Legal

Data Processing Addendum (DPA)

Last updated: 01/01/2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service of AccessLedger ("Agreement") and applies where Sole Proprietor Vityuk V.G., tax ID 3225423979 ("Processor") processes Personal Data on behalf of the customer ("Controller").

1. Definitions

Terms such as Personal Data, Processing, Controller, and Processor have the meanings given in the GDPR.

2. Scope and Purpose

Processor processes Personal Data solely to provide and operate the AccessLedger service in accordance with the Agreement and documented instructions of the Controller.

3. Nature of Processing

Subject matter

Temporary access tracking and audit

Duration

For the term of the Agreement

Categories of data subjects

Employees, contractors, vendors

Types of personal data

Names, email addresses, access metadata

Processing activities

Storage, access control, notifications, audit logging

4. Controller Obligations

  • ensures a lawful basis for processing Personal Data;
  • provides required notices to data subjects;
  • is responsible for data accuracy and minimization.

5. Processor Obligations

Processor shall:

  • process Personal Data only on documented instructions from Controller;
  • ensure confidentiality of personnel;
  • implement appropriate technical and organizational security measures;
  • assist Controller with data subject requests where reasonably possible.

6. Subprocessors

Controller authorizes the use of the following subprocessors:

  • Supabase (hosting, database, authentication)
  • Payment provider (billing; merchant of record)
  • Resend (transactional emails)
  • Internal automation services (self-hosted n8n) - notification and workflow processing

Processor remains responsible for subprocessors' compliance.

7. International Transfers

Where Personal Data is transferred outside the EU/EEA, Processor ensures appropriate safeguards in accordance with GDPR.

8. Security Measures

Processor applies measures including:

  • encrypted data in transit;
  • access controls and least-privilege principles;
  • logical isolation of customer data.

9. Data Breach Notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data breach.

10. Deletion or Return of Data

Upon termination of the Agreement, Processor will delete or return Personal Data, unless retention is required by law.

11. Audits

Upon reasonable request, Processor will provide information necessary to demonstrate compliance with this DPA.

12. Governing Law

This DPA is governed by the laws of Ukraine.

13. Contact

Privacy and data protection inquiries:

Email: help@access-ledger.com