Acodei Data Processing Agreement

Updated February 1, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement (the “Agreement”) between:

Acodei Software, LLC (“Acodei”), and

The customer using Acodei’s services (“User” or “Customer”),

each a “Party” and together the “Parties.”

To the extent Acodei processes User Personal Data (as defined below) on behalf of User in the course of providing the Services, the Parties agree to comply with this DPA.

1. Definitions

1.1 “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, which may include, as applicable:

  • The EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”);
  • The UK GDPR and UK Data Protection Act 2018;
  • The Swiss Federal Act on Data Protection (“FADP”);
  • The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”); and
  • Any other applicable data protection or privacy laws, including U.S. state privacy laws to the extent they apply to the Parties’ processing of Personal Data.

1.2 “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” have the meanings given in the applicable Data Protection Laws.

1.3 “User Personal Data” means any Personal Data processed by Acodei on behalf of User under the Agreement, as further described in Annex A (Details of Data Processing).

1.4 “Sub-processor” means any third party engaged by Acodei that processes User Personal Data on behalf of Acodei in connection with the Services.

1.5 “Services” means the Acodei services provided to User under the Agreement, including data synchronization between payment processors and accounting systems.

2. Roles of the Parties and Scope

2.1 Roles. For the purposes of Data Protection Laws, User is the Controller (or a Processor acting on behalf of its own controller) and Acodei is a Processor of User Personal Data.

2.2 Scope. This DPA applies solely to Acodei’s processing of User Personal Data in the course of providing the Services, as described in Annex A.

2.3 Instructions. Acodei will process User Personal Data only on documented instructions from User, including with regard to transfers of User Personal Data to a third country or international organization, unless required to do so by applicable law. In such case, Acodei will inform User of that legal requirement before processing, unless the law prohibits such disclosure.

2.4 User Responsibilities. User is responsible for:

  • Ensuring it has a valid legal basis for processing and providing User Personal Data to Acodei;
  • The accuracy, quality, and legality of User Personal Data; and
  • Configuring the Services in a privacy-compliant manner.

3. Details of Processing

3.1 The subject matter, nature and purpose of the processing, categories of Data Subjects, categories of Personal Data, and duration of processing are set out in Annex A (Details of Data Processing).

4. Confidentiality

4.1 Acodei will ensure that persons authorized to process User Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).

4.2 Acodei will not disclose User Personal Data to any third party except as permitted under this DPA, the Agreement, or as required by law.

5. Security

5.1 Security Measures. Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, Acodei will implement and maintain appropriate technical and organizational security measures to protect User Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex C (Technical and Organizational Security Measures).

5.2 Security Obligations of User. User is responsible for maintaining appropriate security, including:

  • Safeguarding its account credentials;
  • Configuring its environment and integrations; and
  • Using available security controls within the Services.

6. Sub-processing

6.1 Authorized Sub-processors. User authorizes Acodei to engage the Sub-processors listed in Annex B, as well as any additional Sub-processors that Acodei may engage in accordance with this Section 6.

6.2 Sub-processor Obligations. Acodei will:

  • Enter into a written contract with each Sub-processor that imposes obligations regarding data protection and security no less protective than those set out in this DPA; and
  • Remain responsible for each Sub-processor’s compliance with such obligations.

6.3 Changes to Sub-processors. Acodei may add or replace Sub-processors. Acodei will provide User with at least 30 days’ prior notice of any intended changes (via email, dashboard notification, or posting at https://acodei.com/sub-processors) and give User an opportunity to object on reasonable grounds relating to data protection. If User reasonably objects, the Parties will discuss in good faith. If they cannot reach a mutually acceptable solution within 30 days of User’s objection, User may terminate the affected Services on written notice (to the extent use of the new Sub-processor cannot be reasonably avoided).

7. International Data Transfers

7.1 Acodei may process and transfer User Personal Data in and to locations where Acodei or its Sub-processors maintain operations, subject to this DPA and applicable Data Protection Laws.

7.2 Where required under Data Protection Laws for transfers of User Personal Data from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of protection, the Parties will rely on the applicable Standard Contractual Clauses (“SCCs”) adopted by the European Commission (Module 2: Controller to Processor), the UK International Data Transfer Addendum, or other valid transfer mechanism as updated or replaced from time to time by competent authorities. The Parties agree that by entering into this DPA, they are deemed to have executed the applicable SCCs, which are incorporated by reference.

7.3 In the event of conflict between the SCCs (if applicable) and this DPA, the SCCs will prevail to the extent necessary to comply with Data Protection Laws.

8. Assistance to User

8.1 Data Subject Requests. Taking into account the nature of the processing, Acodei will provide reasonable assistance to User, by appropriate technical and organizational measures, for User to respond to requests from Data Subjects to exercise their rights under Data Protection Laws (for example, access, rectification, erasure, restriction, portability, and objection), to the extent such requests relate to User Personal Data stored within the Services.

