Generate a Data Processing Agreement

Fill in your details and instantly download a GDPR-compliant Data Processing Agreement (DPA) between your organisation and Industrial IT — the processor behind Ledger Botje. The clauses are aligned with the formally adopted DPIA Ledger Botje v1.0 (May 2026).


Data Processing Agreement

pursuant to Article 28(3) of the General Data Protection Regulation (GDPR / EU 2016/679)

The Controller

[ORGANISATION], having its registered office at [ADDRESS], [POSTAL CODE] [CITY], registered under number [REG. NUMBER], VAT [VAT], duly represented by [AUTHORISED SIGNATORY], [ROLE], hereinafter: «Customer» or «Controller».

The Processor

Industrial IT (trade name Ledger Botje), having its registered office at Molecatenlaan 57A, 7339 LJ Ugchelen, the Netherlands, Chamber of Commerce no. 67449727, VAT NL001376060B08, represented by F. Woutersen, hereinafter: «Processor».

Hereinafter jointly: «Parties».

Whereas:

  • Customer uses Ledger Botje, a SaaS platform that connects AI assistants to the Customer's Exact Online administration via the Model Context Protocol (MCP);
  • in providing this service Processor processes personal data for which Customer is the controller within the meaning of Article 4(7) GDPR;
  • Parties therefore agree, pursuant to Article 28 GDPR, to record their arrangements regarding the processing of such personal data in this agreement (hereinafter: «DPA»).

Article 1 — Definitions

The terms «personal data», «processing», «controller», «processor», «sub-processor», «data subject», «personal data breach» and «supervisory authority» have the meaning assigned to them by the GDPR. «Main Agreement» means the Ledger Botje subscription agreement and the applicable terms of use.

Article 2 — Subject and term

2.1 This DPA is inseparable from the Main Agreement and governs the processing of personal data by Processor on behalf of Customer.

2.2 In case of conflict between this DPA and the Main Agreement, this DPA prevails on matters of privacy and data protection.

2.3 This DPA enters into force on [DATE] and terminates automatically when the Main Agreement ends, without prejudice to provisions which by their nature continue to apply.

Article 3 — Nature, purpose and duration of processing

3.1 Processor processes personal data exclusively on instructions from Customer and exclusively for the following purposes:

  • accessing, reading and — subject to the chosen subscription tier — mutating Customer data in Exact Online on behalf of Customer;
  • caching such data within an isolated tenant database assigned to Customer in order to limit repeated round-trips to the Exact Online API;
  • authenticating and authorising Customer users via Exact Online OAuth 2.0;
  • security logging and incident response as referred to in Article 32 GDPR;
  • providing support upon request of Customer.

3.2 Processor does not process personal data for its own purposes, except for (a) anonymous usage statistics and (b) processing for which Processor itself is the controller (subscription administration and marketing site).

Article 4 — Categories of personal data and data subjects

The following categories are — in principle — processed (full inventory: see Annex A):

Category of data subjects                    | Types of personal data
---------------------------------------------|--------------------------------------------------------------
Customer's employees (Exact Online users)    | Name, email, username, OAuth tokens (encrypted)
Customer's relations (debtors/creditors)     | Name, address, contact person, email, phone
Recipients in commercial transactions        | Order, invoice, delivery and inventory data
Bank and mandate references                  | IBAN, SEPA mandate reference (where present in Exact Online)
Visitors to Customer's platform              | Session data, login IP address, browser information

Processor processes no special categories of personal data within the meaning of Article 9 GDPR and no Dutch BSN. The BSN field has been actively removed from the data model.

Article 5 — Obligations of Processor

5.1 Processor processes personal data only on the documented instructions of Customer. Subscription configuration, the set of activated MCP tools and synchronisation settings constitute such instructions.

5.2 Processor ensures that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Processor implements the technical and organisational measures described in Article 7 and Annex B.

5.4 Processor informs Customer without delay if, in its opinion, an instruction infringes the GDPR or other applicable law.

5.5 Processor makes available to Customer all information necessary to demonstrate compliance with Article 28 GDPR.

5.6 Processor is entitled to refuse instructions from Customer that fall outside the scope of the Main Agreement, that in Processor's reasonable judgement require disproportionate effort, or that conflict with applicable law. In case of refusal, Parties will consult without delay.

Article 6 — Obligations of Customer

6.1 Customer warrants that the processing instructed to Processor is lawful and that Customer has the required legal basis (Article 6 GDPR).

6.2 Customer is responsible for choosing the AI client (ChatGPT, Claude, Copilot, Gemini, Mistral, Perplexity, Grok, Cursor, OpenClaw or any other MCP client) and for accepting that client's terms of use and privacy notice. Processor is not a party to that relationship.

6.3 Customer determines within Ledger Botje whether the MCP integration operates in read-only or in read-and-write mode. By default, the MCP integration is read-only.

6.4 Customer is responsible for the accuracy and currency of the personal data held in Exact Online.

Article 7 — Security measures

Processor implements the technical and organisational measures described in Annex B, including at minimum:

  • encryption in transit (HTTPS / TLS, with HSTS);
  • encryption at rest of customer databases at the hosting provider;
  • OAuth 2.1 with mandatory PKCE for MCP clients and OAuth 2.0 for Exact Online; no password storage at Processor;
  • tenant separation: each Customer is assigned an isolated database;
  • strict access restriction for production databases;
  • audit logging with bounded retention (see Article 13);
  • data minimisation: tokens and secrets are not stored in recognisable form in logs;
  • automated daily enforcement of retention on audit and security logs.

Article 8 — Sub-processors

8.1 Customer hereby grants general prior authorisation for the engagement of sub-processors, provided they comply with Article 28(4) GDPR and are listed in Annex C.

8.2 Processor will inform Customer via the Ledger Botje website or by email of any change to the list of sub-processors at least 30 days before the change takes effect. Customer may object in writing and with reasons within that period, solely on reasonable grounds related to GDPR compliance; Parties will then enter into discussions and Customer ultimately retains the right to terminate the Main Agreement.

8.3 Customer expressly acknowledges and accepts that Exact Online B.V. (source system on instruction of Customer), Mollie B.V. (independent controller for payment processing) and the AI platforms chosen by Customer are not regarded as sub-processors of Processor for the purposes of this DPA.

Article 9 — International transfers

9.1 Processor does not transfer personal data outside the European Economic Area (EEA). Production hosting is located exclusively in data centres within the EEA operated by EU-established sub-processors (at the time of signing: the Netherlands and France).

9.2 Customer acknowledges that if a Customer end-user chooses an AI client outside the EEA, that data flow falls within the relationship between Customer and the AI platform and is not covered by Article 9.1 of this DPA. Processor informs Customer of this through its terms of use and this DPA.

Article 10 — Confidentiality

Processor and its personnel are required to treat all personal data received or processed strictly confidentially. This obligation continues to apply after termination of this DPA.

Article 11 — Personal data breaches (notification)

11.1 Processor will notify Customer in writing without undue delay upon becoming aware of a personal data breach, taking into account the nature and scope of the incident. Suspicions that are not confirmed as a personal data breach following triage will not be notified but will be documented internally in accordance with Article 33(5) GDPR.

11.2 Such notification will contain at minimum (insofar as known): the nature of the breach, the categories of data subjects and data affected, the likely consequences, and the measures taken or proposed.

11.3 Customer remains responsible for notifying the supervisory authority (Article 33 GDPR) and any affected data subjects (Article 34 GDPR). Processor will provide reasonable assistance.

Article 12 — Assistance with data subject rights

12.1 Processor will, where reasonably possible, provide technical and organisational assistance to Customer in responding to requests from data subjects under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection).

12.2 Requests received directly by Processor and concerning Customer will be forwarded to Customer without delay.

12.3 Processor will respond to a Customer assistance request within 10 working days for requests concerning access (Art. 15 GDPR), rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR), and within 30 days for any other request, in each case so as to enable Customer to meet its own deadline under Article 12 GDPR.

12.4 Assistance that by its nature constitutes regular product support is included in the subscription. For extensive or recurring assistance (for example large numbers of requests, formal case work, or assistance during a supervisory authority investigation) Processor may, with prior written notice, charge reasonable hours at market rates.

Article 13 — Retention periods

The following retention periods apply, unless required otherwise by law:

Data type                                  | Retention
-------------------------------------------|------------------------------------
Application sessions                       | Deleted immediately after inactivity
Audit and security logs (non-critical)     | 180 days
Audit and security logs (critical)         | 365 days
Cached ERP data of Customer                | Term of the Main Agreement
Payment administration (invoices, debits)  | 7 years (statutory tax retention)

Retention is enforced automatically through daily clean-up jobs. Erasure requests under Article 17 GDPR are handled within 30 days.
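The retention table above and the daily clean-up it describes can be checked mechanically. The following is an added illustration, not code from Ledger Botje or Industrial IT: it models the two log classes with the DPA's 180-day and 365-day periods, treats a record as expired only once it is strictly older than its period, keeps (and flags) anything with an unknown classification rather than deleting it, and applies an assumed 30-minute inactivity window to sessions, since the DPA states "immediately after inactivity" without a figure. All record names, sample data and the inactivity window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention periods in days, taken from Article 13 / Annex B of the DPA.
RETENTION_DAYS = {
    "audit_noncritical": 180,
    "audit_critical": 365,
}

# The DPA gives no inactivity window for sessions; 30 minutes is an assumption.
SESSION_INACTIVITY = timedelta(minutes=30)


@dataclass(frozen=True)
class LogRecord:
    record_id: int
    category: str          # "audit_noncritical", "audit_critical" or something else
    created_at: datetime   # timezone-aware UTC timestamp


@dataclass(frozen=True)
class Session:
    session_id: str
    last_seen_at: datetime


def expired_log_ids(records, now):
    """Ids of records strictly older than their category's retention period.

    Records whose category has no configured period are never deleted here;
    they are surfaced separately so a human decides, instead of the job
    silently over- or under-retaining them.
    """
    expired = []
    for rec in records:
        days = RETENTION_DAYS.get(rec.category)
        if days is None:
            continue
        if now - rec.created_at > timedelta(days=days):
            expired.append(rec.record_id)
    return expired


def unclassified_log_ids(records):
    """Records the job refuses to touch because their category is unknown."""
    return [r.record_id for r in records if r.category not in RETENTION_DAYS]


def inactive_session_ids(sessions, now):
    """Sessions whose last activity is older than the inactivity window."""
    return [s.session_id for s in sessions if now - s.last_seen_at > SESSION_INACTIVITY]


def run_daily_cleanup(records, sessions, now):
    """Simulate one run of the daily job; returns a summary dict for audit."""
    dead_logs = set(expired_log_ids(records, now))
    dead_sessions = set(inactive_session_ids(sessions, now))
    return {
        "deleted_logs": len(dead_logs),
        "deleted_sessions": len(dead_sessions),
        "unclassified": unclassified_log_ids(records),
        "remaining_logs": [r for r in records if r.record_id not in dead_logs],
        "remaining_sessions": [s for s in sessions if s.session_id not in dead_sessions],
    }


# Constructed sample data. A fixed clock keeps the run reproducible.
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)


def days_before_now(n):
    return NOW - timedelta(days=n)


SAMPLE_RECORDS = [
    LogRecord(1, "audit_noncritical", days_before_now(200)),  # past 180 days: delete
    LogRecord(2, "audit_noncritical", days_before_now(100)),  # within 180 days: keep
    LogRecord(3, "audit_critical", days_before_now(200)),     # critical, 365 days: keep
    LogRecord(4, "audit_critical", days_before_now(400)),     # past 365 days: delete
    LogRecord(5, "unclassified", days_before_now(1000)),      # unknown class: keep, flag
]

SAMPLE_SESSIONS = [
    Session("s-live", NOW - timedelta(minutes=5)),
    Session("s-stale", NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    print(run_daily_cleanup(SAMPLE_RECORDS, SAMPLE_SESSIONS, NOW))
```

Returning the counts and the unclassified ids from each run gives the evidence Article 14.1 asks for: a daily log of what the job deleted is far easier to produce for a Customer than a claim that "retention is enforced".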

Article 14 — Audit and verification

14.1 Upon reasonable request and not more than once per year, Processor will provide Customer with documentation relevant to demonstrating compliance with this DPA, including the most recent version of the DPIA Ledger Botje.

14.2 An audit by or on behalf of Customer is conducted at Customer's expense, with at least 30 days' prior written notice, and only insofar as necessary to verify compliance with this DPA. The audit is performed by an independent, qualified third party established in the EEA, with a scope agreed in writing in advance, and is limited to documentation review and interviews. Access to production environments or to data of other Processor customers is excluded.

14.3 Where Processor relies on valid certifications or audit reports of its sub-processors (e.g. ISO 27001 or equivalent), these may substitute Customer's own audit.

Article 15 — Return and deletion

Upon termination of the Main Agreement or earlier on Customer request, Processor will delete all personal data of Customer from production systems within 30 days. Cached ERP data is rendered unusable immediately upon revocation of the OAuth integration and is automatically purged. Personal data residing in encrypted backups will be destroyed within Processor's standard backup rotation (maximum 90 days) or upon first overwrite; during that period such data is not accessible for production purposes. Processor retains only data it is required to retain by law.

Article 16 — Liability

Liability of Parties under this DPA is governed by the liability clause of the Main Agreement, without prejudice to Article 82 GDPR.

Article 17 — Term and termination

This DPA continues for as long as Processor processes personal data on behalf of Customer. Termination of the Main Agreement automatically terminates this DPA, without prejudice to provisions which by their nature continue to apply (including confidentiality, liability and the obligation of deletion).

Article 18 — Governing law and jurisdiction

This DPA is governed exclusively by Dutch law. Disputes are submitted to the competent court in the district where Processor is established, without prejudice to mandatory jurisdiction rules.

Article 19 — Final provisions

19.1 Amendments to this DPA are valid only if agreed in writing by both Parties.

19.2 If any provision is invalid or unenforceable, the remaining provisions remain in full force. Parties will then negotiate a new provision approximating the original as closely as possible.

Annex A — Description of the processing

A.1 Purposes. See Article 3.

A.2 Categories of data subjects. Customer's employees, Customer's relations (debtors/creditors), commercial counterparties, end users of Customer (insofar as captured in audit logs).

A.3 Types of personal data.

  • Identification and contact data: name, address, email, phone;
  • Authentication data: username, OAuth tokens (encrypted);
  • Transaction data: orders, invoices, deliveries, inventory, payment mandates, IBAN;
  • Technical metadata: login IP, session id, user-agent, MCP tool-call logs;
  • Subscription and billing data (where Processor acts as independent controller).

A.4 No special categories. Processor does not process data within the meaning of Article 9 GDPR. The Dutch BSN is not processed.

A.5 Locations. Production environment exclusively in the Netherlands and France (within the EEA).

Annex B — Technical and organisational measures (Art. 32 GDPR)

The measures listed below reflect the state of implementation at the time of signing. Processor reserves the right to adjust individual measures, provided that the overall security level remains at least equivalent.

Domain                 | Measure
-----------------------|-----------------------------------------------------------------------------------------------------------------
Encryption in transit  | HTTPS / TLS mandatory; HSTS policy active; modern cipher suites.
Encryption at rest     | Database encryption at the hosting provider; encrypted backups.
Authentication         | End users via Exact Online OAuth 2.0; no password storage at Processor. AI clients via OAuth 2.1 with mandatory PKCE.
Token management       | Access tokens valid for 60 minutes; automatic refresh; revocation effective immediately.
Tenant separation      | Each Customer has its own isolated database; cross-tenant mixing is architecturally excluded.
Access control         | Production databases accessible only to designated administrators of Processor; end users have no direct DB access.
Audit logging          | Security-relevant events are logged with bounded, documented retention (180 days non-critical, 365 days critical).
Data minimisation      | Tokens and secrets are not stored in recognisable form in logs; the BSN field has been removed from the data model.
Retention enforcement  | Automated daily clean-up of audit and security logs and session tables.
Incident response      | Personal data breach process compliant with Articles 33/34 GDPR; notification to Customer within 48 hours.
Hardening              | Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy); CSRF tokens on all mutations.
Change management      | Source control via Git; security review for major changes; periodic dependency updates.
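The "Data minimisation" row commits that tokens and secrets never reach the logs in recognisable form. One way to make that commitment verifiable is a redaction step applied to every line before it is written, shown here as an added example that is not Ledger Botje's own code. It replaces bearer tokens and OAuth parameters (access and refresh tokens, client secrets, authorisation codes, PKCE verifiers) with a short keyed fingerprint, so that an incident responder can still correlate all log lines that mention the same credential without the credential itself being stored. The pepper, the field names covered and the sample log lines are constructed for the illustration; the fingerprint length is a choice, not a requirement of the DPA.

```python
import hashlib
import hmac
import re

# Constructed pepper for the example. In a deployment this would be loaded
# from a secret store, never committed with the code.
LOG_PEPPER = b"example-log-pepper-not-for-production"

# "Authorization: Bearer <token>" in request lines. Token charset follows the
# RFC 6750 b64token grammar.
_BEARER = re.compile(r"(?i)(bearer\s+)([A-Za-z0-9\-._~+/]+=*)")

# OAuth parameters as JSON fields, query parameters or key=value pairs.
# The \b guards stop "status_code" from being treated as "code".
_FIELD = re.compile(
    r'(?i)("?\b(?:access_token|refresh_token|client_secret|code|code_verifier)\b"?\s*[=:]\s*"?)'
    r'([^"&\s,}]+)'
)


def fingerprint(secret: str) -> str:
    """Keyed, truncated hash of a secret: stable for correlation, useless for replay."""
    return hmac.new(LOG_PEPPER, secret.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def redact_secrets(line: str) -> str:
    """Return the log line with every recognised credential replaced by its fingerprint."""
    def sub(match):
        return f"{match.group(1)}[redacted:{fingerprint(match.group(2))}]"

    line = _BEARER.sub(sub, line)
    return _FIELD.sub(sub, line)


# Constructed sample lines in the shape an MCP/OAuth service might emit.
SAMPLE_LINES = [
    'GET /mcp HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln',
    'token exchange response: {"access_token": "eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln", '
    '"refresh_token": "rt_example_123", "expires_in": 3600}',
    'GET /oauth/callback?code=AUTHCODE123&state=xyz status_code=200',
    'tenant=acme user=jan@example.nl tool=get_invoices status_code=200',
]


def redact_all(lines):
    return [redact_secrets(line) for line in lines]


if __name__ == "__main__":
    for out in redact_all(SAMPLE_LINES):
        print(out)
```

Applying the filter at the logging handler rather than at individual call sites is what turns the Annex B row into a property that holds for every line, including ones added by future code; the residual risk is a credential carried in a field name the pattern does not know, which is why the set of field names belongs under the change-management review in the last row.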

Annex C — Sub-processors

Party                  | Role                                                              | Location             | Transfer outside EEA
-----------------------|-------------------------------------------------------------------|----------------------|---------------------
Scaleway               | Hosting (IaaS/PaaS) of application and MariaDB databases          | Netherlands / France | No
barcodescan.nl         | Central contact form (same legal entity as Processor)             | Netherlands          | No
trackingandtracing.app | Web analytics on the public site (same legal entity as Processor) | Netherlands          | No

Not considered sub-processors of Processor: Exact Online (source system on instruction of Customer), Mollie B.V. (independent controller for payments) and the AI platforms chosen by Customer (OpenAI, Anthropic, Microsoft, Google, Mistral, Perplexity, xAI, Anysphere et al.).

Why is this a GDPR-compliant DPA?

  • Content and clauses are aligned with Article 28(3) GDPR (sub-articles a to h).
  • Categories of personal data, purposes and retention periods come directly from the formally adopted DPIA Ledger Botje v1.0 (Dutch government Model DPIA v3.0).
  • The position that Exact Online, Mollie and the AI platforms are not sub-processors is reasoned in the DPIA and, in Mollie's case, expressly confirmed by Mollie itself.
  • The security measures in Annex B map 1:1 to the controls implemented in production.

Questions? Contact us via our contact form with subject «DPA question».
