Acodei Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement (the “Agreement”) between:

• Acodei Software, LLC (“Acodei”), and
• The customer using Acodei’s services (“User” or “Customer”),

each a “Party” and together the “Parties”.

To the extent Acodei processes User Personal Data (as defined below) on behalf of User in the course of providing the Services, the Parties agree to comply with this DPA.

1. Definitions

1.1 “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, which may include, as applicable:

• the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”);
• the UK GDPR and UK Data Protection Act 2018;
• the Swiss Federal Act on Data Protection (FADP); and
• any other applicable data protection or privacy laws, including U.S. state privacy laws to the extent they apply to the Parties’ processing of Personal Data.

1.2 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meanings given in the applicable Data Protection Laws.

1.3 “User Personal Data” means any Personal Data processed by Acodei on behalf of User under the Agreement, as further described in Annex A (Details of Data Processing).

1.4 “Subprocessor” means any third party engaged by Acodei that Processes User Personal Data on behalf of Acodei in connection with the Services.

1.5 “Services” means the Acodei services provided to User under the Agreement (including data synchronization between payment processors and accounting systems).

2. Roles of the Parties and Scope

2.1 Roles. For the purposes of Data Protection Laws, User is the Controller (or a Processor acting on behalf of its own controller) and Acodei is a Processor of User Personal Data.

2.2 Scope. This DPA applies solely to Acodei’s Processing of User Personal Data in the course of providing the Services, as described in Annex A.

2.3 Instructions. Acodei will Process User Personal Data only on documented instructions from User, including with regard to transfers of User Personal Data to a third country or international organization, unless required to do so by applicable law. In such case, Acodei will inform User of that legal requirement before Processing, unless the law prohibits such information. GDPR.eu

2.4 User Responsibilities. User is responsible for:

• ensuring it has a valid legal basis for Processing and providing User Personal Data to Acodei;
• the accuracy, quality, and legality of User Personal Data; and
• configuring the Services in a privacy-compliant manner.

3. Details of Processing

3.1 The subject matter, nature and purpose of the Processing, categories of Data Subjects, categories of Personal Data, and duration of Processing are set out in Annex A (Details of Data Processing), in accordance with Article 28(3) GDPR-style requirements. ICO+1

4. Confidentiality

4.1 Acodei will ensure that persons authorized to Process User Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).

4.2 Acodei will not disclose User Personal Data to any third party except as permitted under this DPA, the Agreement, or as required by law.

5. Security

5.1 Security Measures. Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects, Acodei will implement and maintain appropriate technical and organizational security measures to protect User Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex C (Technical and Organizational Security Measures).

5.2 Security Obligations of User. User is responsible for maintaining appropriate security, including:

• safeguarding its account credentials;
• configuring its environment and integrations; and
• using available security controls within the Services.

6. Subprocessing

6.1 Authorized Subprocessors. User authorizes Acodei to engage the Subprocessors listed in Annex B (Subprocessors), as well as any additional Subprocessors that Acodei may engage in accordance with this Section 6.

6.2 Subprocessor Obligations. Acodei will:

• enter into a written contract with each Subprocessor that imposes obligations regarding data protection and security no less protective than those set out in this DPA; and
• remain responsible for each Subprocessor’s compliance with such obligations.

6.3 Changes to Subprocessors. Acodei may add or replace Subprocessors. Acodei will provide User with notice of any intended changes (e.g., via email, dashboard, or website posting) and give User an opportunity to object on reasonable grounds relating to data protection. If User reasonably objects, the Parties will discuss in good faith. If they cannot reach a mutually acceptable solution, User may terminate the affected Services on written notice (to the extent use of the new Subprocessor cannot be reasonably avoided).

7. International Data Transfers

7.1 Acodei may Process and transfer User Personal Data in and to locations where Acodei or its Subprocessors maintain operations, subject to this DPA and applicable Data Protection Laws.

7.2 Where required under Data Protection Laws for transfers of User Personal Data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of protection, the Parties will enter into the applicable Standard Contractual Clauses (SCCs) or other valid transfer mechanism, as updated or replaced from time to time by the European Commission, the UK government, or other competent authorities.

7.3 In the event of conflict between the SCCs (if applicable) and this DPA, the SCCs will prevail to the extent necessary to comply with Data Protection Laws.

