
Data Processing Addendum

For customers whose use of the Service is subject to the GDPR, UK GDPR, the Swiss FADP, or comparable laws.

Effective May 19, 2026 · Last updated May 19, 2026

1. How to put a DPA in place

This page describes the standard ChartOfAccounts.ai Data Processing Addendum (the “DPA”) we offer to customers. By subscribing to a paid plan and using the Service to process Personal Data subject to the GDPR, UK GDPR, or the Swiss FADP, you and Aero CFO, LLC are deemed to have entered into the DPA on the effective date shown above, and the DPA forms part of the Agreement.

If your procurement process requires a countersigned copy on your own paper, email legal@chartofaccounts.ai with the subject line “DPA request” and your customer account email. We will return a countersigned PDF, usually within 2 business days.

2. Definitions

Capitalized terms not defined here have the meanings given in the Agreement and in Article 4 of the GDPR. “Customer” means the entity that has accepted the Agreement. “Customer Personal Data” means Personal Data within Customer Data that Customer submits to the Service.

3. Roles & scope of processing

The parties agree that, with respect to Customer Personal Data, Customer is the “controller” (or “business” under CCPA/CPRA) and ChartOfAccounts.ai is the “processor” (or “service provider”). ChartOfAccounts.ai will process Customer Personal Data only on documented instructions from Customer, which include the Agreement, this DPA, and Customer’s use of the Service.

Subject matter: Customer’s use of the Service to import, analyze, and optimize a chart of accounts. Duration: the term of the Agreement plus the retention periods stated in the Privacy Policy. Nature and purpose: hosting, displaying, analyzing (including via the AI subprocessor), exporting, and supporting Customer Personal Data. Categories of data subjects: Customer’s employees, contractors, and other individuals whose information may appear in Customer Personal Data. Categories of data: identifiers, professional information, and the financial-account-structure data Customer uploads.

4. Confidentiality & personnel

We ensure that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations and receive appropriate data protection training. Access is limited on a need-to-know basis.

5. Security measures (Annex II)

We implement appropriate technical and organizational measures to protect Customer Personal Data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control with least-privilege provisioning and MFA on administrative accounts.
  • Audit logging of administrative actions and privileged-access events.
  • Hosted infrastructure with providers that hold current SOC 2 Type II attestation reports.
  • Routine vulnerability scanning, dependency monitoring, and code review.
  • Documented incident response procedures with defined notification timelines.
  • Regular backups and tested restoration procedures.
  • Security awareness training for personnel and onboarding/offboarding controls.

We may update these measures from time to time provided that the updates do not materially reduce the overall protection of Customer Personal Data.

6. Subprocessors

Customer authorizes ChartOfAccounts.ai to engage the subprocessors listed at /legal/subprocessors. We will:

  • impose written data protection obligations on each subprocessor that are no less protective than this DPA;
  • remain responsible for each subprocessor’s performance of those obligations;
  • give Customer at least 30 days’ advance notice (by email or in-app) before adding or replacing a subprocessor that processes Customer Personal Data, during which Customer may reasonably object on data-protection grounds and, if the objection cannot be resolved, terminate the affected portion of the Service for a pro-rated refund.

7. International transfers (Annex III)

The Service is hosted in the United States. Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties incorporate by reference:

  • the European Commission’s Standard Contractual Clauses (Module 2: controller-to-processor) adopted by Commission Implementing Decision (EU) 2021/914, including the optional docking clause; and
  • the UK International Data Transfer Addendum to the EU SCCs (IDTA Addendum, version B1.0) issued by the UK Information Commissioner’s Office.

Customer is the “data exporter”; ChartOfAccounts.ai is the “data importer.” Annex I (parties, processing, competent supervisory authority) is completed by reference to the Agreement, this DPA, and the Subprocessor List. Annex II is set out in Section 5 above. Annex III (subprocessors) is the list at /legal/subprocessors. The governing law is the law of Ireland, and the courts of Ireland have jurisdiction for the EU SCCs. For the UK Addendum, the governing law is the law of England and Wales.

8. Assistance with data subject requests

We will provide reasonable assistance to Customer in responding to requests by data subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection, automated decision-making). Where a data subject contacts us directly, we will forward the request to Customer without undue delay and not respond except on Customer’s documented instructions or where required by law.

9. Assistance with security, breach, DPIAs, and consultations

Taking into account the nature of processing and information available to us, we will provide reasonable assistance to Customer with security, breach notification, data protection impact assessments, and consultations with supervisory authorities under GDPR Articles 32–36.

We will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and, where feasible, no later than 72 hours after becoming aware of it. The notification will include the information required by Article 33(3) GDPR to the extent then known.

10. Audit rights

We will make available to Customer the information necessary to demonstrate compliance with this DPA. On reasonable prior written notice and no more than once per 12 months (except following a confirmed Personal Data Breach or where required by a supervisory authority), Customer may audit our compliance with this DPA. To minimize disruption, the parties will first review available audit reports (e.g., SOC 2), security questionnaires, and answers to written questions. Any on-site audit will be conducted during business hours, subject to confidentiality, and at Customer’s expense.

11. Deletion or return of Customer Personal Data

On termination or expiration of the Agreement, we will delete or return Customer Personal Data in accordance with the retention periods stated in the Privacy Policy, unless retention is required by applicable law. Customer may export its Customer Data for 30 days after termination via the in-app export tools.

12. Liability & order of precedence

Each party’s liability under this DPA is subject to the limitations of liability in the Agreement. To the extent of any conflict, the order of precedence is: (1) the EU SCCs and UK IDTA Addendum (for international-transfer matters they govern); (2) this DPA; (3) the Terms of Service; and (4) the Privacy Policy.

13. Notices, contact & DPO

Data-protection notices to us under this DPA: legal@chartofaccounts.ai. Aero CFO, LLC has not designated a statutory Data Protection Officer; the privacy contact address above serves as the privacy point of contact.

14. EU and UK representatives

ChartOfAccounts.ai does not target the Service to individuals in the EEA, UK, or Switzerland and is not, at this time, required to designate an Article 27 GDPR representative. If our processing later triggers Article 27, we will appoint a representative and update this DPA accordingly.