Data Processing Agreement
Last Updated: September 26th 2025
High‑level overview
LedgerBee is a SaaS platform that helps businesses and advisors manage accounting, invoicing, payroll, inventory, document storage and AI‑assisted financial reporting. When processing personal data on behalf of your customers, LedgerBee acts as a data processor. This agreement sets out your obligations as data controller and the rights and duties of LedgerBee as data processor.
Parties
Data processor:
LedgerBee Technologies A/S
(brand name “LedgerBee”)
VAT: DK36958723
St. Lundgaard Vej 54
7400 Herning
Denmark
The term “data processor” refers to LedgerBee Technologies A/S trading as LedgerBee, and the term “data controller” refers to each customer of LedgerBee. Each is a “party” and together they are the “parties”.
The parties have agreed the following standard contractual clauses (the “Clauses”) in order to comply with the General Data Protection Regulation and to protect the privacy and fundamental rights and freedoms of natural persons.
- Preamble
- These clauses set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
- They are designed to ensure compliance with Article 28(3) of Regulation (EU) 2016/679.
- In connection with the provision of LedgerBee solutions, the data processor processes personal data on behalf of the data controller in accordance with these Terms. The provisions take precedence over any similar provisions in other agreements between the parties.
- There are four annexes to these Regulations, and the annexes form an integral part of the Regulations:
- Annex A – further information on the processing: purpose, nature of processing, type of personal data, categories of data subjects and duration of processing.
- Annex B – data controller’s conditions for the processor’s use of sub‑processors and a list of approved sub‑processors.
- Annex C – controller’s instructions, minimum security measures and supervision of the processor and sub‑processors.
- Annex D – provisions regarding other activities not covered by the Regulations.
- The provisions and annexes must be kept in writing, including electronically, by both parties.
- These provisions do not release the data processor from obligations imposed under the GDPR or any other legislation.
- Data types not processed
LedgerBee will not process the following types of personal data unless explicitly agreed in Annex A:
- special categories of personal data as defined in Articles 9 and 10 of the GDPR (e.g. health, religious beliefs, political opinions, biometrics, genetic data, trade‑union membership);
- personal data regarding criminal offences;
- personal data relating to tax, debt, medical diagnoses, family relations or other extremely sensitive information;
- any other data types not required to deliver the services described in Annex A.
This clause clarifies that LedgerBee’s services are not designed to handle highly sensitive categories of data.
- Rights and obligations of the data controller
- The controller is responsible for ensuring that personal‑data processing complies with the GDPR, other EU law and national law.
- The controller has the right and obligation to make decisions about the purpose(s) and means of processing.
- The controller is responsible for ensuring that there is a legal basis for the processing that it instructs the processor to carry out.
- The data processor acts on instructions
- The processor may only process personal data on documented instructions from the controller, unless required by Union or national law. Such instructions shall be specified in Annexes A and C. Subsequent instructions must be documented and kept in writing.
- The processor shall immediately inform the controller if an instruction, in its opinion, infringes the GDPR or other applicable data‑protection laws.
- Confidentiality
- The processor may only grant access to personal data to persons under its authority who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary.
- The list of authorised persons shall be reviewed regularly and access closed when no longer necessary.
- The processor must demonstrate compliance with this confidentiality obligation upon request.
- Processing security
- Pursuant to Article 32 of the GDPR, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks.
- The controller must assess the risks to the rights and freedoms of natural persons represented by the processing and implement measures to address those risks. Depending on relevance, measures include pseudonymisation, encryption, ensuring confidentiality and integrity, restoring availability and access after incidents, and regular testing of effectiveness.
- The processor must independently assess the risks and implement measures to address those risks. The controller shall provide the processor with the necessary information to assess such risks.
- The processor shall assist the controller in complying with Article 32, including by providing information about technical and organisational measures already implemented.
- If addressing the identified risks requires additional measures beyond those implemented by the processor, the controller shall specify these additional measures in Annex C.
- Use of sub‑processors
- The processor must meet the conditions in Article 28(2) and (4) of the GDPR when using sub‑processors.
- The processor may not use a sub‑processor without prior general written approval from the controller.
