Data Processing Agreement

Last Updated: 6 July 2026

High-level overview

LedgerBee is a SaaS platform that helps businesses and advisors manage accounting, invoicing, payroll, spend, projects, inventory, document storage and AI-assisted financial reporting. When processing personal data on behalf of your customers, LedgerBee acts as a data processor. This agreement sets out your obligations as data controller and the rights and duties of LedgerBee as data processor.

Parties

Data processor:

LedgerBee Technologies A/S (brand name "LedgerBee")
CVR 36958723 (VAT DK36958723), Edison Park 4, st., DK-6715 Esbjerg N, Denmark

The term "data processor" refers to LedgerBee Technologies A/S trading as LedgerBee, and the term "data controller" refers to each customer of LedgerBee. Each is a "party" and together they are the "parties".

The parties have agreed the following standard contractual clauses (the "Clauses") in order to comply with the General Data Protection Regulation and to protect the privacy and fundamental rights and freedoms of natural persons.

1. Preamble

These clauses set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.

They are designed to ensure compliance with Article 28(3) of Regulation (EU) 2016/679.

In connection with the provision of LedgerBee solutions, the data processor processes personal data on behalf of the data controller in accordance with these Clauses. With respect to the processing of personal data, these Clauses take precedence over any similar provisions in other agreements between the parties.

There are four annexes to these Clauses, and the annexes form an integral part of the Clauses:

  • Annex A – further information on the processing: purpose, nature of processing, type of personal data, categories of data subjects and duration of processing.
  • Annex B – data controller's conditions for the processor's use of sub-processors and a list of approved sub-processors.
  • Annex C – controller's instructions, minimum security measures and supervision of the processor and sub-processors.
  • Annex D – provisions regarding other activities not covered by the Clauses.

The provisions and annexes must be kept in writing, including electronically, by both parties.

These provisions do not release the data processor from obligations imposed under the GDPR or any other legislation.

2. Data types not processed

LedgerBee will not process the following types of personal data unless explicitly agreed in Annex A:

  • special categories of personal data as defined in Articles 9 and 10 of the GDPR (e.g. health, religious beliefs, political opinions, biometrics, genetic data, trade-union membership);
  • personal data regarding criminal offences;
  • other extremely sensitive personal data, such as medical diagnoses or detailed social-case information;
  • any other data types not required to deliver the services described in Annex A.

This clause clarifies that LedgerBee's services are not designed to handle highly sensitive categories of data, including patient and health data. For clarity: ordinary bookkeeping, payroll and receivables/payables data described in Annex A — including payroll-tax information, absence registration for payroll purposes, and debtor and creditor balances — is inherent to the services and is not excluded by this clause.

3. Rights and obligations of the data controller

The controller is responsible for ensuring that personal-data processing complies with the GDPR, other EU law and national law.

The controller has the right and obligation to make decisions about the purpose(s) and means of processing.

The controller is responsible for ensuring that there is a legal basis for the processing instructed to the processor.

4. The data processor acts on instructions

The processor may only process personal data on documented instructions from the controller, unless required by Union or national law. Such instructions shall be specified in Annexes A and C. Subsequent instructions must be documented and kept in writing.

The processor shall immediately inform the controller if an instruction, in its opinion, infringes the GDPR or other applicable data-protection laws.

5. Confidentiality

The processor may only grant access to personal data to persons subject to its instruction powers who have undertaken confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary.

The list of authorised persons shall be reviewed regularly and access closed when no longer necessary.

The processor must demonstrate compliance with this confidentiality obligation upon request.

6. Processing security

Pursuant to Article 32 of the GDPR, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks.

The controller must assess the risks to the rights and freedoms of natural persons represented by the processing and implement measures to address those risks. Depending on relevance, measures include pseudonymisation, encryption, ensuring confidentiality and integrity, restoring availability and access after incidents, and regular testing of effectiveness.

The processor must independently assess the risks and implement measures to address those risks. The controller shall provide the processor with the necessary information to assess such risks.

The processor shall assist the controller in complying with Article 32, including by providing information about technical and organisational measures already implemented.

