Data Processing Agreement

Last updated: March 2026

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, or erasure.
• "Controller" means you, the customer, who determines the purposes and means of Processing Personal Data.
• "Processor" means LMNTL.AI Inc., which Processes Personal Data on behalf of the Controller.
• "Sub-Processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
• "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor shall Process Personal Data on behalf of the Controller as necessary to provide the LMNTL.AI cloud accounting platform services as described in the Terms of Service.

2.2 Nature and Purpose of Processing

Processing activities include storage, organization, retrieval, and analysis of financial and accounting data entered by the Controller into the LMNTL.AI platform, including:

• General ledger management and financial record-keeping
• Accounts payable and accounts receivable processing
• Financial reporting and analytics
• Integration with third-party accounting systems (e.g., QuickBooks synchronization)
• AI-powered financial insights (TimeFlow), when enabled by the Controller
• Audit trail maintenance and compliance reporting

2.3 Types of Personal Data

The following categories of Personal Data may be Processed:

• Contact information (names, email addresses, phone numbers, mailing addresses)
• Employment information (job titles, department, employee identifiers)
• Financial data (account numbers, transaction records, payment details)
• Vendor and customer records
• Timesheet and labor cost data
• User account credentials (hashed and encrypted)
• Usage and access logs

2.4 Categories of Data Subjects

Data Subjects may include:

• Controller's employees and contractors
• Controller's customers and vendors
• Controller's business contacts
• End users of the LMNTL.AI platform

2.5 Duration of Processing

Processing shall continue for the duration of the service agreement between the Controller and Processor, plus any retention period required by applicable law or as described in Section 9 (Data Retention).

3. Obligations of the Processor

3.1 Instructions

The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited from doing so.

3.2 Confidentiality

The Processor shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security (Article 28(3)(c))

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 5 (Security Measures).

3.4 Sub-Processing (Article 28(2))

The Processor shall not engage another processor (Sub-Processor) without prior specific or general written authorization of the Controller, as detailed in Section 6 (Sub-Processors).

3.5 Data Subject Rights (Article 28(3)(e))

The Processor shall assist the Controller in fulfilling its obligation to respond to requests for exercising Data Subject rights, as detailed in Section 7 (Data Subject Rights).

3.6 Assistance with Compliance

The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of Processing and information available to the Processor. This includes assistance with:

• Security of Processing
• Notification of personal data breaches to supervisory authorities
• Communication of personal data breaches to Data Subjects
• Data protection impact assessments
• Prior consultation with supervisory authorities

3.7 Deletion and Return of Data

At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services, and shall delete existing copies unless applicable law requires storage. The Controller may export data at any time via the platform's built-in export functionality.

3.8 Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions.

4. Obligations of the Controller

The Controller shall:

• Ensure that it has a lawful basis for Processing Personal Data and for instructing the Processor to Process on its behalf
• Provide documented instructions to the Processor regarding the Processing of Personal Data
• Ensure compliance with applicable data protection laws with respect to its use of the platform
• Notify the Processor without undue delay if it becomes aware of any data breach or security incident affecting Personal Data

5. Security Measures

5.1 Encryption

• Data in Transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher. Internal service-to-service communication is also encrypted.
• Data at Rest: All stored data is encrypted using AES-256 encryption. Database volumes, backups, and object storage are encrypted using AWS-managed keys (AWS KMS).

5.2 Infrastructure

• Cloud Provider: Amazon Web Services (AWS), which maintains SOC 2 Type 2, ISO 27001, and FedRAMP certifications
• Compute: AWS ECS Fargate (serverless containers) with no shared tenancy at the infrastructure level
• Database: Amazon RDS PostgreSQL with automated backups, encryption at rest, and point-in-time recovery
• Content Delivery: Amazon CloudFront with HTTPS-only access
• Secrets Management: AWS Secrets Manager for all credentials and sensitive configuration

5.3 Access Controls

• Role-based access control (RBAC) with principle of least privilege across all platform tiers
• Multi-factor authentication (MFA) available for all user accounts
• Multi-tenancy with row-level data isolation enforced at the database layer via tenant-scoped queries
• Automated session management with configurable timeout policies
• Administrative access to production infrastructure requires VPN, MFA, and audit-logged approval

5.4 Monitoring and Logging

• Comprehensive audit logging of all data access, modifications, and administrative actions
• Immutable audit trail retained for 7 years (DCAA compliance)
• Real-time security monitoring and alerting via AWS CloudWatch and application-level logging
• Automated vulnerability scanning of application dependencies

5.5 Business Continuity

• Automated database backups with point-in-time recovery
• Multi-availability-zone deployment for high availability
• Disaster recovery procedures tested on a regular schedule
• Defined incident response procedures with escalation paths

6. Sub-Processors

6.1 Authorization

The Controller provides general written authorization for the Processor to engage Sub-Processors listed below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes within 30 days of notification.

