Legal
Data Processing Agreement
GDPR Article 28 terms governing how FinnAccountings processes Customer Data on your behalf.
Last updated: 15 July 2026
1. Parties & purpose
This Data Processing Agreement (“DPA”) forms part of the agreement between FinnAccountings Limited(“Processor”, “we”, “us”) and the customer entity that uses the FinnAccountingsService (“Controller”, “you”).
It applies where we process personal data on your behalf in providing the Service, in accordance with Article 28 of the GDPR and UK GDPR. By creating an Account or signing an order form that references this DPA, you agree to these terms.
2. Definitions
Terms such as “personal data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given in the GDPR. “Customer Data” means personal data contained in content you submit to the Service (for example financial records, payroll information, and documents).
3. Scope of processing
- Subject matter — hosting and processing Customer Data to provide bookkeeping, tax estimation, payroll support, AI insights, and related features;
- Duration — for the term of your Subscription plus the retention period in our Privacy Policy;
- Nature & purpose — storage, retrieval, analysis, transmission, and deletion as needed to operate the Service;
- Types of data — identity and contact data, financial and transaction data, employment/payroll data you upload, usage logs, and AI interaction content;
- Data subjects — your employees, contractors, customers, suppliers, and authorised users, as applicable.
4. Processor obligations
We shall:
- Process Customer Data only on your documented instructions, including via the Service;
- Ensure persons authorised to process Customer Data are bound by confidentiality;
- Implement appropriate technical and organisational measures (see our Security page and Privacy Policy);
- Engage subprocessors only under written contracts imposing equivalent protections, as listed at /subprocessors;
- Assist you with data subject requests, DPIAs, and breach notifications, taking into account the nature of processing;
- Delete or return Customer Data after the Service ends, subject to legal retention requirements;
- Make available information necessary to demonstrate compliance and allow audits as reasonably agreed (including SOC 2 reports under NDA where available).
5. Controller obligations
You warrant that:
- You have a lawful basis to collect and instruct us to process Customer Data;
- You have provided required notices to data subjects;
- Your instructions comply with applicable data protection law and do not cause us to infringe those laws.
6. International transfers
Where Customer Data is transferred outside the EEA or UK to a country without an adequacy decision, we rely on Standard Contractual Clauses (and the UK Addendum where applicable) and supplementary measures such as encryption and access controls.
7. Security incidents
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide information reasonably required for you to meet your notification obligations under GDPR Arts. 33–34.
8. Liability
Liability arising under this DPA is subject to the limitations in our Terms of Service, except where prohibited by applicable data protection law.
9. Contact
Privacy / DPO: privacy@finnaccounts.com · dpo@finnaccounts.com
Enterprise customers may request a countersigned PDF DPA by contacting legal@finnaccounts.com.