If addressing the identified risks requires additional measures beyond those implemented by the processor, the controller shall specify these additional measures in Annex C.

7. Use of sub-processors

The processor must meet the conditions in Article 28(2) and (4) of the GDPR when using sub-processors.

The processor may not use a sub-processor without prior general written approval from the controller.

The controller grants general approval for sub-processors listed in Annex B. The processor shall notify the controller at least 30 days in advance of any planned additions or replacements, allowing the controller to object.

The processor shall impose on any sub-processor the same data-protection obligations as those in these Clauses.

The processor remains fully liable to the controller for the performance of the sub-processor's obligations.

8. Transfer to third countries or international organisations

Any transfer of personal data to third countries or international organisations may only occur on documented instructions from the controller and must be in accordance with Chapter V of the GDPR.

If the processor is required by law to transfer data, it shall inform the controller unless prohibited for reasons of public interest.

Without documented instructions, the processor may not transfer personal data, entrust processing to a sub-processor in a third country or process data in a third country.

The controller's instructions on transfers, including the legal basis in Chapter V, shall be stated in Annex C.

These clauses should not be confused with Standard Contractual Clauses under Article 46(2)(c) and (d) and do not themselves constitute a transfer mechanism.

9. Assistance to the data controller

Taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organisational measures to respond to data-subject requests under Chapter III of the GDPR (information, access, rectification, erasure, restriction, notification, portability, objection and automated decision-making).

The processor shall also assist the controller in:

  • notifying a personal-data breach to the supervisory authority without undue delay and, if possible, within 72 hours of awareness;
  • notifying data subjects when a breach is likely to result in a high risk;
  • carrying out data-protection impact assessments;
  • consulting the supervisory authority when required.

Annex C specifies the measures with which the processor shall assist the controller and the scope of such assistance.

10. Notification of a personal data breach

The processor shall notify the controller without undue delay after becoming aware of a personal-data breach.

Notification shall, if possible, take place no later than 48 hours after becoming aware of the breach, so that the controller can report the breach to the competent supervisory authority.

The processor shall assist the controller in providing the information required under Article 33(3) (nature of breach, categories and approximate number of data subjects and records affected, likely consequences and remedial measures).

Annex C specifies the information that the processor shall provide in connection with breach notifications.

11. Deletion and return of information

Upon termination of the services relating to the processing of personal data, the processor is obliged to delete all personal data processed on behalf of the controller and confirm that the data has been deleted, unless EU or national law requires retention.

The Danish Bookkeeping Act mandates retention of accounting records for five years from the end of the accounting period. LedgerBee retains personal data for this statutory period plus four weeks for accounting purposes. After this period, data will be securely deleted or anonymised. If a customer terminates the agreement, data will be available for export and retained for four weeks after termination.

12. Audit, including inspection

The processor shall make all information necessary to demonstrate compliance with Article 28 and these Clauses available to the controller and allow for and contribute to audits, including inspections, by the controller or an authorised auditor.

Procedures for audits and inspections are set out in Annexes C.7 and C.8.

The processor shall grant supervisory authorities access to its facilities upon proper identification.

13. Additional assignments and costs

Tasks and assistance requested by the controller that are not obligations under this agreement (e.g. additional audits beyond those specified, bespoke data-processing tasks or bespoke reports) may incur additional charges.

The processor shall notify the controller of such tasks in advance, providing an estimate of the expected costs. If the parties cannot agree on the costs, either party may terminate the agreement governing the additional assignment with 30 days' written notice.

Tasks covered by the main service agreement remain included and are not subject to additional charges.

14. Agreement of the parties on other matters

The parties may agree on other provisions regarding the service, provided they do not conflict with these Clauses or impair the fundamental rights and freedoms of data subjects.

15. Entry into force and termination

These Clauses enter into force on the date the Customer signs the Order Form, or upon the Customer's electronic acceptance through LedgerBee.com or another approved LedgerBee ordering system. Such signature or electronic acceptance shall be deemed signature of this DPA.

Either party may request renegotiation if legal changes or inadequacies in the Clauses warrant it.

The Clauses are valid for the duration of the personal-data-processing service. They cannot be terminated during this period unless other terms governing the service are agreed.

