Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (the “Controller”) and Woocargo Ltd (the “Processor”) and governs the processing of personal data carried out through LedgiFlow.
Last updated: 15 June 2026
1. Definitions
“GDPR” means Regulation (EU) 2016/679 and, in Cyprus, Law 125(I)/2018. “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject” and “Sub-processor” have the meanings given in the GDPR. “Customer Data” means personal data processed by the Processor on behalf of the Controller through the service.
2. Roles and Scope
For Customer Data, the Controller determines the purposes and means of processing and LedgiFlow acts solely as Processor (Art. 4(7)–(8) GDPR). Each party will comply with its obligations under the GDPR.
3. Subject Matter, Duration, Purpose and Data Types
The Processor processes Customer Data for the duration of the subscription to provide bookkeeping, reconciliation, VAT-treatment and journal-export functionality. Categories of data may include contact details, financial and transactional data, and — where the Controller uploads it — payroll and employee data. Data subjects may include the Controller’s clients, suppliers and employees.
4. Controller Instructions
The Processor processes Customer Data only on the Controller’s documented instructions, including with regard to transfers, unless required to act otherwise by law (in which case it will inform the Controller, where legally permitted). Use of the service constitutes such instructions.
5. Processor Obligations
- ensure persons authorised to process data are bound by confidentiality;
- implement appropriate technical and organisational measures — including encryption in transit and at rest, access controls, multi-factor authentication and audit logging;
- notify the Controller without undue delay and within 72 hours of becoming aware of a personal data breach affecting Customer Data;
- assist the Controller with data-subject requests and with its obligations under Articles 32–36 GDPR; and
- on termination, return or delete Customer Data within 30 days, save where retention is required by law (up to 7 years where required by applicable law).
6. Sub-processing
The Controller authorises the Processor to engage the Sub-processors listed in Schedule 1. The Processor imposes data-protection obligations on each Sub-processor equivalent to those in this DPA and remains liable for their performance. The Processor will give at least 30 days’ notice before adding or replacing a Sub-processor, allowing the Controller to object on reasonable grounds.
7. International Transfers
Where Customer Data is transferred outside the European Economic Area, the transfer is protected by the EU Standard Contractual Clauses together with supplementary measures (for example encryption and data minimisation), consistent with the “Schrems II” ruling.
8. Audit and Inspection
The Processor makes available information necessary to demonstrate compliance with this DPA. The Controller may audit no more than once a year on at least 30 days’ notice (or more frequently if required by a supervisory authority), subject to confidentiality and minimal disruption to the service.
9. Liability
Statutory liability under the GDPR is not excluded or capped. For all other claims under this DPA, liability is subject to the limitations set out in the Terms of Service.
10. Data Protection Impact Assessments
Where processing is likely to result in a high risk to data subjects, the Processor will provide reasonable assistance to the Controller with data protection impact assessments and any prior consultation with a supervisory authority under Articles 35–36 GDPR.
11. Precedence and Changes
In the event of a conflict regarding the processing of personal data, this DPA prevails over the Terms of Service. Any changes will be made in accordance with the change process in the Terms of Service. Questions about this DPA can be sent to privacy@ledgiflow.com or by telephone on +357 22397742.
12. Schedule 1 — Sub-processor Registry
The following Sub-processors are authorised to process Customer Data. This list is kept current; material changes are notified in advance as described in section 6.
| Sub-processor | Purpose | Location |
|---|---|---|
| Oracle Cloud Infrastructure | Application hosting, compute and document storage (self-hosted object storage). | European Union (Frankfurt region) |
| Anthropic | AI document understanding — optical character recognition and structured data extraction from uploaded documents. | United States. Transfer safeguarded by SCCs |
| Brevo | Delivery of outbound account, notification and security emails. | European Union (France) |
| Stripe | Subscription billing and payment processing. | Ireland / United States. Transfer safeguarded by SCCs |
| VIES (European Commission) | Validation of EU VAT registration numbers. | European Union |
