Data Processing Agreement
Last updated: March 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Double A Labs LLC, doing business as Ledgit ("Processor", "we", "us"), and the entity agreeing to these terms ("Controller", "you", "Customer"). This DPA applies to the extent that we process Personal Data on your behalf in providing the Service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR, CCPA, and other applicable regulations.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Security Incident" means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Roles
This DPA applies to Personal Data that you submit to the Service and that we process on your behalf. In this context:
- You are the Data Controller who determines the purposes and means of processing Personal Data.
- We are the Data Processor who processes Personal Data on your behalf according to your instructions.
- The subject matter of the processing is the provision of the Ledgit bookkeeping and accounting services.
- The duration of processing is for the term of your use of the Service plus any retention period required by law.
3. Categories of Data
Personal Data Processed
- Contact information (names, emails, addresses)
- Financial transaction data
- Bank account information
- Invoice and billing records
- Business identifiers (tax IDs)
Categories of Data Subjects
- Your employees and team members
- Your customers and clients
- Your vendors and suppliers
- Your contractors
- Other business contacts
4. Processing Instructions
We will process Personal Data only in accordance with your documented instructions, which include:
- Processing to provide, maintain, and improve the Service
- Processing to comply with your other reasonable instructions consistent with the Terms of Service
- Processing as required by applicable law (in which case we will inform you of that legal requirement before processing, unless prohibited by law)
If we believe that any instruction violates Data Protection Laws, we will promptly notify you and await further instructions.
5. Confidentiality
We will ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. We will ensure that access to Personal Data is limited to those personnel who need access to perform the Service.
6. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience
- Ability to restore availability and access to Personal Data in a timely manner
- Regular testing and evaluation of security measures
- Row-level security ensuring logical separation of customer data
- Access controls and authentication mechanisms
- Regular security assessments and monitoring
For more details, please review our Security page.
7. Sub-processors
You authorize us to engage Sub-processors to process Personal Data. We maintain an up-to-date list of Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | USA |
| Vercel | Application hosting | USA/Global |
| Plaid | Bank data aggregation | USA |
| Stripe | Payment processing | USA |
| Anthropic | AI categorization | USA |
We will notify you before adding or replacing Sub-processors, giving you the opportunity to object. We will impose data protection obligations on Sub-processors that are substantially similar to those in this DPA.
8. Data Subject Rights
We will assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access to their Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
If we receive a request directly from a Data Subject, we will promptly inform you unless prohibited by law.
9. Security Incidents
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting your Personal Data. The notification will include:
- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of our data protection contact
- Description of likely consequences
- Description of measures taken or proposed to address the incident
We will cooperate with you and take reasonable steps to assist in the investigation and mitigation of each Security Incident.
10. International Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) or the UK. Where such transfers occur, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or transfers to countries with an adequacy decision. Upon request, we will provide you with information about the specific safeguards applied.
11. Audits and Compliance
We will make available to you information necessary to demonstrate compliance with this DPA. We will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable advance notice and during normal business hours. You agree that audits shall be limited to once per year unless required by a supervisory authority or in the event of a Security Incident.
12. Data Deletion and Return
Upon termination of the Service or upon your request, we will delete or return all Personal Data to you and delete existing copies, unless applicable law requires storage of the Personal Data. You may export your data at any time using the data export feature in Settings. We will delete your data within 30 days of account closure, except where retention is required by law.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects under Data Protection Laws.
14. Contact
For questions about this DPA or to exercise your rights, please contact:
Double A Labs LLC — Ledgit Data Protection
Email: dpo@ledgit.app