If the service ceases and personal data is deleted or returned in accordance with Clause 11 and Annex C.4, the Clauses may be terminated by written notice by either party.

Annex A — Information about the processing

A.1. The purpose of the data processor's processing of personal data on behalf of the data controller

Solution 1: LedgerBee Platform — SaaS solution that allows companies to manage their financial operations.

Solution 2: LedgerBee Advisor — SaaS solution for financial advisors where they can manage their clients.

A.2. The processing of personal data by the data processor on behalf of the data controller primarily concerns (the nature of the processing)

Solution 1: LedgerBee Platform

Accounting and bookkeeping, document storage, invoicing and e-invoicing, bank reconciliation, subscription management and recurring billing, spend management and corporate cards, bill pay, payroll and HR, project and field-service management, warehouse and production management, budgets and liquidity forecasting, group consolidation, and AI-assisted automation.

AI features comprise the Hivey AI layer: auto-booking that posts documents and applies accounting policies; HiveyChat, which answers questions and produces analyses from the customer's ledger (e.g. reports for boards, CFO chatbot); and MCP access, which allows the customer's own AI agents to interact with the platform. AI processing takes place within the EU/EEA, and customer data is not used to train foundation models.

Solution 2: LedgerBee Advisor

SaaS solution for financial advisors where they can manage their clients, bookkeeping for clients, storage of documents, transaction analysis, task management for clients, and the AI features described above.

A.3. The processing includes the following types of personal data about the data subjects:

Solution 1: LedgerBee Platform

  • Customer users: user information
  • Customers' employees: salary information, sick leave, pension, mileage, bank information, CPR number, etc.
  • Customers' job applicants (where the recruitment/ATS features are used): application and CV information, contact details
  • Customers' customers, suppliers, etc.: contact information for contact persons

Solution 2: LedgerBee Advisor

  • Customer users: user information
  • Customers' customers: salary information, sick leave, pension, mileage, bank information, CPR number, etc. Contact information for contact persons at customers, partners and suppliers.
  • Clients' job applicants (where the recruitment/ATS features are used): application and CV information, contact details

A.4. The processing includes the following categories of data subjects:

See A.3.

A.5. Duration

The processing of personal data by the Data Processor on behalf of the Data Controller may commence after these Clauses come into force. The processing continues until the main agreement is terminated.

Annex B — Sub-processors

B.1. Authorised sub-processors

Upon entry into force of the Clauses, the data controller has approved the use of the following sub-processors:

NAME VAT/Org. No. ADDRESS DESCRIPTION OF PROCESSING TRANSFER BASIS
Microsoft Ireland Operations Limited IE8256796U One Microsoft Place, Dublin, D18 P521, Ireland. Data centre location: Netherlands and Ireland Hosting of application server, database server and backup. Sending emails. Not applicable – processing within EU/EEA. Any onward US support access: EU-U.S. Data Privacy Framework
Microsoft Azure OpenAI Service (via Microsoft Ireland Operations Limited) IE8256796U EU data centres AI services (Hivey auto-booking, HiveyChat, MCP) Not applicable – processing within EU/EEA
Amazon Web Services EMEA SARL LU26888617 38 Avenue John F. Kennedy, L-1855 Luxembourg. EU data centres AI model hosting via Amazon Bedrock (EU regions), including Anthropic Claude models used by Hivey; build/CI infrastructure. Not applicable – processing within EU/EEA
Cloudflare, Inc. US EIN 27-0805829 101 Townsend Street, San Francisco, CA 94107, USA. Global edge network; EU data centres where available DNS, CDN and security services for hosted customer portals and hosted domains. Processing is limited to traffic-transit data (e.g. IP addresses and portal content in transit); no storage of customer ledger data. EU-U.S. Data Privacy Framework (active participant)
HubSpot Ireland Limited IE9849471F 1 Sir John Rogerson's Quay, Dublin 2, D02 CR67, Ireland Hosting of ticket solution. Not applicable – processing within EU/EEA
Bank Integration ApS 37534862 Lykkegaardsvej 54, 9210 Aalborg SØ, Denmark Bank transactions and supplier payments. Not applicable – processing within EU/EEA
Mastercard OB Services Denmark A/S 33509006 Arne Jacobsens Allé 13, 2300 Copenhagen, Denmark Bank transactions, Betalingsservice, Leverandørservice Not applicable – processing within EU/EEA
Pliant GmbH DE330969998 (HRB 217281 B) Prenzlauer Allee 242-247, 10405 Berlin, Germany Corporate-card issuing and processing (Spend & Corporate Cards) Not applicable – processing within EU/EEA
Sproom A/S 29403473 Gørtorvet 3, 1799 Copenhagen V, Denmark E-invoicing services Not applicable – processing within EU/EEA
Scrive AB SE556816-6804 Grev Turegatan 11A, 114 46 Stockholm, Sweden Electronic signature Not applicable – processing within EU/EEA

