Data Processing Agreement

Effective Date: April 2026

Version: 1.0

Framework: UK GDPR / Data Protection Act 2018

This Data Processing Agreement forms part of the Terms of Service between the Customer (Controller) and LedgerPro™ (Processor) and is governed by UK GDPR and the Data Protection Act 2018.

1. Parties

Party	Role
Customer (the law firm subscribing to LedgerPro™)	Data Controller
LedgerPro™	Data Processor

2. Scope of Processing

LedgerPro™ processes personal data solely for the purpose of providing the LedgerPro™ service as described in the Terms of Service. Processing is carried out only on documented instructions from the Customer.

Element	Detail
Subject matter	Legal accounts management and SRA compliance support
Duration	For the term of the subscription and applicable retention periods
Nature of processing	Storage, retrieval, display, and structured reporting of financial and user data
Types of personal data	Names, email addresses, IP addresses, financial transaction records, audit logs
Categories of data subjects	Law firm staff, clients (as referenced in matter records)

3. Processor Obligations

LedgerPro™ shall:

Process personal data only on documented instructions from the Customer
Ensure that persons authorised to process data are bound by confidentiality obligations
Implement appropriate technical and organisational security measures
Assist the Customer in responding to data subject rights requests
Assist the Customer with Data Protection Impact Assessments where required
Delete or return all personal data upon termination of the service
Make available all information necessary to demonstrate compliance

4. Subprocessors

LedgerPro™ may engage the following subprocessors. All subprocessors are bound by data protection obligations equivalent to those in this DPA:

Subprocessor	Purpose	Location	Safeguards
DigitalOcean	Cloud infrastructure and database	UK/EU	SCCs / Adequacy
Cloudinary	Media and document storage	EU	SCCs
Stripe	Payment processing	EU	SCCs / PCI DSS
Resend	Transactional email	EU	SCCs

LedgerPro™ will notify the Customer of any intended changes to subprocessors, giving the Customer the opportunity to object.

5. Security Measures

LedgerPro™ implements the following security measures:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Role-based access controls with least-privilege enforcement
Multi-factor authentication for administrative access
Immutable audit logging of all data access and modifications
Regular independent security scanning and penetration testing
Daily encrypted backups with tested recovery procedures

6. Personal Data Breach Notification

In the event of a personal data breach, LedgerPro™ will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include:

Nature of the breach and categories of data affected
Approximate number of data subjects affected
Measures taken or proposed to address the breach
Contact details for the LedgerPro™ point of contact

7. Data Return and Deletion

Upon termination of the service, LedgerPro™ will at the Customer's election:

Return all personal data to the Customer in a portable format, or
Securely delete all personal data

This is subject to any legal retention obligations that require LedgerPro™ to retain data for a longer period.

8. Audit Rights

The Customer may request reasonable evidence of LedgerPro™'s compliance with this DPA, including security documentation and audit reports. LedgerPro™ will respond to such requests within a reasonable timeframe.

9. International Transfers

Where personal data is transferred to countries outside the UK, LedgerPro™ ensures appropriate safeguards are in place in accordance with UK GDPR Article 46, including Standard Contractual Clauses approved by the ICO.

10. Contact

For DPA-related enquiries: legal@lawledgerpro.com