Data processing agreement

This Data Processing Agreement ("DPA") forms part of the agreement between LedgerSignal Pty Ltd ("Processor", "we", "us") and the entity agreeing to our Terms of Service ("Controller", "you", "Customer").

Last updated: 6 March 2026

1. Definitions

  • "Customer Data" means any personal information that the Customer uploads, submits, or otherwise provides to LedgerSignal through the service, including documents, bank statements, and transaction records.
  • "Data Protection Laws" means the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and any other applicable data protection legislation including the General Data Protection Regulation (EU) 2016/679 ("GDPR") to the extent applicable.
  • "Personal Information" has the meaning given in the Privacy Act 1988 (Cth), and includes "personal data" as defined under the GDPR where applicable.
  • "Processing" means any operation performed on Customer Data, including collection, storage, use, disclosure, analysis, and deletion.
  • "Security Incident" means any unauthorised access to, or unauthorised disclosure of, Customer Data.
  • "Subprocessor" means a third-party service provider engaged by LedgerSignal to process Customer Data on behalf of the Customer.

2. Scope and purpose of processing

LedgerSignal processes Customer Data solely to provide the service as described in our Terms of Service. The nature and purpose of processing includes:

  • Storing and managing documents uploaded by the Customer (bank statements and financial records)
  • Extracting and classifying transaction data from uploaded documents using AI services (OpenAI and Google Gemini) via API
  • Providing the Customer with structured transaction data, analytics, and reports
  • Authenticating users and managing organisation-level access control
  • Sending service-related email notifications

Categories of data subjects: the Customer's employees, contractors, and authorised users, and the individuals whose personal information appears in documents uploaded by the Customer (such as bank account holders and transaction counterparties).

Categories of personal information: name, email address, organisation name, IP address, browser and device information, and the contents of uploaded financial documents (which may include names, bank account numbers, transaction descriptions, and monetary amounts).

3. Processor obligations

LedgerSignal will:

  • Process Customer Data only in accordance with the Customer's documented instructions and as necessary to provide the service
  • Not sell, share, or use Customer Data for any purpose other than providing the service
  • Not use Customer Data to train AI models — our AI providers (OpenAI and Google Gemini) process data via API only and are contractually prohibited from using it for training
  • Ensure that personnel authorised to process Customer Data are subject to confidentiality obligations
  • Comply with applicable Data Protection Laws in relation to the processing of Customer Data
  • Notify the Customer without undue delay if we receive a request from a data subject to exercise their rights under Data Protection Laws

4. Security measures

LedgerSignal implements appropriate technical and organisational measures to protect Customer Data from unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Encryption at rest — AES-256 encryption for all stored data via Neon PostgreSQL and Vercel Blob storage
  • Encryption in transit — TLS 1.2+ on all connections
  • Authentication — managed by Clerk (SOC 2 Type II certified) with multi-factor authentication support, session management, and bot detection
  • Access control — organisation-level data isolation; each organisation's data is logically separated at the database level
  • Backups — daily database backups with point-in-time recovery via Neon (encrypted at rest on AWS infrastructure)
  • Document storage — uploaded files stored in encrypted blob storage with token-based access controls

For full details of our security practices, see our Trust & security page.

5. Subprocessors

The Customer provides general authorisation for LedgerSignal to engage the subprocessors listed below. We will notify the Customer by email at least 14 days before adding a new subprocessor. If the Customer objects to a new subprocessor, they may notify us within that 14-day period, and we will work to address the concern or offer a reasonable alternative. If no resolution is possible, the Customer may terminate the affected service.

Subprocessor      Purpose                        Location
Neon              Database (PostgreSQL)          United States
Clerk             Authentication                 United States
Vercel            Hosting and file storage       United States
Upstash           Background jobs and caching    United States
OpenAI            Document analysis (LLM)        United States
Google (Gemini)   Document analysis (LLM)        United States
Resend            Email notifications            United States
PostHog           Product analytics              United States
Intercom          Customer support               United States

LedgerSignal ensures that each subprocessor is bound by data protection obligations no less protective than those in this DPA. All subprocessors listed above maintain SOC 2 Type II or ISO 27001 certifications. For certification details, see our Trust & security page.

6. Cross-border data transfers

Customer Data is processed and stored in the United States by our subprocessors. LedgerSignal is an Australian company and acknowledges its obligations under APP 8 (cross-border disclosure of personal information). Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles information in accordance with the Australian Privacy Principles.

Where the GDPR applies, transfers are made in compliance with Chapter V of the GDPR, including reliance on Standard Contractual Clauses (SCCs) where required.

7. Data subject rights

LedgerSignal will assist the Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including rights of access (APP 12), correction (APP 13), and deletion. If LedgerSignal receives a request directly from a data subject, we will promptly redirect the request to the Customer unless legally required to respond directly.

8. Security incident notification

LedgerSignal will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Customer Data. The notification will include:

  • A description of the nature of the incident
  • The categories and approximate number of data subjects and records affected
  • The likely consequences of the incident
  • The measures taken or proposed to address the incident and mitigate its effects

LedgerSignal will cooperate with the Customer in investigating, mitigating, and remediating any Security Incident.

9. Audit and compliance

LedgerSignal will make available to the Customer, on request, information necessary to demonstrate compliance with this DPA. The Customer may request an audit of LedgerSignal's data processing practices once per year, at the Customer's expense, with reasonable advance notice. LedgerSignal may satisfy audit requests by providing relevant security documentation, certifications, or third-party audit reports (such as subprocessor SOC 2 reports).

10. Data return and deletion

During the term, the Customer may export their transaction data as CSV and delete individual cases, documents, and extracted data at any time from within the application.

Upon termination of the agreement or upon the Customer's written request, LedgerSignal will delete all Customer Data within 30 days, unless retention is required by applicable law. Upon request, LedgerSignal will provide written confirmation of deletion.

11. Term

This DPA takes effect when the Customer agrees to our Terms of Service and remains in effect for the duration of the Customer's use of the service. The obligations in this DPA relating to the protection of Customer Data will survive termination until all Customer Data has been deleted.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. LedgerSignal remains liable for the acts and omissions of its subprocessors to the same extent it would be liable if performing the processing directly.

13. Conflict

In the event of a conflict between this DPA and the Terms of Service, the terms of this DPA will prevail with respect to data protection matters.

14. Changes to this DPA

We may update this DPA from time to time. We will notify the Customer of material changes by email at least 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the updated DPA.