Data Processing Agreement

You are the Controller of the Personal Data you submit to or generate through the Service relating to your customers, suppliers, employees, and other third parties. Ordinal is the Processor of this data.

For personal data about you as a user of the Service (your account data, usage data), Ordinal is the Controller. That processing is governed by our Privacy Policy, not this DPA.

Ordinal processes Personal Data on your behalf solely as necessary to provide the Service, including:

• Storing and displaying customer and supplier records you create
• Processing financial documents containing third-party personal data
• Generating and delivering invoices to your customers
• Importing bank transactions that may contain counterparty information
• Automated document extraction (which may process names, addresses, and other personal data appearing on invoices and receipts)

You provide general authorization for Ordinal to engage sub-processors. The current list of sub-processors is:

• Supabase Inc. (EU) — Database hosting, authentication, file storage.
• Stripe Inc. (EU/US) — Payment processing (for invoice delivery).
• Google LLC (Gemini API) (EU/US) — Automated document extraction.
• Resend Inc. (US) — Transactional email delivery (invoice emails to your customers).
• Enable Banking Oy (EU, Finland) — Open banking data access (PSD2).
• Trigger.dev Ltd. (EU) — Background job processing.
• Google LLC (Gmail API) (EU/US) — Email document import (when enabled by you).
• Microsoft Corp. (Graph API) (EU/US) — Email document import (when enabled by you).
• Dropbox Inc. (US) — Cloud storage document import (when enabled by you).

Ordinal will notify you at least 30 days before adding or replacing a sub-processor. Notification will be sent to the email address associated with your account.

If you object to a new sub-processor on reasonable data protection grounds, you may notify us within the 30-day notice period. We will make reasonable efforts to provide an alternative or workaround. If no resolution is possible, you may terminate the affected portion of the Service without penalty.

Ordinal imposes data protection obligations on each sub-processor that are materially the same as those set out in this DPA, including obligations regarding confidentiality, security measures, and data handling. Ordinal remains fully liable to you for the performance of each sub-processor's obligations.

• Encryption of data in transit (TLS 1.2+)
• Encryption of data at rest (AES-256)
• Row-level security (RLS) enforcing organization-level data isolation
• HttpOnly, Secure, SameSite session cookies
• OAuth 2.0 with PKCE for third-party integrations
• Hashed access tokens for API/MCP authentication
• Automated database backups

• Access to production data limited to authorized personnel
• Confidentiality obligations for all employees and contractors
• Secure development practices
• Regular review of access controls

Ordinal will assist you in fulfilling your obligation to respond to Data Subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection) by:

• Providing self-service tools in the Service to access, export, correct, and delete customer and supplier records
• Responding to your written requests for assistance within a reasonable timeframe
• Redirecting Data Subject requests received directly by Ordinal to you, unless we can identify and fulfill the request through our standard tools

Assistance with Data Subject requests is included in the Service at no additional cost for requests handled through standard Service functionality. For requests requiring material additional effort, Ordinal may charge reasonable fees based on administrative costs.

Ordinal will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Personal Data processed on your behalf. Notification will be sent to the email address associated with your account.

The notification will include, to the extent available:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
• The name and contact details of Ordinal's contact point for further information
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach and mitigate its effects

Ordinal will cooperate with you and provide reasonable assistance to help you comply with your breach notification obligations under GDPR Art. 33 and 34.

You have the right to audit Ordinal's compliance with this DPA, subject to reasonable notice (at least 30 days) and scope limitations.

Audits will be conducted:

• During normal business hours
• Without unreasonably disrupting Ordinal's operations
• Subject to reasonable confidentiality obligations
• At your expense, unless the audit reveals material non-compliance by Ordinal

You may engage a qualified, independent third-party auditor, subject to Ordinal's reasonable approval and the auditor's execution of a confidentiality agreement.

Where Ordinal has obtained relevant third-party certifications or audit reports (such as SOC 2), Ordinal may provide these in lieu of a direct audit, provided they adequately address the scope of your audit request.

Personal Data is retained for the duration of the service agreement and processed in accordance with your instructions and the Service functionality.

Upon termination of the service agreement:

• You will have 30 days to export your data through the Service's export functionality
• After the 30-day period, Ordinal will delete Personal Data from active systems within a reasonable timeframe
• Personal Data contained in automated backups will be deleted as backups are rotated in the ordinary course of business

Accounting records containing Personal Data may be retained beyond termination as required by Bokföringslagen (SFS 1999:1078), which mandates retention until the end of the seventh calendar year following the end of the calendar year in which the fiscal year was concluded. This retention is based on GDPR Art. 17(3)(b) (compliance with a legal obligation). Retained data will be stored securely and not processed for any other purpose.