- The controller grants general approval for sub‑processors listed in Annex B. The processor shall notify the controller at least 30 days in advance of any planned additions or replacements, allowing the controller to object.
- The processor shall impose on any sub‑processor the same data‑protection obligations as those in these Regulations.
- The processor remains fully liable to the controller for the performance of the sub‑processor’s obligations.
- Transfer to third countries or international organisations
- Any transfer of personal data to third countries or international organisations may only occur on documented instructions from the controller and must be in accordance with Chapter V of the GDPR.
- If the processor is required by law to transfer data, it shall inform the controller unless prohibited for reasons of public interest.
- Without documented instructions, the processor may not transfer personal data, entrust processing to a sub‑processor in a third country or process data in a third country.
- The controller’s instructions on transfers, including the legal basis in Chapter V, shall be stated in Annex C.
- These clauses should not be confused with Standard Contractual Clauses under Article 46(2)(c) and (d) and do not themselves constitute a transfer mechanism.
- Assistance to the data controller
- Taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organisational measures to respond to data‑subject requests under Chapter III of the GDPR (information, access, rectification, erasure, restriction, notification, portability, objection and automated decision‑making).
- The processor shall also assist the controller in:
- notifying a personal‑data breach to the supervisory authority without undue delay and, if possible, within 72 hours of awareness;
- notifying data subjects when a breach is likely to result in a high risk;
- carrying out data‑protection impact assessments;
- consulting the supervisory authority when required.
- Annex C specifies the measures with which the processor shall assist the controller and the scope of such assistance.
- Notification of a personal data breach
- The processor shall notify the controller without undue delay after becoming aware of a personal‑data breach.
- Notification shall, if possible, take place no later than 48 hours after becoming aware of the breach, so that the controller can report the breach to the competent supervisory authority.
- The processor shall assist the controller in providing the information required under Article 33(3) (nature of breach, categories and approximate number of data subjects and records affected, likely consequences and remedial measures).
- Annex C specifies the information that the processor shall provide in connection with breach notifications.
- Deletion and return of information
- Upon termination of the services relating to the processing of personal data, the processor is obliged to delete all personal data processed on behalf of the controller and confirm that the data has been deleted, unless EU or national law requires retention.
- Data retention for five years plus four weeks after the end of an accounting period is mandated by the Danish Bookkeeping Act. LedgerBee must retain personal data for this statutory period for accounting purposes. After this period, data will be securely deleted or anonymised. If a customer terminates the agreement, data will be available for export and retained for four weeks after termination.
- Audit, including inspection
- The processor shall make all information necessary to demonstrate compliance with Article 28 and these Clauses available to the controller and allow for and contribute to audits, including inspections, by the controller or an authorised auditor.
- Procedures for audits and inspections are set out in Annexes C.7 and C.8.
- The processor shall grant supervisory authorities access to its facilities upon proper identification.
- Additional assignments and costs
- Tasks and assistance requested by the controller that are not obligations under this agreement (e.g. additional audits beyond those specified, bespoke data‑processing tasks or bespoke reports) may incur additional charges.
- The processor shall notify the controller of such tasks in advance, providing an estimate of the expected costs. If the parties cannot agree on the costs, either party may terminate the agreement governing the additional assignment with 30 days’ written notice.
- Tasks covered by the main service agreement remain included and are not subject to additional charges.
- Agreement of the parties on other matters
- The parties may agree on other provisions regarding the service, provided they do not conflict with these Clauses or impair the fundamental rights and freedoms of data subjects.
- Entry into force and termination
- These Clauses enter into force on the date the Customer signs the Order Form, or upon the Customer’s electronic acceptance through LedgerBee.com, HubSpot or other approved LedgerBee ordering systems. Such signature or electronic acceptance shall be deemed signature of this DPA.
- Either party may request renegotiation if legal changes or inadequacies in the Clauses warrant it.
- The Clauses are valid for the duration of the personal‑data‑processing service. They cannot be terminated during this period unless other terms governing the service are agreed.
- If the service ceases and personal data is deleted or returned in accordance with Clause 11 and Annex C.4, the Clauses may be terminated by written notice by either party.
Annex A Information about the processing
A.1. The purpose of the data processor's processing of personal data on behalf of the data controller
Solution 1: LedgerBee Platform
SaaS solution that allows companies to manage their financial operations.
