Data Processing Agreement

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person that is processed by LedgerUp on behalf of the Controller.
• “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• “Data Subject” means the individual to whom Personal Data relates.
• “Sub-processor” means a third party engaged by LedgerUp to process Personal Data on behalf of the Controller.

2. Scope of Processing

LedgerUp will process Personal Data only as necessary to provide the services described in the underlying agreement and in accordance with the Controller's documented instructions. The categories of data processed may include contact information, billing data, contract details, and usage information. Processing activities include storing, organizing, retrieving, and transmitting data as required to deliver our platform services.

3. Data Processor Obligations

As a Data Processor, LedgerUp shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Assist the Controller in ensuring compliance with data protection obligations
• Delete or return all Personal Data upon termination of the agreement, at the Controller's choice
• Make available all information necessary to demonstrate compliance with this DPA

4. Sub-processors

LedgerUp may engage Sub-processors to assist in providing the services. A current list of Sub-processors is available at /legal/sub-processor-list. LedgerUp will notify the Controller of any intended changes to Sub-processors, providing the Controller an opportunity to object. LedgerUp will ensure that Sub-processors are bound by data protection obligations no less protective than those in this DPA.

5. Data Subject Rights

LedgerUp will assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection laws. This includes requests for access, rectification, erasure, restriction, portability, and objection. LedgerUp will promptly notify the Controller if it receives a request directly from a Data Subject.

6. Security Measures

LedgerUp implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and multi-factor authentication
• Regular security assessments and penetration testing
• Continuous monitoring and logging of system access
• SOC 2 Type II certified infrastructure

7. Data Breach Notification

LedgerUp will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach. The notification will include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

8. Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), LedgerUp will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms. LedgerUp primarily processes data in the United States.

9. Term and Termination

This DPA shall remain in effect for the duration of the underlying services agreement. Upon termination, LedgerUp will, at the Controller's election, delete or return all Personal Data within 30 days, unless retention is required by applicable law. LedgerUp will certify deletion upon request.