Data Processing Addendum (DPA)
Last updated: October 27, 2025
1. Data Processing Addendum (DPA) – Purpose & Legal Effect
This Data Processing Addendum (“DPA”) forms part of and supplements the TechBrot Inc. (“TechBrot”) Bookkeeping & Accounting Services Agreement, Terms & Conditions, applicable Order Forms, and any other executed scopes or addenda between TechBrot and the Client (“Client”).
This DPA governs TechBrot’s processing of Personal Data on behalf of the Client in compliance with applicable privacy and data protection laws, including (as applicable): GDPR, UK GDPR, CCPA/CPRA, U.S. state privacy laws, and sectoral privacy frameworks. If any conflict arises between this DPA and the Service Agreement, the executed DPA or Service Agreement controls.
2. Parties & Roles
Client: Acts as the “Controller,” determining purposes and means of processing.
TechBrot Inc.: Acts as the “Processor,” processing Personal Data only on documented Client instructions.
Role allocation may change to “joint controller” or “independent controller” for specific activities if required by law or mutually executed in writing.
3. Purpose, Nature & Scope of Processing
TechBrot processes Personal Data solely to deliver the contracted Services, including but not limited to:
- Bookkeeping, transaction categorization, reconciliations, and Deliverables.
- Accounting system setup/cleanup, chart of accounts mapping, and reporting.
- Payroll advisory, vendor/customer ledger management, and document handling.
- Secure communication with financial institutions, third-party platforms, or vendors.
- Internal analytics, fraud prevention, evidence retention (Terms, Section 7.5).
No processing beyond the Service scope is permitted without Client’s documented authorization.
4. Categories of Personal Data
Processing may include the following categories of Personal Data:
- Client identification information (names, emails, phone numbers, addresses).
- Business information (company details, tax IDs, legal registrations).
- Financial data (bank account details, transaction history, invoices, payroll).
- Employee or vendor Personal Data (names, pay details, tax information).
- System, metadata & audit logs for tracking actions, access, or system performance.
- Payment authorization metadata for fraud prevention (IP address, session logs).
5. Categories of Data Subjects
- Client personnel
- Client customers and vendors
- Client employees and contractors (payroll processing)
- Authorized system users
6. Duration, Retention & Return/Deletion
TechBrot processes Personal Data only for as long as required to deliver Services or as directed by the Client.
Upon termination:
- Client may request return of Personal Data in machine-readable format.
- Client may request deletion; deletion is performed securely and is certifiable.
- Backups are purged per TechBrot’s retention schedule.
Retention exceptions:
- Legal obligations (tax/audit laws require record retention up to 7 years).
- Payment/ACH mandates retained for at least 2 years (NACHA compliance).
- Evidence retention for disputes or chargebacks (Terms, Section 7.5).
- Security logs maintained based on regulatory requirements.
7. Security Measures
TechBrot implements industry-standard and reasonable security measures, including:
- TLS/HTTPS encryption in transit.
- Encryption at rest where supported.
- Strict role-based access controls & least-privilege security model.
- MFA and periodic credential rotation.
- Firewalling, IDS/IPS, endpoint protection, anti-malware.
- Vulnerability scanning, patch management, disaster recovery.
- Personnel confidentiality agreements & periodic security training.
- Monitoring, system logging, and traceability for audit support.
Security capabilities align with the obligations in Terms, Sections 9 & 10.
8. Subprocessors
TechBrot may engage verified subprocessors such as:
- Cloud hosting vendors
- Analytics providers
- Communication platforms
- Payroll systems & financial platforms
- Payment processors (e.g., Stripe)
Key rules:
- TechBrot remains fully liable for subprocessors.
- Subprocessors must agree to obligations equal to or stronger than those in this DPA.
- Client may request a current list of subprocessors.
- TechBrot will give 30 days’ notice for new subprocessors; Client may object with valid grounds.
9. International Transfers (GDPR, SCCs)
Personal Data may be transferred internationally, including to the U.S. Where required, TechBrot implements:
- Standard Contractual Clauses (SCCs)
- Transfer Impact Assessments (TIA)
- Required supplementary measures (encryption, access control, logs)
Client is responsible for informing TechBrot about specific jurisdictional requirements.
10. Assistance with Data Subject Requests
TechBrot will assist the Client in fulfilling rights requests (access, correction, deletion, portability, restriction, objection) consistent with applicable law and Terms, Section 9.
If TechBrot receives a request directly from a data subject, TechBrot will:
- Notify the Client promptly.
- Not respond unless instructed by the Client or required by law.
11. Breach Notification & Incident Response
TechBrot maintains an incident response plan. In the event of a confirmed data breach involving Client Personal Data:
- TechBrot will notify the Client without undue delay (and within 72 hours where GDPR applies).
- TechBrot will provide details of the breach, affected data types, and remediation steps.
- TechBrot will provide continued cooperation for Client regulatory obligations.
12. Audits, Records & Demonstrating Compliance
TechBrot maintains documentation necessary to demonstrate compliance. Upon reasonable written request:
- TechBrot may provide audit summaries, security certifications, or reports.
- Where required, an independent auditor may conduct an on-site audit at Client’s expense.
- Audits must not interfere unreasonably with TechBrot operations.
For data subject, regulator, or dispute audits, TechBrot will maintain evidence as required under Terms, Section 7.5.
13. Processing Instructions & Conflicts of Law
TechBrot processes Personal Data only per Client’s documented instructions. If any instruction violates applicable law:
- TechBrot will notify the Client promptly.
- TechBrot may suspend processing until revised instructions are provided.
If legally compelled to disclose Personal Data, TechBrot will notify the Client unless prohibited by law.
14. Liability & Indemnification
Liability for data processing follows the Service Agreement and Terms, including:
- Limitation of Liability (Terms, Section 14)
- Indemnification (Terms, Section 13)
- Dispute Resolution & Arbitration (Terms, Section 21)
Liability for willful misconduct or statutory requirements is not limited.
15. Return/Deletion of Data on Termination
Upon termination:
- TechBrot will return Personal Data upon request.
- TechBrot will securely delete Personal Data if instructed.
- TechBrot will certify deletion if required.
- Backups will be removed in accordance with retention schedules.
16. Chargeback Protection, Evidence Use & Authorization
This DPA, in conjunction with the Terms & Refund Policy, provides strong evidence of:
- Client’s explicit service authorization.
- Defined scope, purpose, and lawful basis for processing Client data.
- Client’s consent to retain logs, records, IP data, signatures, and authorization metadata (Terms, Section 7.5).
- Clear dispute, review, and non-refund provisions (Refund Policy & Terms, Section 7).
For chargeback disputes, TechBrot may provide banks or processors with:
- Signed Service Agreements & Order Forms
- Click/tap acceptance logs, timestamps & IP address logs
- ACH mandates or card authorization records
- Copies of Deliverables and communication logs
- DPA terms showing consent for processing
These documents collectively form a strong evidentiary package to counter unauthorized or fraudulent chargebacks.
17. Miscellaneous, Governing Law & Amendments
This DPA is incorporated into the Service Agreement. If any provision is found invalid, the remaining provisions remain enforceable.
TechBrot may update this DPA where required by law or operational necessity. Material changes will be communicated with reasonable notice.
Governing Law: Delaware, USA. Dispute resolution follows the arbitration rules in Terms, Section 21.
Trademark Notice: TechBrot Inc. is independent and not affiliated with Intuit Inc. All third-party trademarks belong to their respective owners.