Legal
Effective date: June 12, 2026
For the accounting data of the entities you connect, you (or your company) are the controller and Composenz is the processor. This addendum is part of the Terms of Service for every business customer. A countersigned copy for your records is available on request at david@composenz.com.
Subject matter: read-only accounting records of your connected entities. Purpose: consolidating the group and generating written briefs and reports. Duration: while your account is active. Nature: automated processing by a deterministic engine plus a narrative layer; no automated decision-making with legal effect is performed.
We process accounting data only on your documented instructions (using the service is the instruction). We keep personnel bound by confidentiality. We implement the technical and organisational measures described on the Security page — read-only OAuth scopes, tenant isolation enforced at the database layer, encryption in transit and at rest, least-privilege access. We assist with data subject requests and breach notifications, and notify you without undue delay after becoming aware of a personal data breach affecting your data.
We use the subprocessors listed on the Subprocessors page under written data protection terms. We notify customers in advance before adding or replacing subprocessors that handle accounting data; if you object on reasonable data protection grounds, you may terminate the affected service.
International transfers rely on recognised safeguards such as standard contractual clauses. We make available information reasonably necessary to demonstrate compliance, and answer security questionnaires from customers directly.
At termination, we delete your data within 30 days of request, except where law requires retention. Your source books in QuickBooks/Xero are never affected.
Email us at david@composenz.com and a human answers within one business day.