Notification of Changes
Ledgers will notify Customer at least thirty (30) days in advance of any intended addition or replacement of Sub-processors, providing Customer the opportunity to object. If no solution can be found, Customer may terminate the affected services without penalty.
8.3 Sub-processor Agreements
Ledgers enters into written agreements with each Sub-processor that impose data protection obligations no less protective than those set forth in this DPA. Ledgers remains fully liable to Customer for the performance of its Sub-processors' obligations.
9. International Transfers
9.1 Transfers Outside the EEA/UK
Customer acknowledges that Ledgers may transfer Personal Data to countries outside the European Economic Area, United Kingdom, or Switzerland. Where such transfers occur, Ledgers ensures that appropriate safeguards are in place.
9.2 Standard Contractual Clauses
Where required by Data Protection Laws, Ledgers relies on Standard Contractual Clauses approved by the European Commission as the mechanism for lawful transfer of Personal Data to third countries.
9.3 Supplementary Measures
In addition to the SCCs, Ledgers implements supplementary technical and organizational measures including encryption, access controls, and data minimization practices.
10. Personal Data Breach Notification
In the event of a Personal Data Breach, Ledgers will notify Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification will include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of Ledgers' point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
11. Data Subject Requests
Where Ledgers receives a request from a Data Subject to exercise rights under Data Protection Laws, Ledgers will promptly notify Customer within five (5) business days and provide reasonable assistance to Customer in responding to such requests.
12. Audits and Compliance
12.1 Audit Reports
Upon Customer's written request, Ledgers will make available information necessary to demonstrate compliance with this DPA, including copies of relevant third-party audit reports subject to confidentiality obligations.
12.2 Customer Audits
Customer may, with at least thirty (30) days' advance notice, conduct audits to verify Ledgers' compliance with this DPA, no more than once per year and subject to confidentiality obligations.
13. Termination and Data Deletion
13.1 Data Return and Export
Upon termination of the Agreement, Ledgers will provide Customer with the ability to export Personal Data in a structured, machine-readable format. Customer has thirty (30) days from the date of termination to request such export.
13.2 Data Deletion
Following the export period, Ledgers will delete all Personal Data Processed on behalf of Customer within ninety (90) days, unless applicable law requires retention.
13.3 Certification
Upon Customer's written request, Ledgers will provide written certification that Personal Data has been deleted in accordance with this Section.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.
15. Miscellaneous
Conflicts. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters relating to data protection.
Amendments. Ledgers may update this DPA from time to time to reflect changes in Data Protection Laws or our practices. Material changes will be notified to Customer in accordance with the Agreement.
Severability. If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
Governing Law. This DPA shall be governed by the same law that governs the Agreement, unless Data Protection Laws require otherwise.
16. Contact Information
For questions about this DPA or to request a signed copy, please contact:
Ledgers Technology, Inc.
Email: legal@getledgers.com
Address: New York, USA
