1. Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between VaultLedge ("Processor") and the customer ("Controller") who uses VaultLedge to process personal data on behalf of their business, clients, or employees.
2. Scope & Purpose of Processing
The Processor processes personal data solely for the purpose of providing the VaultLedge accounting, bookkeeping, invoicing, and payroll services as described in the Terms of Service.
Categories of data subjects:
- Controller's employees (payroll data, W-4 information, bank account details)
- Controller's clients/customers (names, emails, addresses on invoices)
- Controller's vendors (contact information on bills)
- Controller's account users (email, display name)
Categories of personal data:
- Identity data (names, email addresses, mailing addresses)
- Financial data (bank transactions, invoice amounts, payroll figures)
- Tax data (SSN/EIN and W-4 information; SSN/EIN values are encrypted at rest with AES-256-GCM)
- Employment data (pay rates, benefits, PTO balances)
- Bank account data (routing/account numbers — encrypted, display masked to last 4 digits)
3. Obligations of the Processor
- Process personal data only on documented instructions from the Controller (i.e., as directed by the Controller's use of the Service).
- Ensure that persons authorized to process personal data have committed to confidentiality.
- Implement appropriate technical and organizational security measures (see Section 5).
- Assist the Controller in responding to data subject access requests.
- Delete or return all personal data upon termination of the service, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow for audits.
4. Sub-Processors
The Processor uses the following sub-processors. The Controller consents to the use of these sub-processors by agreeing to this DPA:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | USA (AWS) |
| Vercel | Application hosting, edge functions | USA (AWS) |
| Anthropic | AI categorization (zero data retention) | USA |
| Stripe | Payment processing, ACH transfers | USA |
| Plaid | Bank account connection (read-only) | USA |
| Resend | Transactional email delivery | USA |
The Processor will notify the Controller of any intended changes to the list of sub-processors, providing the Controller an opportunity to object.
5. Technical & Organizational Measures
- Encryption in transit: All data transmitted via TLS 1.2+.
- Encryption at rest: Database encrypted at the storage layer (Supabase/AWS). Sensitive fields (SSN, bank accounts) additionally encrypted with AES-256-GCM application-level encryption.
- Access control: Row-Level Security (RLS) on all database tables ensures data isolation between users. Supabase Auth with bcrypt password hashing.
- Masking: Sensitive data (SSN, account numbers) displayed with only last 4 digits visible.
- AI processing: Our third-party AI provider operates under zero data retention (ZDR) — no personal data is stored by the AI provider.
- Audit trail: All data modifications logged with user, timestamp, and action type.
- Backups: Automated database backups managed by Supabase with point-in-time recovery.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach. The notification will include the nature of the breach, categories of data affected, estimated number of data subjects impacted, and measures taken or proposed to mitigate the breach.
7. Data Subject Rights
The Processor will assist the Controller in responding to data subject requests including:
- Access: Full data export available via Settings → Privacy → Export All Data.
- Rectification: Users can update their own data through the dashboard.
- Erasure: Account deletion permanently removes all data within 30 days (Settings → Privacy → Delete Account).
- Portability: Data exportable in JSON format.
- Restriction: Email notification preferences allow limiting certain processing activities.
8. International Transfers
All personal data is processed and stored in the United States. For transfers from the European Economic Area (EEA) or United Kingdom, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. Copies are available upon request.
9. Duration & Termination
This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination, the Processor will delete all personal data within 30 days unless retention is required by applicable law. The Controller may request data export before account deletion.
10. Contact
For DPA-related inquiries, to request a countersigned copy, or to report a data breach: