Booklance.com

Data Processing Agreement

Last updated: May 14, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Booklance (Private) Limited ("Booklance", "Processor") and the customer ("Controller") when Booklance processes personal data on behalf of the Controller in connection with the Booklance.com bookkeeping platform.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Sub-processor" have the meanings given in the GDPR. "Customer Data" means personal data uploaded to or generated within the Service by the Controller or its end users.

2. Scope and roles

  • The Controller determines the purposes and means of processing Customer Data.
  • Booklance acts as Processor and processes Customer Data only on documented instructions from the Controller, which include the Terms of Service and use of the Service through its standard interfaces.
  • Categories of data subjects: Controller's employees, customers, suppliers and any individuals whose data the Controller chooses to enter.
  • Categories of personal data: contact details, business identifiers, invoice and billing data, and any other data the Controller submits.

3. Processor obligations

  • Process Customer Data only on the Controller's documented instructions.
  • Ensure that personnel authorised to process Customer Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (Section 6).
  • Assist the Controller in responding to data subject requests, breach notifications, DPIAs and consultations with supervisory authorities, taking into account the nature of processing and the information available to Booklance.
  • At the Controller's choice, delete or return all Customer Data after the end of the provision of services, unless retention is required by law.

4. Sub-processors

The Controller authorises Booklance to engage sub-processors to provide the Service, including cloud infrastructure, email delivery, payment processing and AI providers. Booklance imposes data protection terms equivalent to those in this DPA on each sub-processor and remains liable for their performance. A current list of sub-processors is available on request to privacy@booklance.com. Booklance will give the Controller reasonable notice of any intended changes and the opportunity to object on reasonable data-protection grounds.

5. International transfers

Where Customer Data is transferred outside the Controller's jurisdiction, Booklance relies on appropriate safeguards, including the EU Standard Contractual Clauses or equivalent mechanisms recognised by applicable law.

6. Security measures

  • Encryption in transit (TLS 1.2+) and at rest.
  • Row-Level Security on every customer-data table, scoped to company membership.
  • Role-based access controls and least-privilege administration.
  • Audit logging of sensitive actions and destructive operations.
  • Regular backups and tested recovery procedures.
  • Vulnerability management and dependency monitoring.

7. Personal data breach

Booklance will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for the Controller to meet its own breach-notification obligations.

8. Audit rights

Booklance will make available to the Controller the information necessary to demonstrate compliance with Article 28 GDPR. Audits are satisfied through up-to-date third-party certifications, security questionnaires and written summaries of controls. On-site audits may be arranged on reasonable notice for legitimate regulatory reasons.

9. Return and deletion of data

Controllers can export their data through the Service at any time. On termination, Customer Data is deleted within 30 days unless retention is required by law. Self-serve account deletion is available from Account Settings.

10. Liability and term

This DPA is effective as of the date the Controller starts using the Service and remains in force for as long as Booklance processes Customer Data. Liability under this DPA is subject to the limitations set out in the Terms of Service.

11. Contact

Questions about this DPA, sub-processors, or data protection can be sent to privacy@booklance.com.