Upon entry into force of the Clauses, the data controller has approved the use of the above-mentioned sub-processors for the described processing activity. The data processor may not – without the written approval of the data controller – use a sub-processor for a processing activity other than the one described and agreed upon or use another sub-processor for this processing activity.

B.2. Notification for approval of sub-processors

30 days.

Annex C — Instructions regarding the processing of personal data

C.1. Subject matter/instructions of the processing

The data processor's processing of personal data on behalf of the data controller occurs by the data processor performing the following: delivery of the LedgerBee Platform or LedgerBee Advisor.

C.2. Processing security

The security level must reflect: the processing includes a large amount of confidential personal data, which is why a "high" level of security must be established.

The data processor is then entitled and obliged to make decisions about which technical and organisational security measures must be implemented to establish the necessary (and agreed) level of security.

However, the data processor must – in all circumstances and as a minimum – implement the following measures, which have been agreed with the data controller:

  • Pseudonymisation and encryption of personal data: All personal information must be encrypted using industry-standard encryption protocols (AES-256 or equivalent) when stored or transmitted. Pseudonymisation techniques must be used where practicable to replace identifiable information with pseudonyms and thereby minimise risk.
  • Ensuring confidentiality, integrity, availability and robustness: The data processor must implement robust access-control mechanisms, including role-based access control and two-factor authentication, to ensure confidentiality and integrity. There must be regular backup procedures to ensure availability. Systems must be continuously monitored and protected by up-to-date antivirus, firewall and intrusion detection/prevention systems.
  • Restoring availability and access to data: The data processor must maintain a disaster-recovery and business-continuity plan designed to restore data and access within 24 hours after an incident.
  • Regular testing, assessment and evaluation: Technical and organisational measures must be assessed regularly through quarterly vulnerability scans, annual penetration tests, and ongoing audits to ensure continued effectiveness and compliance with security requirements.
  • Access to information via the Internet: Remote access to personal data via the Internet must be encrypted with secure protocols such as HTTPS, VPN or other secure channels, and be protected by secure authentication mechanisms (two-factor authentication).
  • Protection of information during transmission: All transmissions of personal data must take place via encrypted channels (TLS 1.2 or higher) to ensure that personal data remains protected during transmission.
  • Protection of information during storage: Stored personal data must be encrypted at rest with industry-standard encryption algorithms and secured with robust key-management practices to prevent unauthorised access.
  • Physical security at data-processing locations: Data-processing locations must have limited physical access, secured with access-control systems such as key cards, biometric systems and/or security personnel. Server rooms and data centres must have environmental controls, monitoring and access logging.
  • Use of home working/teleworking: Teleworking or working from home must comply with the company's established security guidelines, including encrypted communications, secure remote connections (VPN), and physical security standards for equipment.
  • Logging requirements: The data processor must maintain secure, tamper-proof logs recording access to personal data, failed access attempts, changes to data and system operations, and these must be retained for at least 3 months. Logs must be reviewed regularly for unauthorised access or deviations.

C.3. Assistance to the data controller

The data processor shall, to the extent possible and within the scope and extent set out below, assist the data controller in accordance with Clause 9 by implementing the following technical and organisational measures:

  • Establish procedures for assistance to the data controller.
  • Ensure that delivered solutions have appropriate technical features to support assistance to data controllers.

