Data Processing Agreement

Last updated: May 28, 2026 | Effective: May 28, 2026

This Data Processing Agreement (“DPA”) is entered into between OrgsLedger (“Processor”) and the organization or individual (“Controller” or “Customer”) using the OrgsLedger Service. This DPA governs OrgsLedger’s processing of personal data on behalf of the Controller and forms part of the OrgsLedger Terms of Service. This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent data protection laws.

Definitions
Scope and Purpose
Roles and Responsibilities
Details of Processing
Controller Obligations
Processor Obligations
Technical and Organizational Security Measures
Sub-processors
Data Subject Rights
Personal Data Breach Notification
International Data Transfers
Data Retention and Deletion
Audit and Compliance
Liability
Term and Termination
Governing Law
Contact and DPA Requests

1. Definitions

For the purposes of this DPA, the following definitions apply. Terms defined in the GDPR shall have the meaning ascribed to them therein.

“Applicable Data Protection Law” means all applicable laws and regulations relating to the processing of Personal Data and privacy, including the GDPR, the UK GDPR, the CCPA/CPRA, and any other applicable national or regional data protection laws, as amended or replaced from time to time.
“Controller” means the Customer (organization or individual) who determines the purposes and means of the processing of Personal Data and uses the OrgsLedger Service.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates (e.g., your organization’s members).
“GDPR” means the EU General Data Protection Regulation (Regulation (EU) 2016/679) and, as applicable, the UK GDPR.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by OrgsLedger on behalf of the Controller in connection with the Service.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Processing” means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction.
“Processor” means OrgsLedger, which processes Personal Data on behalf of the Controller.
“Service” means the OrgsLedger platform and all features provided under the Customer’s subscription.
“Sub-processor” means any third-party data processor engaged by OrgsLedger who processes Personal Data in connection with providing the Service.
“Supervisory Authority” means an independent public authority responsible for monitoring compliance with applicable data protection laws.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by OrgsLedger as Processor on behalf of the Controller in connection with the provision of the Service as described in the OrgsLedger Terms of Service.

This DPA supplements and is incorporated into the OrgsLedger Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the subject matter of data protection, this DPA shall prevail.

This DPA covers all Personal Data processed by OrgsLedger on behalf of the Controller, including data relating to the Controller’s organization members, employees, and other individuals whose data is entered into the Service.

3. Roles and Responsibilities

3.1 Controller

The Customer acts as the Controller with respect to the Personal Data of its members, employees, and other individuals processed through the Service. The Controller is responsible for:

Ensuring there is a valid legal basis for processing Personal Data in the Service;
Providing required notices and obtaining required consents from Data Subjects;
Ensuring that instructions given to OrgsLedger comply with Applicable Data Protection Law;
Ensuring that Personal Data entered into the Service is accurate, complete, and up to date.

3.2 Processor

OrgsLedger acts as the Processor with respect to the Personal Data it processes on the Controller’s behalf. OrgsLedger will process Personal Data only on documented instructions from the Controller (including as set out in this DPA and the Terms of Service) and as required by applicable law.

4. Details of Processing

Element	Details
Subject Matter	Processing of Personal Data in connection with the provision of the OrgsLedger platform and related services
Duration	For the term of the Customer’s subscription, plus any post-termination retention period as described in this DPA
Nature and Purpose	Providing organization management, meeting management (including AI transcription and summaries), financial tracking, member management, document storage, and communication features
Categories of Data Subjects	Organization members, administrators, employees, and other individuals whose data the Controller enters into the Service
Categories of Personal Data	Names, email addresses, profile information, organizational roles, financial records, meeting audio/transcripts/summaries, communications, and other data entered into the Service by the Controller
Special Categories of Data	OrgsLedger does not intentionally process special categories of Personal Data. Controllers should not enter such data into the Service without prior written agreement with OrgsLedger.

5. Controller Obligations

The Controller represents and warrants that:

It has a lawful basis for processing the Personal Data it submits to the Service and has provided all required notices to Data Subjects;
It will not instruct OrgsLedger to process Personal Data in a manner that would violate Applicable Data Protection Law;
It will promptly inform OrgsLedger of any changes to its instructions that may affect OrgsLedger’s ability to comply with Applicable Data Protection Law;
It has obtained all necessary consents for OrgsLedger to record and transcribe meetings using AI features where required;
It will maintain records of processing activities as required by applicable law.

