Ledgeron

Data Processing Addendum (DPA)

Effective Date: February 26, 2026

1. Parties and Scope

This Data Processing Addendum ("DPA") forms part of the agreement between XPerf Inc. ("Processor") and the customer ("Controller") governing use of the Ledgeron platform and related services.

This DPA applies to the processing of Personal Data and Business Data where XPerf acts as a data processor on behalf of the Controller.

2. Roles of the Parties

Controller: Customer

Processor: XPerf Inc.

XPerf processes data solely on documented instructions from the Controller and in accordance with applicable data protection laws.

3. Nature and Purpose of Processing

Processing activities include:

  • Storage, transmission, and retrieval of bookkeeping and accounting data
  • Automated processing using AI and machine learning systems for transaction categorization, receipt extraction, and report generation
  • Reporting, analytics, and system monitoring
  • Customer support and security operations
  • Anonymized data aggregation for service improvement (only with removal of all personally identifiable information)

4. Categories of Data Subjects and Data

Data Subjects: Customers, their employees, contractors, vendors, and clients

Data Types: Financial records, transaction data, contact details, identifiers, bank account information, invoice data, receipt images, and usage metadata

5. Security Measures

XPerf implements technical and organizational safeguards, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls and least-privilege access
  • Logging, monitoring, and intrusion detection systems
  • SOC 2-aligned security controls
  • Multi-factor authentication for administrative access
  • Regular vulnerability assessments and penetration testing
  • Encrypted, geographically distributed backup systems
  • Documented incident response procedures

6. Sub-Processors

XPerf may engage sub-processors for infrastructure and service delivery (e.g., cloud hosting, analytics, payment processing). XPerf remains responsible for sub-processor compliance and maintains appropriate contractual safeguards.

XPerf will notify the Controller at least thirty (30) days in advance of any intended changes to the list of sub-processors, giving the Controller the opportunity to object to such changes.

A current list of sub-processors will be made available upon request.

7. Security Incident Notification

XPerf shall notify the Controller without undue delay and no later than seventy-two (72) hours after becoming aware of a confirmed Security Incident involving Personal Data. XPerf will provide available information necessary for the Controller to meet its legal obligations, including the nature and scope of the incident, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the incident.

8. Data Subject Rights

XPerf will reasonably assist the Controller in responding to data subject requests where required by law, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.

9. Data Protection Impact Assessments

XPerf will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required by applicable data protection law.

10. Audit Rights

Upon reasonable written request and subject to appropriate confidentiality obligations, XPerf will make available to the Controller information necessary to demonstrate compliance with this DPA. The Controller may conduct or commission an independent audit, no more than once per year, upon at least thirty (30) days' prior written notice, during normal business hours, and at the Controller's expense. XPerf may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2 Type II, when available).

11. International Data Transfers

Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to jurisdictions without an adequate level of data protection, XPerf will ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms as required by applicable law.

12. Data Retention and Deletion

Upon termination of services, XPerf will delete or return Personal Data within sixty (60) days, unless retention is required by law. Upon request, XPerf will provide written certification of data deletion.

13. Data Localization

Business Data is primarily stored and processed in the United States. XPerf will inform the Controller of any changes to the geographic location of data processing.

14. Governing Law

This DPA is governed by the laws of the State of Texas, without regard to conflict-of-laws principles. For Personal Data subject to GDPR, this DPA is also subject to applicable EU data protection law.

Contact Information

XPerf Inc.
101 E Old Settlers Blvd, Suite 120
Round Rock, TX 78664
Email: support@everbranch.ai

© 2026 XPerf Inc. All rights reserved.