This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer," "Controller," or "you") and Ledgers Technology, Inc. ("Ledgers," "Processor," or "we") for the provision of the Ledgers platform and services (the "Agreement"). This DPA applies where and to the extent that Ledgers processes Personal Data on behalf of Customer in providing the services.
This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection legislation (collectively, "Data Protection Laws").
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein have the meanings given to them in the Agreement.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data, which in the context of this DPA is the Customer.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Ledgers on behalf of Customer in connection with the services.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Ledgers.
- "Processing" (and its cognates "Process" and "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller, which in the context of this DPA is Ledgers.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as may be amended or replaced from time to time.
- "Sub-processor" means any third party engaged by Ledgers to Process Personal Data on behalf of Customer.
2. Roles and Responsibilities
2.1 Controller Responsibilities
Customer, as the Controller, is responsible for: (a) determining the purposes and means of Processing Personal Data; (b) ensuring that there is a valid legal basis for the Processing of Personal Data, including obtaining any necessary consents from Data Subjects; (c) ensuring that Personal Data provided to Ledgers is accurate, complete, and lawfully collected; (d) complying with all applicable Data Protection Laws with respect to the collection, use, and Processing of Personal Data; (e) implementing appropriate data governance policies and procedures; and (f) ensuring that any instructions given to Ledgers comply with applicable Data Protection Laws.
2.2 Processor Responsibilities
Ledgers, as the Processor, is responsible for: (a) Processing Personal Data only in accordance with Customer's documented instructions and the terms of this DPA; (b) implementing appropriate technical and organizational measures to ensure the security of Personal Data; (c) assisting Customer in meeting its obligations under Data Protection Laws; (d) notifying Customer of any Personal Data Breaches; (e) ensuring that persons authorized to Process Personal Data are bound by confidentiality obligations; and (f) engaging Sub-processors only in accordance with the terms of this DPA.
3. Scope of Processing
3.1 Subject Matter and Purpose
The subject matter of the Processing is the provision of the Ledgers platform and related services as described in the Agreement. The purpose of the Processing is to enable Customer to use the services, including but not limited to: storing and organizing Customer's financial data; generating insights, reports, and visualizations; synchronizing data with connected third-party integrations; providing customer support; and maintaining the security and integrity of the services.
3.2 Duration of Processing
Ledgers will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Upon termination or expiration of the Agreement, Ledgers will handle Personal Data in accordance with Section 13 (Termination and Data Deletion) of this DPA.
3.3 Nature of Processing
The nature of Processing activities includes: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, alignment, combination, restriction, and erasure or destruction of Personal Data in connection with the services. Processing may be performed by automated means.
4. Types of Personal Data and Data Subjects
4.1 Categories of Personal Data
The categories of Personal Data Processed under this DPA may include:
- Contact information (names, email addresses, phone numbers, addresses)
- Professional information (job titles, company names, business contact details)
- Account credentials and authentication data
- Financial information (transaction records, account balances, invoices, payment information)
- Usage data and analytics (interactions with the platform, feature usage, preferences)
- Device and technical information (IP addresses, browser type, device identifiers)
- Communication content (support inquiries, feedback, correspondence)
4.2 Categories of Data Subjects
The categories of Data Subjects whose Personal Data may be Processed include:
- Customer's employees, contractors, and authorized users
- Customer's clients, customers, and business contacts
- Customer's vendors, suppliers, and service providers
- Other individuals whose Personal Data is included in Customer's financial records or connected data sources
5. Processing Instructions
Ledgers will Process Personal Data only in accordance with Customer's documented instructions. Customer's initial instructions are set forth in the Agreement, this DPA, and Customer's use and configuration of the services. Customer may provide additional instructions consistent with the Agreement through the designated account interface or by written notice to Ledgers.
If Ledgers believes that any instruction from Customer infringes Data Protection Laws, Ledgers will promptly notify Customer. Ledgers will not be required to comply with instructions that, in Ledgers' reasonable opinion, would cause Ledgers to violate applicable law. If Ledgers is required by applicable law to Process Personal Data other than in accordance with Customer's instructions, Ledgers will notify Customer of such requirement before Processing, unless prohibited by law from doing so.
6. Confidentiality Obligations
Ledgers ensures that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory. Ledgers maintains written confidentiality agreements with all employees, contractors, and agents who may have access to Personal Data. These confidentiality obligations survive the termination of employment or engagement.
Ledgers restricts access to Personal Data to those personnel who require access to perform their duties in connection with the services. Ledgers implements role-based access controls and the principle of least privilege to limit access to Personal Data. All access to Personal Data is logged and monitored.
7. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Ledgers implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include:
7.1 Technical Measures
- Encryption: Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
- Access Controls: Multi-factor authentication, role-based access controls, unique user identification, and automatic session timeouts.
- Network Security: Firewalls, intrusion detection and prevention systems, DDoS protection, and network segmentation.
- Application Security: Secure software development practices, code reviews, vulnerability scanning, and penetration testing.
- Monitoring: Real-time security monitoring, logging, and alerting for suspicious activities.
- Backup and Recovery: Regular automated backups, disaster recovery procedures, and business continuity planning.
7.2 Organizational Measures
- Policies and Procedures: Documented information security policies, procedures, and standards.
- Training: Regular security awareness training for all personnel with access to Personal Data.
- Incident Response: Documented incident response procedures and a dedicated incident response team.
- Vendor Management: Due diligence and ongoing monitoring of Sub-processors and vendors.
- Physical Security: Data centers with physical access controls, surveillance, and environmental protections.
- Audits: Regular internal and third-party security audits and assessments.