8.2 Regulatory and DPIA Assistance. Acodei will provide User with reasonable cooperation and assistance, at User’s expense where applicable, with:

  • Data protection impact assessments;
  • Consultations with Supervisory Authorities; and
  • Other compliance obligations reasonably related to Acodei’s processing of User Personal Data.

9. Personal Data Breach Notification

9.1 Notification. Upon becoming aware of a Personal Data Breach affecting User Personal Data, Acodei will notify User without undue delay (and in any event within 72 hours of becoming aware) and provide information reasonably required for User to meet its obligations to notify affected individuals and/or Supervisory Authorities, taking into account any legitimate law-enforcement or security constraints.

9.2 Content of Notification. To the extent available, Acodei’s notification will include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and mitigate its effects; and
  • A contact point for further information.

9.3 Cooperation. Acodei will take reasonable steps to investigate, mitigate, and remediate the Personal Data Breach and will keep User informed of material developments, to the extent such information is available.

10. Return and Deletion of Data

10.1 During the Agreement. Throughout the term of the Agreement, User may export certain User Personal Data from the Services using available functionality, where provided.

10.2 At Termination. Upon termination or expiration of the Agreement, Acodei will, at User’s choice and to the extent technically feasible:

  • Delete User Personal Data; or
  • Return User Personal Data to User,

within 30 days, unless a longer retention period is required by applicable law or necessary to protect Acodei’s legitimate interests (for example, for legal claims). Encrypted backups may be retained for up to 90 days in accordance with Acodei’s standard backup policies and will be securely deleted in the ordinary course.

11. Audits and Information

11.1 Information. Acodei will make available to User all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws in relation to User Personal Data.

11.2 Audits. Where required by Data Protection Laws and subject to reasonable notice, confidentiality, and security restrictions, User (or its independent auditor, not a competitor of Acodei) may conduct an audit of Acodei’s processing of User Personal Data. Audits will:

  • Occur no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach);
  • Be conducted during normal business hours; and
  • Be limited to facilities, systems, and records reasonably relevant to the Services.

11.3 If Acodei makes available third-party audit reports or certifications (such as SOC 2 or ISO 27001), User agrees that such materials may satisfy its audit needs where appropriate.

12. Liability

12.1 The limitations and exclusions of liability set out in the Agreement apply to this DPA, unless otherwise prohibited by applicable Data Protection Laws.

13. Governing Law

13.1 This DPA will be governed by the governing law specified in the Agreement. If the Agreement does not specify governing law, this DPA will be governed by the laws of the State of Utah, United States, excluding its conflict-of-law rules.

13.2 To the extent required by Data Protection Laws, the mandatory provisions of the applicable data protection laws of the EEA member state, the UK, or Switzerland in which User is established will apply.

14. Changes to This DPA

14.1 Acodei may modify this DPA as necessary to (a) reflect changes in the Services, (b) comply with applicable law or guidance, or (c) update Sub-processors or security practices. Acodei will provide at least 30 days’ notice of material changes, and such changes will become effective as stated in the notice or in accordance with the Agreement.

15. Order of Precedence

15.1 In the event of any conflict between this DPA and the Agreement, this DPA will govern with respect to Acodei’s processing of User Personal Data, unless otherwise expressly stated or required by Data Protection Laws.

Annex A – Details of Data Processing

A.1 Categories of Data Subjects

Depending on how User configures and uses the Services, User Personal Data may relate to:

User Personnel

Individuals who register for or access an Acodei account on behalf of User (for example, owners, admins, finance staff, and accountants).

Client Customers

End customers of User who have transacted via connected payment processors (such as Stripe) and whose data is synchronized into connected accounting platforms (such as QuickBooks Online).

Support and Contact Persons

Individuals who communicate with Acodei via support channels (such as Help Scout) in relation to the Services.

A.2 Categories of Personal Data

Exact data elements depend on User’s configuration and the data transmitted by integrated platforms (such as Stripe and QuickBooks).

User Personnel

  • Identification and contact data: Name, email address, role, business contact details, and login identifiers.
  • Account data: Organization name, subscription details, configuration settings, and usage metrics.
  • Authentication and technical data: IP address, device information, log data, and activity logs related to use of the Services.

Client Customers (End Customers of User)

  • Identification and contact data: Name, email address, billing and shipping address, customer IDs, and other identifiers provided via payment platforms.
  • Transactional and financial data: Transaction amounts, currencies, timestamps, payment method type (such as card or ACH), tax amounts, fees, refunds, payouts, settlement data, invoice and order identifiers, accounting categorizations, and similar financial metadata received from Stripe and synced to QuickBooks.

Note: Acodei processes only the payment details made available via User’s selected payment processors and accounting platforms and does not itself act as a payment processor.

Support Communications

  • Content of support tickets, emails, or other communications.
  • Related metadata (timestamps, email headers, internal notes) to the extent they contain Personal Data.