Solution 2: LedgerBee Advisor
SaaS solution for financial advisors where they can manage their clients.
A.2. The processing of personal data by the data processor on behalf of the data controller primarily concerns (the nature of the processing)
Solution 1: LedgerBee Platform
Accounting, document storage, invoicing, subscription management, payroll, inventory management, AI agents.
AI agents create board reports, perform automated bookkeeping based on vouchers and provide a CFO chatbot.
Solution 2: LedgerBee Advisor
SaaS solution for financial advisors where they can manage their clients, bookkeeping for clients, storage of documents, transaction analysis, task management for clients.
A.3. The processing includes the following types of personal data about the data subjects:
Solution 1: LedgerBee Platform
Customer users: user information
Customers' employees: Salary information, sick leave, pension, driving, bank information, CPR number, etc.
Customers' customers, suppliers, etc.: Contact information for contact persons
Solution 2: LedgerBee Advisor
Customer users: user information
Customers' customers: Salary information, sick leave, pension, driving, bank information, CPR number, etc. Contact information for contact persons at customers, partners and suppliers.
A.4. The processing includes the following categories of data subjects:
See A.3
A.5. The processing of personal data by the Data Processor on behalf of the Data Controller may commence after these Terms and Conditions come into force. The processing has the following duration:
Until the main agreement is terminated.
Annex B Sub-processors
B.1. Authorized sub-processors
Upon entry into force of the Regulations, the data controller has approved the use of the following sub-processors:
NAME | VAT/Org. No. | ADDRESS | DESCRIPTION OF PROCESSING | TRANSFER BASIS
--- | --- | --- | --- | ---
Microsoft Ireland Operations Limited | IE8256796U | Data center location: Netherlands and Ireland | Hosting of application server, database server and backup. Sending emails. | Data Privacy Framework
Hubspot, Inc. | IE9849471F | Two Canal Park | Hosting of ticket solution. | Data Privacy Framework
Bank Integration ApS | 37534862 | Lykkegaardsvej 54 | Bank transactions and supplier payments. | REACH
FarPay ApS | 37295043 | | Payment provider | REACH
Mastercard OB Services Denmark A/S | 33509006 | | Bank transactions, Betalingsservice, Leverandørservice (direct debit and supplier payment services) | REACH
Sproom A/S | 29403473 | Gørtorvet 3, 1799 København V | E-invoicing services | REACH
Scrive AB | SE Org 556816-6804 | Grev Turegatan 11a, 114 46 Stockholm, SE | Electronic signature | REACH
OpenAI LLC | EU372041333 | 548 Market Street, PMB 97273, San Francisco, CA 94104-5101, US | AI services | REACH
Upon entry into force of the Regulations, the data controller has approved the use of the above-mentioned sub-processors for the described processing activity. The data processor may not – without the written approval of the data controller – use a sub-processor for a processing activity other than the one described and agreed upon or use another sub-processor for this processing activity.
B.2. Notification for approval of sub-processors
30 days
Annex C Instructions regarding the processing of personal data
C.1. Subject matter/instructions of the processing
The data processor's processing of personal data on behalf of the data controller occurs by the data processor performing the following:
Delivery of the LedgerBee Platform or LedgerBee Advisor solution.
C.2. Processing security
The security level must reflect that the processing includes a large amount of confidential personal data, which is why a "high" level of security must be established.
The data processor is therefore entitled and obliged to make decisions about which technical and organizational security measures must be implemented to establish the necessary (and agreed) level of security.
However, the data processor must – in all circumstances and as a minimum – implement the following measures, which have been agreed with the data controller:
- Requirements for pseudonymization and encryption of personal data:
All personal information must be encrypted using industry standard encryption protocols (AES-256 or equivalent) when stored or transmitted. Pseudonymization techniques must be used where practicable to replace identifiable information with pseudonyms and thereby minimize risk.
- Ensuring confidentiality, integrity, availability and robustness:
The data processor must implement robust access control mechanisms, including role-based access control and two-factor authentication, to ensure confidentiality and integrity. There must be regular backup procedures to ensure availability. Systems must be continuously monitored and protected by up-to-date antivirus, firewall and intrusion detection/prevention systems.
