Data Processing Addendum

Last updated June 6, 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (the “Customer”) and Line Ledger, Inc. (“LineLedger”). It applies where LineLedger processes personal information on your behalf as a processor / service provider in providing the hosted Service. If any term here conflicts with the Terms of Service on the subject of data processing, this DPA controls.

1. Roles and scope

For the Customer Data you submit to the Service — your ledgers, invoices, contacts, documents, payroll, and similar content — you act as the controller (or “business”) and LineLedger acts as the processor (or “service provider”). LineLedger processes Customer Data only to provide, secure, and support the Service, and only on your documented instructions, including as set out in the Terms of Service, this DPA, and your configuration and use of the Service. LineLedger will not “sell” or “share” Customer Data, and will not use it for its own purposes or for cross-context behavioral advertising.

For account, billing, and usage information that LineLedger collects to run its business, LineLedger acts as an independent controller as described in the Privacy Policy.

2. Nature and purpose of processing

  • Subject-matter: provision of the hosted double-entry accounting Service.
  • Duration: for the term of your account, plus the limited retention and deletion periods described below.
  • Nature and purpose: hosting, storing, processing, transmitting, backing up, and displaying Customer Data to deliver the Service and support you.
  • Types of personal information: depending on what you enter — names, contact details, and identifiers of your customers, vendors, employees, and donors; tax identification numbers (for example SIN, SSN, EIN, or business numbers); payroll and compensation details; bank-account and payment information; and transaction records.
  • Categories of data subjects: your team members, customers, vendors, contractors, employees, donors, and other individuals you record in your books.

3. LineLedger’s obligations

LineLedger will:

  • Process on instructions. Process Customer Data only on your documented instructions, unless required by law (in which case, where permitted, LineLedger will inform you first).
  • Confidentiality. Ensure personnel authorized to process Customer Data are bound by confidentiality obligations.
  • Security. Implement appropriate technical and organizational measures to protect Customer Data, as summarized on our Security page — including encryption in transit, encryption at rest for backups, access controls and least privilege, support for passkeys and two-factor authentication, and a tamper-evident audit log.
  • Assist you. Taking into account the nature of the processing, provide reasonable assistance to help you respond to data-subject requests (access, correction, deletion, portability, and similar) and to meet your own security, breach-notification, and data-protection-assessment obligations.
  • Breach notification. Notify you without undue delay after becoming aware of a breach of security safeguards affecting Customer Data, with the information reasonably available to help you meet your notification obligations.
  • Deletion or return. On termination, allow you to export Customer Data for at least 30 days, then delete it from active systems within a reasonable period (typically within 90 days), except for copies in routine encrypted backups that rotate out on a normal schedule or where retention is required by law.

4. Sub-processors

You authorize LineLedger to engage the sub-processors listed on our Sub-processors page to process Customer Data. LineLedger will impose data-protection obligations on each sub-processor that are substantially similar to those in this DPA and remains responsible for their performance. When LineLedger adds or replaces a sub-processor in a way that materially affects the processing of Customer Data, it will update that page and, where required by applicable law, give you advance notice and an opportunity to object on reasonable data-protection grounds.

5. International transfers

Customer Data is hosted in Canada, with encrypted backups in Canada. Where a sub-processor processes Customer Data outside your jurisdiction, LineLedger will rely on a lawful transfer mechanism — including standard contractual clauses where applicable — to provide a comparable level of protection consistent with applicable privacy law.

6. Audits and information

On reasonable written request, and no more than once per year (unless required by a regulator or following a security incident), LineLedger will make available information reasonably necessary to demonstrate compliance with this DPA, and will respond to reasonable security questionnaires. The parties will agree in advance on the scope, timing, and confidentiality of any such review.

7. Your obligations

You are responsible for the lawfulness of the Customer Data you provide and your instructions, for having any required consents or legal bases, for configuring the Service and managing your team’s access appropriately, and for meeting your own obligations as controller — including your record-retention and filing obligations.

8. Liability and governing law

Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. This DPA is governed by the laws of British Columbia and the federal laws of Canada applicable therein, consistent with the Terms of Service.

9. Contact

To raise a data-protection matter or request a signed copy of this DPA, email hello@lineledger.ca, attention Privacy Officer, or write to Line Ledger, Inc., 205 – 50 Lonsdale Ave, Office #2404, North Vancouver, BC V7M 2E6, Canada.