Effective date: February 26, 2026 · Version 0.1 (Draft — pending legal review)
This Data Processing Agreement (“DPA”) forms part of the agreement between the subscribing accounting firm (“Controller”) and KittyLedger Pro (“Processor”). It describes how we collect, process, store, and protect personal and financial data on your behalf.
1. Definitions
Personal Information Controller — The accounting firm that subscribes to KittyLedger Pro and determines the purposes and means of processing personal data.
Personal Information Processor — KittyLedger Pro, which processes personal data on behalf of the Controller.
Data Subject — Any individual whose personal data is processed, including the firm’s clients, vendors, and employees whose information appears in financial records.
Personal Data — Any information relating to an identified or identifiable natural person, as defined by Republic Act No. 10173 (Data Privacy Act of 2012).
2. Data Processing Scope
KittyLedger Pro processes the following categories of data:
Financial records — journal entries, chart of accounts, trial balances, income statements, and balance sheets.
Receipt and document images — uploaded invoices, official receipts, purchase orders, bank statements, and other supporting documents.
Contact information — vendor names, client names, and associated metadata extracted from documents.
Purpose: AI-assisted bookkeeping, financial reporting, anomaly detection, and management insights for the Controller’s accounting practice.
Legal basis: Contractual necessity (performance of the service agreement) and the Controller’s legitimate interest in efficient, accurate accounting operations.
3. Data Residency
All data is stored in Southeast Asia (Singapore region). Your data never leaves the Southeast Asia region for storage or processing.
Our database infrastructure is hosted in the Singapore availability zone. File storage (receipts, documents) is likewise provisioned in the same region. No data is replicated to regions outside Southeast Asia.
4. AI and Model Training
We do not use your client data to train our AI models. Your financial data is processed in real time and is not retained by AI providers beyond the immediate request.
KittyLedger Pro uses third-party AI providers (see Section 8, Subprocessors) to power features such as receipt extraction, journal entry drafting, and financial analysis. Data sent to these providers is used solely to generate a response for your request and is not used to train, fine-tune, or improve their models. We operate under zero-data-retention API agreements with our AI providers.
5. Data Ownership
You retain full ownership of all data. KittyLedger Pro acts as a data processor, not a controller, with respect to your client data.
The Controller retains all intellectual property rights and ownership over the data uploaded to or generated within KittyLedger Pro. We do not claim any ownership interest in your financial records, documents, or reports.
6. Security Measures
KittyLedger Pro implements the following technical and organizational measures to protect your data:
Encryption at rest — All data stored in the database and file storage is encrypted using AES-256 encryption.
Encryption in transit — All communications between your browser and our servers use TLS 1.2 or higher.
Access controls — Role-based access control (RBAC) ensures that only authorized members of your organization can access your data. Organization-scoped data isolation prevents cross-tenant access.
Audit logging — Every data mutation is logged with user identity, timestamp, and a detailed record of changes. Audit logs are immutable and retained for the lifetime of the account.
Authentication — Secure session management with support for both OAuth 2.0 (Google) and email/password sign-in. Passwords are stored as salted cryptographic hashes using industry-standard algorithms; we never store plaintext passwords. Users signing in via Google have no password stored.
7. Data Retention and Deletion
Active accounts: Data is retained for the duration of the active subscription. No data is purged while the account remains active.
Account termination: Upon termination of the service agreement, the Controller may request a full data export within 30 days. All data (including backups) will be permanently deleted within 90 days of account termination.
Soft deletes: Within the application, deletions are implemented as soft deletes (records are marked as deleted but retained for audit purposes). Hard deletion occurs only upon account termination.
8. Subprocessors
KittyLedger Pro engages the following subprocessors to deliver its AI features:
Provider | Purpose | Data Handling
OpenAI | Receipt extraction, journal entry drafting, financial analysis, natural language queries |
We will notify the Controller of any changes to subprocessors with at least 30 days’ notice.
9. Breach Notification
In the event of a personal data breach, KittyLedger Pro commits to:
Notifying the Controller within 72 hours of becoming aware of the breach, in accordance with National Privacy Commission (NPC) guidelines.
Providing a detailed assessment of the breach, including the nature of the data affected, estimated number of data subjects, and remediation measures taken.
Cooperating with the Controller in notifying affected data subjects and the NPC as required by RA 10173 and NPC Circular 16-03.
10. Philippine Data Privacy Act Compliance
KittyLedger Pro is committed to compliance with Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations. Specifically:
We process personal data in accordance with the principles of transparency, legitimate purpose, and proportionality as required by the Act.
We maintain appropriate organizational, physical, and technical security measures as mandated by Sections 20–23 of the Act.
We are committed to registering with the National Privacy Commission (NPC) as a Personal Information Processor, as required for entities processing personal data of more than 1,000 individuals.
Our designated Data Protection Officer (DPO) can be reached at dpo@kittyledger.ai.
11. Rights of Data Subjects
Under RA 10173, data subjects have the following rights, which KittyLedger Pro supports through the Controller:
Right to be informed — Data subjects must be informed of the collection and processing of their personal data.
Right to access — Data subjects may request access to their personal data held within the system.
Right to correction — Data subjects may request correction of inaccurate or incomplete personal data.
Right to erasure or blocking — Data subjects may request deletion or blocking of personal data that is incomplete, outdated, or unlawfully obtained.
Right to data portability — Data subjects may request their personal data in a structured, commonly used, and machine-readable format.
Right to object — Data subjects may object to the processing of their personal data, including processing for direct marketing or automated decision-making.
Right to damages — Data subjects may claim compensation for damages sustained due to inaccurate, incomplete, or unauthorized processing of personal data.
Right to file a complaint — Data subjects may file a complaint with the National Privacy Commission.
To exercise any of these rights, data subjects should contact the Controller (your accounting firm) directly, or reach our Data Protection Officer at dpo@kittyledger.ai.