Usage and Analytics Data

  • Event data about how Users interact with Acodei’s web application (page views, clicks, feature usage, session replay data), IP addresses, device attributes, and browser information, where such data qualifies as Personal Data.

A.3 Sensitive Data

Acodei does not intentionally collect or process special categories of Personal Data (such as health data or political opinions) or data relating to children, and the Services are not designed for such use. User is responsible for ensuring that special category data is not transmitted to the Services unless explicitly agreed in writing.

A.4 Frequency and Nature of Processing

Frequency: Continuous and event-driven, as determined by User’s configuration, integrations, and automated synchronization tasks.

Nature: Collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, alignment, disclosure (to authorized recipients), and deletion.

A.5 Purpose of Processing

Acodei processes User Personal Data for the following purposes:

  • To provide and operate the Services, including data synchronization between payment processors (such as Stripe) and accounting platforms (such as QuickBooks);
  • To maintain, secure, monitor, and improve the Services (including analytics and logging);
  • To provide customer support and communicate about the Services (such as onboarding, incident notifications, and product updates); and
  • To comply with User’s documented instructions and applicable laws.

A.6 Duration of Processing and Retention

  • Acodei will process User Personal Data for the duration of the Agreement, unless otherwise required by law.
  • After termination, Acodei will delete or return User Personal Data in accordance with Section 10 of this DPA.
  • Certain data may be retained in encrypted backups or logs for up to 90 days, consistent with Acodei’s retention policies and applicable legal obligations.

Annex B – Sub-processors

Below is the current list of third-party Sub-processors that may process User Personal Data in connection with the Services. Acodei may update this list from time to time in accordance with Section 6.

Note: Locations are general regions. Each provider may use multiple sub-locations as part of their infrastructure.

Amazon Web Services, Inc. (AWS)

  • Purpose: Cloud infrastructure and hosting provider for storage, databases, and compute resources supporting the Acodei application.
  • Category: Infrastructure and hosting.
  • Location: Primarily United States (and other regions as configured for resilience and compliance).

PostHog, Inc.

  • Purpose: Product analytics, feature flags, and session tracking to understand and improve product usage and user experience.
  • Category: Product analytics and usage tracking.
  • Location: United States.

Loops

  • Purpose: Sending transactional and product-related emails (such as account notifications, onboarding flows, and product updates) and managing email events (delivery, opens, and clicks).
  • Category: Email delivery and transactional communications.
  • Location: United States.

Help Scout

  • Purpose: Customer support ticketing and helpdesk platform to manage and respond to support requests.
  • Category: Customer support services.
  • Location: United States.

Slack Technologies, LLC

  • Purpose: Internal communication platform used by Acodei for operational coordination, including receiving alerts or notifications that may include limited User Personal Data (such as user IDs or ticket references).
  • Category: Internal communications and operations.
  • Location: United States.

Stripe, Inc.

  • Purpose: Payment platform that User connects to the Services. Acodei retrieves transaction and customer information from Stripe’s APIs for synchronization into accounting software.
  • Category: Payment data source (User’s selected payment processor).
  • Location: Global operations with data processing in multiple jurisdictions.

Intuit Inc. (QuickBooks)

  • Purpose: Accounting platform that User connects to the Services. Acodei writes synchronized financial data into User’s QuickBooks account via APIs.
  • Category: Accounting platform and data destination.
  • Location: Primarily United States.

New Relic, Inc.

  • Purpose: Application monitoring, logging, and observability platform used to monitor system performance and errors, which may involve processing telemetry data including IP addresses and other identifiers.
  • Category: Monitoring, logging, and observability.
  • Location: United States and EU data centers.

Annex C – Technical and Organizational Security Measures

Acodei implements and maintains the following technical and organizational measures to protect User Personal Data. These measures are reviewed periodically and updated as appropriate.

Encryption

  • Data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using industry-standard encryption (such as AES-256) provided by the underlying infrastructure.

Access Control

  • Role-based access controls are applied to limit access to User Personal Data to authorized personnel on a need-to-know basis.
  • Least-privilege principles are followed when granting access to production systems and data stores.
  • Multi-factor authentication is required for access to production infrastructure and administrative accounts.

Infrastructure and Application Security

  • Services are hosted on reputable cloud infrastructure providers (such as AWS) that maintain their own security certifications and compliance programs.
  • System and application dependencies are monitored and updated to address known vulnerabilities.
  • Logging and monitoring are in place to detect unauthorized access or anomalous activity.

Incident Management

  • Acodei maintains incident response procedures to identify, investigate, and remediate security incidents, including Personal Data Breaches.
  • Notification obligations are handled in accordance with Section 9 of this DPA.

Data Minimization and Retention

  • Acodei processes only the User Personal Data necessary to provide the Services.
  • Data retention practices follow the timelines described in Section 10 and Annex A.6 of this DPA.

Personnel

  • Authorized personnel are bound by confidentiality obligations.
  • Access to User Personal Data is limited to individuals who require it to perform their responsibilities.