8. Sub-processors
8.1 Authorization to Engage Sub-processors
Customer provides general authorization for Ledgers to engage Sub-processors to Process Personal Data. Ledgers maintains a list of current Sub-processors, which is available upon request. The list includes the Sub-processor's name, the nature of the processing, and the location of processing.
8.2 Notification of Changes
Ledgers will notify Customer at least thirty (30) days in advance of any intended addition or replacement of Sub-processors, providing Customer the opportunity to object. If Customer objects to a new Sub-processor on reasonable grounds related to data protection, Customer and Ledgers will work together in good faith to find a mutually acceptable solution. If no solution can be found, Customer may terminate the affected services without penalty.
8.3 Sub-processor Agreements
Ledgers enters into written agreements with each Sub-processor that impose data protection obligations no less protective than those set forth in this DPA. These agreements require Sub-processors to implement appropriate technical and organizational measures and to Process Personal Data only in accordance with Ledgers' instructions. Ledgers remains fully liable to Customer for the performance of its Sub-processors' obligations.
9. International Transfers
9.1 Transfers Outside the EEA/UK
Customer acknowledges that Ledgers may transfer Personal Data to countries outside the European Economic Area, United Kingdom, or Switzerland that may not provide an adequate level of data protection as determined by the European Commission or other relevant authority. Where such transfers occur, Ledgers ensures that appropriate safeguards are in place to protect Personal Data.
9.2 Standard Contractual Clauses
Where required by Data Protection Laws, Ledgers relies on the Standard Contractual Clauses approved by the European Commission (and the UK Addendum where applicable) as the mechanism for lawful transfer of Personal Data to third countries. By entering into this DPA, the parties agree to be bound by the SCCs, which are incorporated by reference. For transfers subject to the SCCs: (a) Ledgers acts as the data importer and Customer acts as the data exporter; (b) Module Two (Controller to Processor) applies; and (c) the details required by the SCCs are set forth in this DPA and its annexes.
9.3 Supplementary Measures
In addition to the SCCs, Ledgers implements supplementary technical and organizational measures to ensure the protection of Personal Data during international transfers, including encryption, access controls, and data minimization practices.
10. Personal Data Breach Notification
In the event of a Personal Data Breach, Ledgers will: (a) notify Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects; and (b) provide Customer with sufficient information to enable Customer to meet its obligations to notify supervisory authorities and Data Subjects, as required by Data Protection Laws.
The notification will include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of Ledgers' point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
Ledgers will cooperate with Customer in investigating and remediating any Personal Data Breach. Ledgers will document all Personal Data Breaches, including the facts surrounding the breach, its effects, and the remedial actions taken, and will make such documentation available to Customer upon request.
11. Data Subject Requests
Where Ledgers receives a request from a Data Subject to exercise rights under Data Protection Laws (such as access, rectification, erasure, restriction, portability, or objection), Ledgers will: (a) promptly, and in any event within five (5) business days, notify Customer of the request; (b) not respond directly to the Data Subject unless authorized by Customer or required by applicable law; and (c) provide reasonable assistance to Customer in responding to such requests.
Customer is responsible for responding to Data Subject requests. Ledgers provides functionality within the services that enables Customer to access, correct, export, and delete Personal Data. Where Customer cannot fulfill a Data Subject request using the self-service functionality, Ledgers will provide reasonable assistance upon request.
12. Audits and Compliance
12.1 Audit Reports
Upon Customer's written request, Ledgers will make available to Customer information necessary to demonstrate compliance with this DPA. This may include: (a) copies of relevant third-party audit reports (such as SOC 2 Type II reports), subject to confidentiality obligations; (b) responses to reasonable security questionnaires; and (c) documentation of Ledgers' security policies and procedures.
12.2 Customer Audits
Customer may, with reasonable advance notice (at least thirty (30) days) and during normal business hours, conduct audits or inspections to verify Ledgers' compliance with this DPA, subject to the following conditions: (a) audits shall be conducted no more than once per year, unless required by a supervisory authority or following a Personal Data Breach; (b) Customer shall provide a detailed audit plan and scope in advance; (c) audits shall be conducted in a manner that minimizes disruption to Ledgers' operations; (d) Customer shall bear its own costs for conducting audits; and (e) Customer and its auditors shall be bound by confidentiality obligations.
13. Termination and Data Deletion
13.1 Data Return and Export
Upon termination or expiration of the Agreement, or upon Customer's written request, Ledgers will provide Customer with the ability to export Personal Data in a structured, commonly used, machine-readable format (such as CSV or JSON). Customer has thirty (30) days from the date of termination to request such export.
13.2 Data Deletion
Following termination of the Agreement and the expiration of the export period, or upon Customer's written request, Ledgers will delete all Personal Data Processed on behalf of Customer, including any copies, backups, or archives, within ninety (90) days, unless: (a) applicable law requires retention of the data; (b) retention is necessary to establish, exercise, or defend legal claims; or (c) the data has been anonymized or aggregated such that it can no longer be attributed to any Data Subject.
13.3 Certification
Upon Customer's written request, Ledgers will provide written certification that Personal Data has been deleted in accordance with this Section.
14. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party's liability with respect to: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded or limited by applicable law.
15. Miscellaneous
Conflicts. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters relating to data protection.
Amendments. Ledgers may update this DPA from time to time to reflect changes in Data Protection Laws or our practices. Material changes will be notified to Customer in accordance with the Agreement.
Severability. If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.
Governing Law. This DPA shall be governed by the same law that governs the Agreement, unless Data Protection Laws require otherwise.
16. Contact Information
For questions about this DPA or to request a signed copy, please contact:
Ledgers Technology, Inc.
Email: legal@getledgers.com
DPO Email: dpo@getledgers.com
Address: New York, USA