Accordix

Version: 1.0 Effective from: 2026-06-15 Last updated: 2026-06-15

Data Processing Agreement

1. Introduction and applicability

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer and Anton Desiatnykov ("Accordix"). It applies where Accordix processes Customer Personal Data on the Customer's behalf in connection with the Service. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

2. Definitions

Terms such as "personal data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given in the GDPR (Regulation (EU) 2016/679). "Customer Personal Data" means personal data within Customer Content processed by Accordix on the Customer's behalf. "Subprocessor" means a third party engaged by Accordix to process Customer Personal Data.

3. Roles of the parties

For Customer Personal Data within Customer Content, the Customer is the controller (or a processor acting for its own customer) and Accordix is the processor. Accordix acts as an independent controller for the limited data it processes to operate, secure, bill, and support the Service (for example account data, authentication data, security logs, and support communications); that processing is described in the Privacy Policy, not this DPA.

4. Subject matter and duration

The subject matter is the provision of the Service. Accordix processes Customer Personal Data for the duration of the Customer's use of the Service and until deletion or return in accordance with section 18.

5. Nature and purpose of processing

Accordix processes Customer Personal Data to host, organize, transmit, and make available documents and workflow data so that the Customer and its authorised Users can collect, request, track, and review documents. Where the Customer enables the optional "find missing linked documents" feature on a request, Accordix additionally transmits the raw linked document to its AI subprocessor (Google Cloud Vertex AI, EU region) to generate suggestions of related documents that may be missing; that output is reviewed by a person and does not involve automated decision-making producing legal or similarly significant effects on a data subject (GDPR Art. 22). Further detail is in Annex 1.

6. Categories of data subjects

  • Customer users (business members);
  • accountants;
  • client representatives;
  • employees or contractors whose documents are uploaded;
  • suppliers and customers appearing on invoices or receipts;
  • other individuals appearing in accounting documents.

7. Categories of personal data

  • names;
  • email addresses;
  • phone numbers;
  • company identifiers;
  • tax identifiers, where applicable;
  • bank account numbers;
  • invoice and receipt details;
  • the contents of uploaded documents;
  • metadata, timestamps, request status, and audit/log entries;
  • support communications.

8. Special category data

Accordix is not designed for the intentional collection of special categories of personal data unless explicitly agreed in writing. Customers should avoid uploading health, biometric, criminal offence, or other highly sensitive data unless they have a valid legal basis and have assessed the associated risks. Uploaded documents may incidentally contain such data; the Customer remains responsible for assessing and lawfully handling it.

9. Processor obligations

Accordix will: process Customer Personal Data only on documented instructions from the Customer (section 10); ensure persons authorised to process it are bound by confidentiality; implement appropriate technical and organisational measures (section 12 and Annex 2); respect the conditions for engaging subprocessors (section 13); assist the Customer as described in sections 15–16; and, at the Customer's choice, delete or return Customer Personal Data as described in section 18.

10. Customer instructions

The Customer's use and configuration of the Service, together with the Terms and this DPA, constitute its documented instructions. Accordix will inform the Customer if, in its opinion, an instruction infringes applicable data protection law. The Customer is responsible for the lawfulness of the Customer Personal Data and of its instructions.

11. Confidentiality

Accordix will treat Customer Personal Data as confidential and ensure that personnel with access are subject to appropriate confidentiality obligations and access only what they need.

12. Security measures

Accordix implements reasonable technical and organisational measures appropriate to the risk, summarised in Annex 2 and described — with their current limitations — on the Security page. No system can be guaranteed to be completely secure.

13. Subprocessors

The Customer provides general authorisation for Accordix to engage subprocessors to process Customer Personal Data, provided Accordix imposes data protection obligations on them comparable to those in this DPA and remains responsible for their performance. Current subprocessors are listed on the Subprocessors page; these include, where the Customer enables the optional "find missing linked documents" feature, Google Cloud Vertex AI as an AI subprocessor that processes the raw linked documents. Accordix will update that page before adding a subprocessor that materially processes Customer Personal Data, so the Customer has the opportunity to object on reasonable data-protection grounds. Accordix will give notice of an intended change at least 30 days before the new subprocessor begins processing Customer Personal Data; the Customer may object in writing within that period on reasonable data-protection grounds.

14. International transfers

Accordix hosts the application within the EU (Frankfurt, Germany). Where a subprocessor processes Customer Personal Data outside the EU/EEA, Accordix relies on an appropriate transfer mechanism (such as an adequacy decision or Standard Contractual Clauses). The applicable mechanism per provider is recorded on the Subprocessors page.

15. Assistance with data subject requests

Taking into account the nature of the processing, Accordix will provide reasonable assistance through appropriate technical and organisational measures to help the Customer respond to data subject requests (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts Accordix directly about Customer Personal Data, Accordix will, where lawful, refer them to the Customer.

16. Assistance with security, DPIA, and consultations

Accordix will provide the Customer with reasonable assistance, taking into account the information available to Accordix, regarding: security of processing; personal data breach notification; data protection impact assessments; and prior consultation with a supervisory authority.

17. Personal data breach notification

Accordix will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Where reasonably possible, the notification will include the nature of the breach, affected data, likely consequences, and measures taken or proposed. Accordix's internal handling is described in its breach response plan. Notification is not an acknowledgement of fault.

18. Deletion or return of data

Upon termination of the Service, and at the Customer's choice, Accordix will delete or return Customer Personal Data, and delete existing copies, unless storage is required by law. Residual copies in routine backups are deleted in the ordinary course of backup rotation. Customer Personal Data is available for export for up to 30 days after termination, and residual copies in routine backups are overwritten within approximately 35 days. See the Data Export & Deletion page for the applicable windows.

19. Audits and information

Accordix will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and security conditions and reasonable notice. Audits are limited to once per twelve-month period unless a supervisory authority requires otherwise or a personal data breach has occurred.

20. Liability and order of precedence

Liability under this DPA is subject to the limitations of liability in the Terms of Service. In case of conflict on data protection matters, this DPA prevails over the Terms; otherwise the Terms govern.


Annex 1 — Processing details

| Item | Detail |
|---|---|
| Subject matter | Provision of the Accordix document-collection and shared-inbox Service |
| Duration | For the term of the Service plus the deletion/return period in section 18 |
| Nature and purpose | Hosting, organising, transmitting, and making available documents and workflow data on the Customer's instructions; and, where the Customer enables it per request, AI-assisted analysis of a linked document (via Google Cloud Vertex AI, EU region) to suggest related documents that may be missing — suggestions only, human-reviewed, no Art. 22 automated decisions |
| Types of personal data | As listed in section 7 |
| Categories of data subjects | As listed in section 6 |
| Frequency | Continuous, for the duration of use |

Annex 2 — Technical and organisational measures

A high-level summary (full and honest detail, including current limitations, is on the Security page; internal measures are tracked in the internal TOMs record):

  • Encryption in transit (HTTPS/TLS).
  • Hashed passwords (bcrypt); authentication via a signed, HttpOnly session cookie.
  • Role-based access control and organization-level data separation (tenant isolation).
  • Access on a need-to-know basis; secrets held in environment configuration.
  • No document contents, recipient addresses, tokens, or download links written to logs.
  • EU-based application hosting with provider-managed infrastructure security and backups.
  • Honest current limitations: no application-level encryption at rest, no multi-factor authentication, no self-service password reset, no login rate limiting, and audit logging covering inbound intake channels only. These are tracked as planned improvements.

Annex 3 — Subprocessors

The current list of subprocessors, with purpose, data processed, region, and transfer mechanism, is maintained on the public Subprocessors page and incorporated here by reference.
