Data Processing Agreement

Personal Data

Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and applicable U.S. state privacy laws.

Processing

Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.

Controller

The entity that determines the purposes and means of processing Personal Data. Under this DPA, the Customer is the Controller.

Processor

The entity that processes Personal Data on behalf of the Controller. Under this DPA, Streamline Reports, Inc. is the Processor.

Sub-Processor

Any third party engaged by the Processor to process Personal Data in connection with the Service.

Data Subject

A natural person whose Personal Data is processed under this DPA — typically a client of the Customer whose financial information appears in generated reports.

The Customer (bookkeeper or accounting firm) is the Controllerof Personal Data relating to the Customer's end clients — the individuals and businesses whose financial information is retrieved, processed, and included in reports generated by the Service.

Streamline Reports is the Processor, acting only on documented instructions from the Customer and solely as necessary to provide the Service. Streamline Reports does not determine the purposes of processing and will not process Personal Data for any purpose other than fulfilling its obligations under the Terms of Service and this DPA.

Streamline Reports shall process Personal Data only in accordance with the Customer's documented instructions. The Customer instructs Streamline Reports to process Personal Data for the following purposes:

• Retrieving financial data (including client names, entity names, and financial figures) from connected accounting platforms via authorized OAuth connections
• Generating, formatting, and storing financial report documents as configured by the Customer
• Delivering reports to designated recipients via email or other channels configured by the Customer
• Providing the Customer with access to report history and audit logs within the Service

If Streamline Reports believes any instruction from the Customer violates applicable data protection law, it will promptly inform the Customer. Streamline Reports shall not process Personal Data beyond these documented instructions without the Customer's express written authorization, except as required by law.

In the course of providing the Service, Streamline Reports may process the following categories of Personal Data:

• Business and contact identifiers: Client entity names, contact names, email addresses used for report delivery
• Financial data: Revenue figures, expense categories, account balances, profit and loss data, and other financial information retrieved from connected accounting platforms
• Account data: Customer (bookkeeper) name, email address, and subscription information

Streamline Reports engages the following Sub-Processors. Each Sub-Processor is bound by contractual data protection obligations at least as protective as those in this DPA.

Streamline Reports will notify the Customer of any intended addition or replacement of Sub-Processors at least 30 days in advance. The Customer may object to such changes by providing written notice within 15 days; if the parties cannot resolve the objection, the Customer may terminate the Service agreement without penalty.

Streamline Reports implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, and destruction, including:

Encryption

• TLS 1.2 or higher for all data in transit
• AES-256 encryption for data at rest
• OAuth 2.0 token storage with minimal required scopes

Access Controls

• Role-based access controls limiting internal staff access to Personal Data
• Multi-factor authentication required for internal administrative access
• Access logs maintained for sensitive operations

Operational Security

• Continuous security monitoring and intrusion detection
• Regular vulnerability assessments and security reviews
• Documented incident response procedures
• Employee security training and confidentiality agreements

Streamline Reports shall promptly notify the Customer if it receives a request from a Data Subject exercising their rights (access, erasure, portability, restriction, or objection) and will not respond to such requests directly, except to direct the Data Subject to the Customer.

Streamline Reports will provide commercially reasonable assistance to the Customer in fulfilling its obligations to respond to Data Subject rights requests, taking into account the nature of the processing and the information available to Streamline Reports.

In the event of a Personal Data breach affecting data processed under this DPA, Streamline Reports will notify the Customer without undue delay — and in any event within 72 hours of becoming aware of the breach.

Notification will include, to the extent known at the time:

• A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
• The likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its effects
• Contact information for the Streamline Reports point of contact

Streamline Reports will cooperate with the Customer and provide further information as it becomes available. The Customer is responsible for any required notifications to supervisory authorities or Data Subjects.

Upon expiration or termination of the Service agreement, Streamline Reports will, at the Customer's election, either delete or return all Personal Data within 30 days. If the Customer requests a copy of their data prior to deletion, Streamline Reports will make it available in a machine-readable format.

Aggregated or fully anonymized data that is not attributable to any individual or Customer may be retained by Streamline Reports for internal service improvement purposes.

Upon reasonable written notice of at least 30 days, the Customer may audit Streamline Reports' compliance with this DPA, subject to the following conditions:

• Audits may occur no more than once per calendar year, except following a confirmed security incident
• Audits will be conducted during normal business hours and will not unreasonably disrupt Streamline Reports' operations
• Streamline Reports may, at its option, satisfy this obligation by providing a current third-party audit report (SOC 2 or equivalent) in lieu of a direct audit
• The Customer is responsible for all costs associated with the audit

Streamline Reports and its Sub-Processors operate primarily in the United States. Where the Customer is subject to GDPR and the transfer of Personal Data involves a jurisdiction that does not benefit from an EU adequacy decision, such transfers shall be made pursuant to the Standard Contractual Clauses (SCCs) issued by the European Commission (as amended or superseded from time to time), which are incorporated into this DPA by reference.

Customers who require executed SCCs should contact us at miles@streamlinereports.com.

Streamline Reports shall ensure that personnel authorized to process Personal Data under this DPA are subject to appropriate confidentiality obligations. Access to Personal Data is limited to personnel who require it to perform their duties in connection with the Service.

Each party's liability arising out of or related to this DPA — whether in contract, tort, or under any other legal theory — is subject to the limitations set forth in the Limitation of Liability section of the Streamline Reports Terms of Service. Nothing in this DPA expands either party's liability beyond those limits.

This DPA is effective for the duration of the Service agreement between the parties and terminates automatically upon expiration or termination of that agreement. Obligations relating to Personal Data that has not yet been deleted survive termination until deletion is complete in accordance with Section 9.

This DPA is governed by the laws of the State of Oregon, consistent with the governing law of the Streamline Reports Terms of Service.

For questions about this DPA, data processing practices, or to request Standard Contractual Clauses: