Data Processing Agreement
Effective date: 2026-05-07 · Document version: 2026-05-07
This Data Processing Agreement ("DPA") supplements the Terms of Service and forms a contract under Article 28 of Regulation (EU) 2016/679 ("GDPR") between you (the "Controller") and the Operator (the "Processor") whenever the Operator processes personal data on your behalf in connection with the Service.
1. Parties
- Controller — you, the Service customer (typically an Estonian OÜ, AS, FIE or MTÜ).
- Processor — Xprofit OÜ, registry code 14662029, Pae tn 21, 11414 Tallinn, Estonia, contact info@xprofitx.com.
2. Subject matter, nature, purpose and duration
- Subject matter — processing of personal data necessary for the Operator to provide the Service.
- Nature — storage, structuring, computation, generation of declarations and reports, AI-assisted categorisation, transmission to authorities triggered by the Controller, hosting backups.
- Purpose — preparation and submission of the Controller's accounting reports and tax declarations.
- Duration — the term of the Service contract plus the statutory retention period (Raamatupidamise seadus § 12, currently 7 years), after which the data is deleted unless a longer period is required by law.
3. Categories of data subjects and personal data
- Data subjects: the Controller's employees, board members, contractors, customers and counterparties whose data the Controller uploads or which the Service receives from public registers on the Controller's behalf.
- Personal data: identification data (names, isikukood), contact details, employment data, salary and tax data, banking data (IBAN, transactions), invoice data, declaration content.
The Service is not designed to process special categories of personal data (GDPR Art 9). The Controller must not upload health data, biometric data, religious or political views, etc.
4. Processor's obligations (GDPR Art 28(3))
- Process personal data only on documented instructions from the Controller, including transfers to third countries — instructions are given through the Service interface and these terms.
- Ensure that personnel authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (set out in Annex I).
- Engage subprocessors only under the conditions set out in Section 6 below.
- Assist the Controller in fulfilling its obligation to respond to data-subject requests (GDPR Art 12–22).
- Assist the Controller in complying with Art 32–36 GDPR (security, breach notification, impact assessments).
- On termination of the Service contract, delete or return all personal data, at the Controller's choice, in machine-readable format (CSV / JSON / PDF for declarations) within 30 days of receiving a written request, except as required by law to retain (notably Raamatupidamise seadus § 12 — 7-year retention of accounting records).
- Make available to the Controller all information necessary to demonstrate compliance with Art 28 and allow for and contribute to audits, in line with Section 7.
5. Controller's responsibilities
- Ensure a lawful basis for the processing the Controller instructs the Processor to perform.
- Provide notices and obtain consents from data subjects as required by GDPR.
- Configure access controls inside the account responsibly.
- Notify the Processor without undue delay of any data-subject request that involves the Processor's actions.
6. Subprocessors
The Controller authorises the Processor to engage the subprocessors listed in Annex II. The Processor maintains the list and notifies the Controller (via this page or by email) at least 30 days before adding or replacing a subprocessor.
The Controller may object to a new subprocessor on reasonable, documented data-protection grounds within 30 days of the notification. In that case the parties will discuss in good faith for up to 14 days; if no resolution is reached, the Controller may terminate the affected portion of the Service and receive a pro-rata refund of pre-paid fees attributable to the period after termination. Failure to object within the 30-day window constitutes acceptance of the new subprocessor.
The Processor remains liable to the Controller for the performance of any subprocessor's GDPR obligations.
7. Audit rights
The Controller may audit the Processor's compliance with this DPA once per calendar year, on at least 30 days' written notice, during business hours, subject to mutual NDA, and at the Controller's expense. The Processor may satisfy audit requests by providing recent third-party security certifications and reports (e.g. ISO 27001, SOC 2) where available.
Where an audit request concerns a single subprocessor, the Processor will use reasonable efforts to facilitate a coordinated audit through that subprocessor's standard audit programme.
8. Personal-data breaches
The Processor will notify the Controller without undue delay and in any event within 48 hours after becoming aware of a personal-data breach affecting Controller data. Notice will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
9. International transfers
Where personal data is transferred outside the European Economic Area, the parties rely on Standard Contractual Clauses (Decision (EU) 2021/914) executed with the relevant subprocessor, supplemented by encryption in transit and at rest. Module Two (Controller-to-Processor) and where applicable Module Three (Processor-to-Subprocessor) apply.
10. Liability
The liability provisions of the Terms of Service apply to this DPA. Nothing in this DPA limits a data subject's rights under Art 82 GDPR.
11. Governing law
This DPA is governed by the law of the Republic of Estonia, with disputes subject to Harju Maakohus.
Annex I — Technical and organisational measures
The Processor implements at minimum the following measures, which are reviewed at least annually:
Encryption
- TLS 1.3 for all client transport, with HSTS and modern cipher suites only.
- AES-256-GCM application-layer encryption (via Cloak) for sensitive fields: isikukood, IBAN, TOTP secret. Encryption keys are rotated whenever key-handling arrangements materially change.
- Encrypted disk-level storage for database and backups.
Access control
- Bcrypt password hashing for user credentials; optional TOTP 2FA available to all users.
- Role-based access control inside the Operator with least-privilege defaults; production access requires explicit named approval.
- Full audit log of every administrative action with actor, target and time, retained for 12 months.
- Personnel access restricted to authorised employees on a need-to-know basis; pre-employment screening and written confidentiality undertaking before any access to production data.
Network and infrastructure
- Network isolation between application and database tiers; database not exposed to the public internet.
- Production hosting in EU region; backups stay in EU region.
- Encrypted daily database backups with 30-day rotation; restoration drills run at least quarterly.
Vulnerability and incident management
- Continuous dependency monitoring (mix_audit) and static-analysis security scanning (sobelow) on every build.
- External penetration testing performed at least annually, and before any major release that materially expands the attack surface.
- Documented incident-response runbook with 72-hour regulator-notification target (GDPR Art 33) and a parallel Controller-notification target of 48 hours under Section 8.
- Vulnerability disclosure: security@xprofitx.com; published in a security.txt file once available.
Data lifecycle
- Data minimisation: the Processor collects only the data needed to provide the Service and discards intermediate AI artefacts within 30 days.
- Right-of-erasure tooling: account deletion removes the account record and triggers cascade deletion of derived data; records subject to statutory retention (Raamatupidamise seadus § 12) are retained separately, encrypted, in a tamper-evident archive.
Annex II — Authorised subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd / Stripe Inc. | International card-payment processing. | Ireland / USA |
| EveryPay AS (LHV Group) | SEPA, Estonian card schemes, open banking. | Estonia |
| OpenAI Ireland Ltd / OpenAI L.L.C. | AI features (chat, parsing, categorisation). Enterprise data terms — no model training on submitted content. | Ireland / USA |
| Hosting infrastructure provider | Compute, storage and network for the production deployment. | EU region |
| Email delivery provider (when configured) | Transactional and notification email. | EU / EEA |
If translations of this DPA are provided, the English-language version is the controlling text in case of conflict.