6.2 Current Sub-Processors

6.3 Sub-Processor Obligations

The Processor shall impose on each Sub-Processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

6.4 Notification of Changes

The Processor shall notify the Controller at least 30 days before authorizing any new Sub-Processor or replacing an existing one. If the Controller objects to a new Sub-Processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law, including:

• Right of Access: The Processor shall provide the Controller with the ability to access, export, and download all Personal Data via the platform's built-in data export functionality.
• Right to Rectification: The Controller may directly correct Personal Data through the platform interface.
• Right to Erasure: The Processor shall delete Personal Data upon the Controller's documented request, subject to legal retention requirements (see Section 9).
• Right to Restriction: The Processor shall restrict Processing upon the Controller's request by flagging affected records.
• Right to Data Portability: The platform supports data export in standard machine-readable formats (CSV, JSON, PDF).
• Right to Object: The Processor shall cease Processing for the specified purpose upon receiving the Controller's instruction.

The Processor shall respond to the Controller's assistance requests within 5 business days. If the Processor receives a request directly from a Data Subject, it shall promptly redirect the request to the Controller without responding to the Data Subject directly, unless legally required to do so.

8. Personal Data Breach Notification

8.1 Notification Timeline

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. This notification shall be made to the Controller's designated contact via email and, where applicable, through the platform's notification system.

8.2 Breach Notification Content

The notification shall include, to the extent available:

• A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
• The name and contact details of the Processor's data protection contact
• A description of the likely consequences of the breach
• A description of measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
• A timeline of events related to the breach

8.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The Processor shall also assist the Controller in meeting its obligations to notify supervisory authorities (within 72 hours per GDPR Article 33) and affected Data Subjects where required.

9. Data Retention and Deletion

9.1 Retention Periods

• Active Account Data: Personal Data is retained for the duration of the service agreement and processed as necessary to provide the services.
• Financial Records: Retained for 7 years after creation to comply with regulatory requirements (DCAA, SOX, and applicable tax regulations), even after account termination.
• Audit Logs: Immutable audit trail entries are retained for 7 years for compliance purposes.
• Backups: Encrypted database backups are retained for 30 days and automatically purged thereafter.

9.2 Post-Termination

Upon termination of the service agreement, the Processor shall, at the Controller's election:

• Return all Personal Data in a standard machine-readable format (the Controller has 30 days to export data after termination)
• Delete all Personal Data within 90 days of the export period, except where retention is required by applicable law
• Certify in writing that all Personal Data has been deleted or returned, upon request

10. International Data Transfers

10.1 Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, the Processor shall ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): The Processor incorporates the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers to countries without an adequacy decision, including Module 2 (Controller to Processor) provisions.
• UK International Data Transfer Agreement: For transfers from the UK, the Processor relies on the UK Addendum to the EU SCCs as approved by the UK Information Commissioner's Office.
• Adequacy Decisions: Where applicable, transfers rely on adequacy decisions recognized by the European Commission or relevant authorities.

10.2 Supplementary Measures

In addition to legal transfer mechanisms, the Processor implements the following supplementary technical and organizational measures:

• AES-256 encryption for all data at rest and TLS 1.2+ for data in transit
• Pseudonymization of Personal Data where technically feasible
• Strict access controls limiting data access to authorized personnel on a need-to-know basis
• Regular assessment of the legal framework in the destination country

10.3 Data Localization

The primary data processing location is AWS us-east-1 (N. Virginia, United States). EU customers may request data localization within the EU through the platform settings (Settings > Privacy > Data Residency).

11. DCAA Compliance Provisions

For Controllers subject to DCAA audit requirements, the Processor provides the following additional measures:

• Immutable journal entries with complete audit trails, ensuring debit-credit balance validation on every transaction
• 7-year data retention in compliance with FAR 4.703 record retention requirements
• Comprehensive audit logging with tamper-evident records of all data access and modifications
• Segregation of costs by project, department, class, and location for compliant indirect cost allocation
• Export capabilities in formats suitable for DCAA audit submissions

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of its obligations under applicable data protection law.

13. Term and Termination

This DPA shall remain in effect for the duration of the service agreement between the Controller and Processor. The obligations of the Processor regarding data deletion, return of data, and confidentiality shall survive termination.

14. Governing Law

This DPA shall be governed by the laws applicable to the underlying service agreement, without prejudice to the mandatory provisions of applicable data protection law, including the GDPR and UK GDPR.

15. Amendments

The Processor may update this DPA to reflect changes in data protection law, regulatory guidance, or processing activities. Material changes will be communicated to the Controller at least 30 days before they take effect. Continued use of the services after such notice constitutes acceptance of the updated DPA.

16. Contact

For questions about this Data Processing Agreement or to exercise any rights described herein, please contact:

• Email: dpa@lmntl.ai
• Data Protection Officer: dpo@lmntl.ai
• Mailing Address: LMNTL.AI Inc., Legal Department, 548 Market St #35410, San Francisco, CA 94104, USA

To request a countersigned copy of this DPA, please email dpa@lmntl.ai with your company name and account details.