8. Assistance to User

8.1 Data Subject Requests. Taking into account the nature of the Processing, Acodei will provide reasonable assistance to User, by appropriate technical and organizational measures, for User to respond to requests from Data Subjects to exercise their rights under Data Protection Laws (e.g., access, rectification, erasure, restriction, portability, objection), to the extent such requests relate to User Personal Data stored within the Services.

8.2 Regulatory and DPIA Assistance. Acodei will provide User with reasonable cooperation and assistance, at User’s expense where applicable, with:

• data protection impact assessments;
• consultations with Supervisory Authorities; and
• other compliance obligations reasonably related to Acodei’s Processing of User Personal Data.

9. Personal Data Breach Notification

9.1 Notification. Upon becoming aware of a Personal Data Breach affecting User Personal Data, Acodei will notify User without undue delay and provide information reasonably required for User to meet its obligations to notify affected individuals and/or Supervisory Authorities, taking into account any legitimate law-enforcement or security constraints.

9.2 Cooperation. Acodei will take reasonable steps to investigate, mitigate, and remediate the Personal Data Breach and will keep User informed of material developments, to the extent such information is available.

10. Return and Deletion of Data

10.1 During the Agreement. Throughout the term of the Agreement, User may export certain User Personal Data from the Services using available functionality, where provided.

10.2 At Termination. Upon termination or expiration of the Agreement, Acodei will, at User’s choice and to the extent technically feasible:

• delete User Personal Data; or
• return User Personal Data to User,

within 30 days, unless a longer retention period is required by applicable law or necessary to protect Acodei’s legitimate interests (e.g., for legal claims). Backups may be retained for a limited period in accordance with Acodei’s standard backup policies and will be securely deleted in the ordinary course of business.

11. Audits and Information

11.1 Information. Acodei will make available to User all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws in relation to User Personal Data.

11.2 Audits. Where required by Data Protection Laws and subject to reasonable notice, confidentiality, and security restrictions, User (or its independent auditor, not a competitor of Acodei) may conduct an audit of Acodei’s Processing of User Personal Data. Audits will:

• occur no more than once per year (unless required by a Supervisory Authority);
• be conducted during normal business hours; and
• be limited to facilities, systems, and records reasonably relevant to the Services.

11.3 If Acodei makes available third-party audit reports or certifications (e.g., SOC 2, ISO), User agrees that such materials may satisfy its audit needs where appropriate.

12. Liability

12.1 The limitations and exclusions of liability set out in the Agreement apply to this DPA, unless otherwise prohibited by applicable Data Protection Laws.

13. Governing Law

13.1 This DPA will be governed by the governing law specified in the Agreement. If the Agreement does not specify governing law, this DPA will be governed by the laws of the State of Utah, United States, excluding its conflict-of-law rules.

14. Changes to this DPA

14.1 Acodei may modify this DPA as necessary to (a) reflect changes in the Services, (b) comply with applicable law or guidance, or (c) update Subprocessors or security practices. Acodei will provide notice of material changes, and such changes will become effective as stated in the notice or in accordance with the Agreement.

15. Order of Precedence

15.1 In the event of any conflict between this DPA and the Agreement, this DPA will govern with respect to Acodei’s Processing of User Personal Data, unless otherwise expressly stated or required by Data Protection Laws.

Annex A – Details of Data Processing

A.1 Categories of Data Subjects

Depending on how User configures and uses the Services, User Personal Data may relate to:

1. User Personnel
   • Individuals who register for or access an Acodei account on behalf of User (e.g., owners, admins, finance staff, accountants).
2. Client Customers
   • End customers of User who have transacted via connected payment processors (e.g., Stripe) and whose data is synchronized into connected accounting platforms (e.g., QuickBooks Online).
3. Support and Contact Persons
   • Individuals who communicate with Acodei via support channels (e.g., Help Scout) in relation to the Services.

A.2 Categories of Personal Data

Exact data elements depend on User’s configuration and the data transmitted by integrated platforms (e.g., Stripe, QuickBooks).