6. Processor Obligations

OrgsLedger shall:

Process Personal Data only on documented instructions from the Controller, unless required to do otherwise by applicable law (in which case OrgsLedger shall inform the Controller of such requirement before processing unless prohibited by law);
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
Implement and maintain appropriate technical and organizational security measures as described in Section 7;
Assist the Controller in ensuring compliance with obligations relating to security, breach notification, Data Impact Assessments, and prior consultation;
Delete or return all Personal Data to the Controller upon termination of the Service, as described in Section 12;
Make available all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 13;
Notify the Controller without undue delay if it receives a request from a Data Subject exercising their rights;
Notify the Controller without undue delay if it receives any request, correspondence, complaint, or communication from a Supervisory Authority relating to the Controller’s Personal Data.

7. Technical and Organizational Security Measures

OrgsLedger implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk:

7.1 Technical Measures

Encryption in Transit: TLS 1.2 or higher for all data transmitted between clients and servers.
Encryption at Rest: AES-256 encryption for data stored in databases and file storage systems.
Access Controls: Role-based access control (RBAC), principle of least privilege, and mandatory authentication for system access.
Multi-Factor Authentication (MFA): MFA available and encouraged for all user accounts; required for administrative access.
Network Security: Firewalls, intrusion detection systems, and network segmentation.
Vulnerability Management: Regular vulnerability scanning, patch management, and penetration testing.
Logging and Monitoring: Comprehensive audit logging and real-time security monitoring for anomaly detection.
Backup and Recovery: Regular automated backups with tested recovery procedures.

7.2 Organizational Measures

Data Protection Policies: Documented internal policies and procedures for data protection and privacy.
Employee Training: Regular data protection and security awareness training for all staff with access to Personal Data.
Confidentiality Agreements: All employees and contractors with access to Personal Data are bound by confidentiality obligations.
Incident Response Plan: A documented security incident response and breach notification procedure.
Vendor Management: Due diligence and contractual requirements for all Sub-processors and vendors with access to Personal Data.
Business Continuity: Business continuity and disaster recovery plans to ensure Service availability.

8. Sub-processors

8.1 Authorization

The Controller provides general authorization for OrgsLedger to engage Sub-processors to assist in providing the Service, subject to the requirements of this Section 8.

8.2 Current Sub-processors

OrgsLedger currently uses the following categories of Sub-processors:

Sub-processor	Role	Data Processed	Location
Cloud Infrastructure Provider(s)	Hosting, compute, database, and storage services	All platform data	United States / Varies
Deepgram, Inc.	Real-time audio transcription (speech-to-text AI)	Meeting audio, transcripts	United States
Payment Gateway Provider(s)	Payment processing	Payment and billing data	Varies
Email Service Provider(s)	Transactional email delivery	Email addresses, notification content	Varies
Security and Monitoring Provider(s)	Security monitoring, fraud detection, log analysis	Log data, security events	Varies

The current list of Sub-processors is available upon request at privacy@orgsledger.com.

8.3 New Sub-processors

Before engaging a new Sub-processor who will have access to Personal Data, OrgsLedger will inform the Controller with at least 30 days’ advance notice (e.g., by email or in-app notification). If the Controller objects to the addition of a new Sub-processor on reasonable grounds relating to data protection, it must notify OrgsLedger in writing within the 30-day notice period. OrgsLedger will work in good faith to address the Controller’s concerns.

8.4 Sub-processor Obligations

OrgsLedger shall impose data protection obligations on each Sub-processor no less protective than those set forth in this DPA, through binding written agreements. OrgsLedger remains fully liable to the Controller for the performance of Sub-processors’ obligations under this DPA.

9. Data Subject Rights

OrgsLedger shall provide the Controller with reasonable assistance and appropriate technical and organizational measures to help the Controller fulfill its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

If OrgsLedger receives a Data Subject rights request directly from a Data Subject in relation to the Controller’s Personal Data, OrgsLedger shall notify the Controller promptly and shall not respond to the Data Subject directly without the Controller’s prior written authorization, unless required to do so by applicable law.

