Data Processing Addendum (DPA)
Last updated: October 27, 2025
1. Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) governs the processing of Personal Data by QBSimplify, Inc. (“qbsimplify”) on behalf of its clients (“Client”) in connection with bookkeeping, accounting, payroll advisory, and related services. This DPA supplements and forms part of the qbsimplify Bookkeeping & Accounting Services Agreement and applicable Order Forms. In the event of conflict, the executed DPA or Service Agreement controls.
2. Parties & Roles
Client: Controller — determines purposes and means of processing Personal Data.
qbsimplify: Processor — processes Personal Data only on documented Client instructions.
Role allocation may be modified in writing if required by law.
3. Purpose & Scope of Processing
qbsimplify will process Personal Data solely to provide the services described in the Service Agreement and Order Form, including:
- Bookkeeping, reconciliations, QuickBooks setup/cleanup, and payroll advisory.
- Reporting, transaction categorization, and production of Deliverables.
- Communication with financial institutions, vendors, or third-party service providers.
No other purposes are permitted without written consent.
4. Categories of Personal Data
- Client contact and account information (names, emails, phone numbers, addresses)
- Business and registration details (company name, tax ID, licenses)
- Financial data (bank account numbers, routing numbers, invoices, payments)
- Employee payroll information (names, national IDs, pay rates, tax withholding)
- Vendor/customer contact and payment details
- System metadata, logs, and audit trails related to services performed
5. Duration & Retention
Personal Data will be processed only for the duration necessary to provide services or as instructed by the Client. Upon termination or Client request, Personal Data will be returned or securely deleted. Retention exceptions: legally required retention or backups. qbsimplify retains ACH mandates for 2 years and bookkeeping records per legal requirements; Clients are advised to retain financial records for at least 7 years.
6. Security Measures
- TLS encryption in transit and encryption at rest where feasible
- Role-based access and least-privilege principles
- Multi-factor authentication (MFA) for privileged accounts
- Patching, vulnerability management, anti-malware, and endpoint protection
- Temporary credential policies for remote access
- Automated backups, monitoring, and logging
- Periodic personnel security training and background checks
- Security certifications (SOC 2 / ISO 27001) where available
7. Subprocessors
qbsimplify may engage subprocessors (cloud hosting, payroll vendors, payment processors). Subprocessors must comply with obligations consistent with this DPA. qbsimplify will maintain a current list of subprocessors and provide it upon request. Clients will receive notice of new or replacement subprocessors at least 30 days in advance, with the right to object on reasonable grounds. qbsimplify remains liable for subprocessors’ compliance.
8. International Data Transfers
Personal Data may be transferred across borders, including the U.S. qbsimplify will implement appropriate safeguards (e.g., Standard Contractual Clauses) when required. Clients must notify qbsimplify of specific transfer requirements.
9. Data Subject Requests
qbsimplify will assist Clients in responding to requests for access, rectification, deletion, or portability. If qbsimplify receives a direct request from a data subject, it will promptly notify the Client. qbsimplify will act only on documented Client instructions unless legally required otherwise.
10. Breach Notification & Incident Response
qbsimplify maintains a formal incident response program. Clients will be notified without undue delay, and where required by law, within 72 hours of discovering a confirmed breach affecting Personal Data. Notifications include details of the incident, remediation measures, and ongoing cooperation with Client investigations or regulatory reporting.
11. Audit, Records & Certifications
qbsimplify will provide, upon reasonable notice, information to demonstrate compliance with this DPA. Security reports or certifications may be provided instead of on-site audits. Client-requested audits may be conducted by an independent auditor at Client’s expense and with mutual agreement.
12. Controller Instructions & Lawful Requests
qbsimplify will process Personal Data only on documented Client instructions. If an instruction violates applicable law, qbsimplify will notify the Client. qbsimplify may comply with lawful requests from courts, regulators, or law enforcement, with prior notice to the extent permitted.
13. Liability
Liability for processing is governed by the Limitation of Liability and Indemnification sections of the Service Agreement. Liability for willful misconduct or statutory obligations is not limited.
14. Termination & Data Return/Deletion
Upon service termination, Personal Data will be returned in a commonly used, machine-readable format or securely deleted. qbsimplify will certify deletion upon request and ensure backups are disposed of according to retention policies.
15. DPA Acceptance
By engaging qbsimplify services, the Client acknowledges and accepts this DPA. Execution of a standalone DPA may be requested for processing sensitive data (e.g., payroll tax processing).
16. Chargeback Protection & Client Safeguard
This DPA, together with your Service Agreement, demonstrates that:
- Client explicitly authorized services and payment (ACH/credit card).
- Scope of services and data processing is documented, limiting disputes over “unauthorized services.”
- Breach and refund/review policies are clearly defined (review period, dispute procedure).
In the event of a chargeback, you can use:
- Signed Service Agreement + Order Form
- Signed ACH mandates or card authorization
- DPA showing scope, purpose, and consent for processing data
- Review period and refund policy documentation
Together, these form a strong evidentiary basis for the bank or payment processor to contest fraudulent or unauthorized chargebacks.
17. Miscellaneous
This DPA is part of the Service Agreement and Order Forms. Severability: invalid provisions do not affect the remainder. Amendments require written agreement or posting on the Site with notice. Governing law: Delaware, USA.
Trademark & Certification Note: qbsimplify is operated by qualified bookkeeping professionals and, where represented, Certified QuickBooks ProAdvisors. qbsimplify is independent and not affiliated with, sponsored by, or endorsed by Intuit Inc. All third-party trademarks are the property of their respective owners.