1. User Personnel
   • Identification & contact data: name, email address, role, business contact details, login identifiers.
   • Account data: organization name, subscription details, configuration settings, usage metrics.
   • Authentication/technical data: IP address, device information, log data, activity logs related to use of the Services.
2. Client Customers (end customers of User)
   • Identification & contact data: name, email address, billing/shipping address, customer IDs, and other identifiers provided via payment platforms.
   • Transactional & financial data: transaction amounts, currencies, timestamps, payment method type (e.g., card, ACH), tax amounts, fees, refunds, payouts, settlement data, invoice and order identifiers, accounting categorizations, and similar financial metadata received from Stripe and synced to QuickBooks.
   • Note: Acodei Processes only the payment details made available via User’s selected payment processors and accounting platforms and does not itself act as a payment processor.
3. Support Communications
   • Content of support tickets, emails, or other communications;
   • Related metadata (timestamps, email headers, internal notes) to the extent they contain Personal Data.
4. Usage and Analytics Data
   • Event data about how Users interact with Acodei’s web app (page views, clicks, feature usage, session replay data, etc.), IP addresses, device attributes, and browser information, where such data qualifies as Personal Data.

A.3 Sensitive Data

Acodei does not intentionally collect or Process special categories of Personal Data (e.g., health data, political opinions) or data relating to children, and the Services are not designed for such use. User is responsible for ensuring that special category data is not transmitted to the Services unless explicitly agreed in writing.

A.4 Frequency and Nature of Processing

• Frequency: Continuous and event-driven, as determined by User’s configuration, integrations, and automated synchronization tasks.
• Nature: Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, alignment, disclosure (to authorized recipients), and deletion.

A.5 Purpose of Processing

Acodei Processes User Personal Data for the following purposes:

• To provide and operate the Services, including data synchronization between payment processors (e.g., Stripe) and accounting platforms (e.g., QuickBooks).
• To maintain, secure, monitor, and improve the Services (including analytics and logging).
• To provide customer support and communicate about the Services (e.g., onboarding, incident notifications, product updates).
• To comply with User’s documented instructions and applicable laws.

A.6 Duration of Processing and Retention

• Acodei will Process User Personal Data for the duration of the Agreement, unless otherwise required by law.
• After termination, Acodei will delete or return User Personal Data in accordance with Section 10 of this DPA.
• Certain data may be retained in backups or logs for a limited period consistent with Acodei’s retention policies and applicable legal obligations.

Annex B – Acodei Subprocessors

Below is a non-exhaustive list of third-party Subprocessors that may Process User Personal Data in connection with the Services. Acodei may update this list from time to time in accordance with Section 6.

Note: Locations are general regions; each provider may use multiple sub-locations as part of their infrastructure.

1. Amazon Web Services, Inc. (AWS)
   • Purpose: Cloud infrastructure and hosting provider for storage, databases, and compute resources supporting the Acodei application.
   • Category: Infrastructure & hosting.
   • Location: Primarily United States (and other regions as configured for resilience and compliance).
2. PostHog, Inc.
   • Purpose: Product analytics, feature flags, and session tracking to understand and improve product usage and user experience. PostHog+1
   • Category: Product analytics and usage tracking.
   • Location: United States / global cloud infrastructure.
3. Loops (Loops email platform)
   • Purpose: Sending transactional and product-related emails (e.g., account notifications, onboarding flows, product updates) and managing email events (delivery, opens, clicks).
   • Category: Email delivery & marketing/transactional communications.
   • Location: United States / global cloud infrastructure.
4. Help Scout
   • Purpose: Customer support ticketing and helpdesk platform to manage and respond to support requests.
   • Category: Customer support services.
   • Location: United States / global cloud infrastructure.
5. Slack Technologies, LLC
   • Purpose: Internal communication platform used by Acodei for operational coordination, including receiving alerts or notifications that may include limited User Personal Data (e.g., user IDs or ticket references).
   • Category: Internal communications & operations.
   • Location: United States / global cloud infrastructure.
6. Stripe, Inc.
   • Purpose: Payment platform that User connects to the Services; Acodei retrieves transaction and customer information from Stripe’s APIs for synchronization into accounting software.
   • Category: Payment data source (User’s selected payment processor).
   • Location: Global operations with data Processing in multiple jurisdictions.
7. Intuit Inc. (QuickBooks)
   • Purpose: Accounting platform that User connects to the Services; Acodei writes synchronized financial data into User’s QuickBooks account via APIs.
   • Category: Accounting platform / data destination.
   • Location: Primarily United States.
8. New Relic, Inc.
   • Purpose: Application monitoring, logging, and observability platform used to monitor system performance and errors, which may involve Processing telemetry data that can include IP addresses and other identifiers.
   • Category: Monitoring, logging & observability.
   • Location: United States and EU data centers (region chosen by Acodei at account setup).