C.4. Retention period/deletion routine

Personal data is retained for 5 years + 4 weeks after the end of an accounting period for existing customers, after which it must be securely deleted or anonymised by the data processor. If a customer terminates the agreement, data will be made available for export and retained for 4 weeks after termination.

Upon termination of the service relating to the processing of personal data, the data processor shall either delete or return the personal data in accordance with Clause 11, unless otherwise instructed by the data controller. Changes shall be documented and stored in writing, including electronically, together with this agreement.

C.5. Location of processing

Processing of personal data covered by the Clauses may not take place at locations other than the following without the prior written approval of the data controller: see locations in Annex B.

C.6. Instructions regarding the transfer of personal data to third countries

If the data controller does not provide documented instructions in these Clauses or subsequently regarding the transfer of personal data to a third country, the data processor is not entitled to carry out such transfers within the framework of these Clauses.

C.7. Procedures for the controller's audits, including inspections, of the processing of personal data entrusted to the processor

The data processor must, at its own expense, continuously obtain documentation of supervision carried out by an independent third party regarding the data processor's compliance with the General Data Protection Regulation, data-protection provisions in other EU law or the national law of the Member States and these Clauses.

It is agreed between the parties that the following types of documentation may be used in accordance with these Clauses: audit reports containing control objectives from ISAE 3000 on GDPR.

The documentation will be forwarded without undue delay to the data controller upon request.

Based on the documentation, the data controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data-protection provisions in other EU law or the national law of the Member States and these Clauses.

The controller or a representative of the controller shall also have access to carry out inspections, including physical inspections, of the premises from which the processor processes personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the controller deems it necessary.

Any costs incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its inspection.

C.8. Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors

Based on a risk assessment of each sub-processor, the data processor shall determine what type of supervision should be conducted and how often. Where the risk assessment requires it, the data processor shall regularly obtain, at its own expense, a supervision report from an independent third party regarding the sub-processor's compliance with the General Data Protection Regulation, data-protection provisions in other EU law or the national law of the Member States and these Clauses.

It is agreed between the parties that the following types of documentation may be used in accordance with these Clauses: audit reports containing control objectives from ISAE 3000 on GDPR.

The documentation will be forwarded without undue delay to the data controller upon request.

Based on the documentation, the data controller is entitled to request the implementation of additional measures to ensure compliance with the General Data Protection Regulation, data-protection provisions in other EU law or the national law of the Member States and these Clauses.

The processor or a representative of the processor shall also have access to carry out inspections, including physical inspections, of the premises from which the sub-processor carries out the processing of personal data, including physical premises and systems used for or in connection with the processing. Such inspections may be carried out when the processor (or the data controller) deems it necessary.

Annex D — Provisions on other activities

D.1. Anonymisation and service improvement

The data controller instructs and authorises the data processor, as an integral part of the agreed service, to anonymise and aggregate personal data processed under these Clauses — including free-text transaction descriptions from banks and payment service providers (PSPs), and booking and reconciliation patterns and outcomes — such that no natural person is or can be identified, and to use the resulting anonymised and aggregated data to operate, analyse, maintain and improve the data processor's services, automatic functions and its own AI models, cf. Section 7 of the Terms & Conditions. This instruction forms an integral part of these Clauses for all customers; deviations require a signed addendum to the Order Form. If such a deviation (opt-out) is agreed, the automatic functions (including Hivey auto-booking and automatic bank reconciliation) will not be available to the data controller, as the anonymised learning is integral to the operation of those functions. Before any such use, the data processor shall remove or irreversibly transform any personal identifiers (for example, names of natural persons appearing in free-text transaction descriptions) and shall ensure that the anonymisation technique used is appropriate to prevent re-identification. Once effectively anonymised, such data is no longer personal data within the meaning of the GDPR and falls outside these Clauses, and the data processor may retain and continue to use it after termination of these Clauses.

The data processor shall not use personal data processed on behalf of the data controller to train third-party AI foundation models, and the customer's inputs to and outputs from the AI features are not used by the data processor's AI providers to train their models.

D.2. Other provisions

No further provisions have been agreed. Any customer-specific deviations must be set out in a signed addendum to the Order Form.