OrgsLedger provides the following tools to assist the Controller in responding to Data Subject requests:

Admin dashboard for viewing, exporting, and deleting member data;
Data export functionality for providing data portability to Data Subjects;
Account deletion capabilities for erasure requests.

10. Personal Data Breach Notification

OrgsLedger shall notify the Controller without undue delay, and in any event within 72 hours where feasible, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

Such notification shall include, to the extent available at the time of notification:

A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
The name and contact details of a point of contact from whom more information can be obtained;
A description of the likely consequences of the breach;
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

Where all information required is not available at the time of initial notification, OrgsLedger shall provide additional information in phases as it becomes available.

The Controller is solely responsible for determining whether and how to notify Data Subjects and Supervisory Authorities of any Personal Data Breach in compliance with applicable law.

11. International Data Transfers

Where the Processing of Personal Data involves a transfer of Personal Data to a country outside the EEA, UK, or Switzerland that has not been recognized as providing an adequate level of protection, OrgsLedger shall ensure such transfers are subject to appropriate safeguards, including:

Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Decision 2021/914);
UK International Data Transfer Agreements (IDTAs) or UK Addendum to EU SCCs where applicable;
Any other appropriate transfer mechanism recognized under Applicable Data Protection Law.

To request a copy of the applicable transfer mechanisms, contact privacy@orgsledger.com.

12. Data Retention and Deletion

12.1 During Service Term

OrgsLedger will retain Personal Data for as long as necessary to provide the Service and as directed by the Controller’s settings and instructions.

12.2 Upon Termination

Upon termination or expiry of the Service:

OrgsLedger will retain Personal Data for up to 90 days after termination to allow the Controller to export or retrieve data.
After the 90-day period, OrgsLedger will securely delete or anonymize all Personal Data, unless a longer retention period is required by applicable law.
Upon written request, OrgsLedger will certify the deletion of Personal Data in writing.

12.3 Legal Retention Obligations

Notwithstanding the above, OrgsLedger may retain certain Personal Data for longer periods where required by applicable law (e.g., financial records required to be retained for 7 years). Any such retained data will be processed solely for the purpose of meeting the legal obligation and will be protected by appropriate safeguards.

13. Audit and Compliance

Upon the Controller’s written request, OrgsLedger shall:

Make available all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA;
Allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice (at least 30 days) and agreement on the scope and confidentiality of such audits.

Audits shall be conducted no more than once per year unless required by a Supervisory Authority, shall be conducted during regular business hours, shall not unreasonably disrupt OrgsLedger’s operations, and shall be subject to the Controller bearing all costs and expenses of such audits.

As an alternative to on-site audits, OrgsLedger may provide relevant certifications (e.g., SOC 2 Type II, ISO 27001) or audit reports from recognized third-party auditors as evidence of compliance.

14. Liability

Each party’s liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the OrgsLedger Terms of Service.

If OrgsLedger processes Personal Data other than as instructed by the Controller and such processing gives rise to liability under Applicable Data Protection Law, OrgsLedger shall bear full responsibility for such excess processing and indemnify the Controller for any resulting damages, fines, or penalties.

If the Controller gives unlawful instructions to OrgsLedger, the Controller shall indemnify OrgsLedger against any resulting penalties, claims, or damages suffered by OrgsLedger due to compliance with such instructions.

15. Term and Termination

This DPA shall take effect on the date the Controller accepts the OrgsLedger Terms of Service or first uses the Service and shall remain in force for as long as OrgsLedger processes Personal Data on behalf of the Controller.

This DPA shall automatically terminate upon the termination or expiry of the OrgsLedger Terms of Service, subject to the post-termination obligations set forth in Section 12.

16. Governing Law

This DPA shall be governed by the same governing law as the OrgsLedger Terms of Service. For EEA or UK-based Controllers, the provisions of the GDPR and applicable national data protection laws shall apply and take precedence in the event of any conflict.

17. Contact and DPA Requests

For all matters relating to this DPA, data protection compliance, or to request execution of a signed DPA, please contact:

Data Protection: privacy@orgsledger.com
Legal/DPA Requests: legal@orgsledger.com
Security Incidents: security@orgsledger.com
Website: https://orgsledger.com

Organizations requiring a countersigned DPA for compliance purposes may request one at legal@orgsledger.com.