- Restoring availability and access to data:
The data processor must maintain a disaster recovery and business continuity plan that ensures restoration of data and access within a maximum of 24 hours (unsure of the exact number of hours) after an incident.
- Regular testing, assessment and evaluation:
Technical and organizational measures must be assessed regularly through quarterly vulnerability scans, annual penetration tests, and ongoing audits to ensure continued effectiveness and compliance with security requirements.
- Requirements for access to information via the Internet:
Remote access to personal data via the Internet must be encrypted with secure protocols such as HTTPS, VPN or other secure channels, and be protected by secure authentication mechanisms (two-factor authentication).
- Protection of information during transmission:
All transmissions of personal data must take place via encrypted channels (TLS 1.2 or higher) to ensure that personal data remains protected during transmission.
- Protection of information during storage:
Stored personal data must be encrypted at rest with industry-standard encryption algorithms and secured with robust key management practices to prevent unauthorized access.
- Physical security at data processing locations:
Data processing locations must have limited physical access, secured with access control systems such as key cards, biometric systems and/or security personnel. Server rooms and data centers must have environmental controls, monitoring and access logging.
- Use of home working/teleworking:
Teleworking or working from home must comply with the company's established security guidelines, including encrypted communications, secure remote connections (VPN), and physical security standards for equipment.
- Logging requirements:
The data processor must maintain secure, tamper-proof logs recording access to personal data, failed access attempts, changes to data and system operations, and these must be retained for at least 3 months. Logs must be reviewed regularly for unauthorized access or deviations.
C.3 Assistance to the data controller
The data processor shall, to the extent possible and within the scope and extent set out below, assist the data controller in accordance with Clauses 9.1 and 9.2 by implementing the following technical and organisational measures:
- Establish procedures for assistance to the data controller
- Ensure that delivered solutions have appropriate technical features to support assistance to data controllers.
C.4 Retention period/deletion routine
Personal data is retained for 5 years + 4 weeks after the end of an accounting period for existing customers, after which it must be securely deleted or anonymized by the data processor. If a customer terminates the agreement, data will be made available for export and retained for 4 weeks after termination.
Upon termination of the service relating to the processing of personal data, the data processor shall either delete or return the personal data in accordance with clause 11.1, unless otherwise instructed by the data controller. Changes shall be documented and stored in writing, including electronically, together with this agreement.
C.5 Location of processing
Processing of personal data covered by the Regulations may not take place at locations other than the following without the prior written approval of the data controller:
See locations in Appendix B.
C.6 Instructions regarding the transfer of personal data to third countries
If the data controller does not provide documented instructions in these Terms or subsequently regarding the transfer of personal data to a third country, the data processor is not entitled to carry out such transfers within the framework of these Terms.
C.7 Procedures for the controller's audits, including inspections, of the processing of personal data entrusted to the processor
The data processor must, at its own expense, continuously obtain documentation of supervision carried out by an independent third party regarding the data processor's compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States and these Regulations.
It is agreed between the parties that the following types of documentation may be used in accordance with these Terms:
Audit reports prepared under ISAE 3000 covering GDPR control objectives
The documentation will be forwarded without undue delay to the data controller upon request.
Based on the documentation, the data controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States and these Regulations.
The controller or a representative of the controller shall also have access to carry out inspections, including physical inspections, of the premises from which the processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the controller deems it necessary.
Any costs incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its inspection.
C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors
Based on a risk assessment of each sub-processor, the data processor shall determine what type of supervision should be conducted and how often. Where the risk assessment requires it, the data processor shall regularly obtain, at its own expense, a supervision report from an independent third party regarding the sub-processor's compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States and these Regulations.
It is agreed between the parties that the following types of documentation may be used in accordance with these Terms:
Audit reports prepared under ISAE 3000 covering GDPR control objectives
The documentation will be forwarded without undue delay to the data controller upon request.
Based on the documentation, the data controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States and these Regulations.
The processor or a representative of the processor shall also have access to carry out inspections, including physical inspections, of the premises from which the sub-processor carries out the processing of personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the processor (or the data controller) deems it necessary.