Data Processing Agreement

JENESYS DATA PROCESSING AGREEMENT ("DPA")

This Data Processing Agreement ("DPA") forms part of the Subscription Agreement between:

Jenesys HQ Ltd (registered in England and Wales, with company number 14512007, whose registered office is at 167-169 Great Portland Street, London W1W 5PF) ("Processor" or "Jenesys");

and

The Customer identified in the applicable Order Form or Subscription Agreement ("Controller" or "Customer").

Each a "party" and together the "parties".

BACKGROUND

(A) The Controller is a provider of accounting services to its clients.

(B) Jenesys provides an AI-powered bookkeeping solution ("Jack") which processes accounting documents and provides automated bookkeeping services to accounting firms, as further described in the Subscription Agreement.

(C) The Controller wishes to use Jenesys's services, which will involve Jenesys processing personal data on behalf of the Controller.

(D) The parties acknowledge that Jenesys acts primarily as a data processor for Customer Data, but also acts as a data controller in certain limited circumstances, particularly with respect to: (i) operational data; (ii) learning data generated when human operators correct decisions previously made by the AI system; and (iii) continuous fine-tuning processes that apply to the customer tenant.

(E) The parties have agreed to enter into this DPA to ensure compliance with UK GDPR when Personal Data is processed under the Subscription Agreement.

AGREED TERMS

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions:

In this Agreement, the following terms shall have the following meanings:

"Applicable Laws" means all laws, regulations, and binding codes of practice applicable to the processing of personal data under this Agreement, including the UK GDPR;

"Approved Jurisdiction" means the UK, the European Economic Area (EEA), or any other territory determined by the UK Government to provide an adequate level of protection for Personal Data, or where appropriate safeguards as referenced in clause 12.1 are in place;

"Customer" means the entity that has entered into the Subscription Agreement with Jenesys;

"Customer Data" means the personal data described in Schedule 1 that is provided by or on behalf of the Controller;

"Data Processing Details" means the information set out in Schedule 1 of this DPA which applies to the Jenesys services being procured by the Customer;

"Data Protection Laws" means the Data Protection Act 2018, the Retained Regulation (EU) 2016/679 (UK GDPR) as incorporated under the European Union (Withdrawal) Act 2018 and as amended by The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019, and any other laws or regulations applicable in the United Kingdom, and, where applicable to Jenesys in the performance of the Agreement, the General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR), in each case as amended or repealed from time to time;

"Data Subject" means an identified or identifiable natural person who is the subject of Personal Data;

"End Date" means the date of termination or expiry of the Subscription Agreement;

"GDPR" means, as appropriate, the UK GDPR or EU GDPR;

"Jenesys as Controller" refers to circumstances where Jenesys HQ Ltd acts as a data controller in its own right;

"Personal Data" means any information relating to a Data Subject;

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

"Revised Instruction" means a request for information sent by Jenesys to the Customer asking whether the Customer's instruction after the End Date remains to delete the Customer's personal data;

"Services" means the services to be provided by Jenesys to the Customer as set out in the Subscription Agreement, which includes the AI-powered bookkeeping solution known as "Jack";

"Sub-processor" means any person (including any third party, but excluding an employee of Jenesys) appointed by or on behalf of Jenesys to process Personal Data on behalf of the Controller;

"Subscription Agreement" means the agreement between the parties for the provision of the Services;

"Supervisory Authority" means the UK Information Commissioner's Office (ICO) or any successor or replacement body from time to time;

"UK Addendum" means Addendum B.1.0 issued by the UK Information Commissioner's Office in accordance with s119A of the Data Protection Act 2018 as amended from time to time;

"UK GDPR" means the UK General Data Protection Regulation as defined in the Data Protection Act 2018 (as amended).

1.2 Interpretation:

1.2.1 The terms "process", "processing", "controller", "processor", "data subject", and "supervisory authority" shall have the meanings given to them in the UK GDPR.

1.2.2 References to clauses and schedules are to the clauses and schedules of this DPA.

1.2.3 The schedules form part of this DPA and shall have effect as if set out in full in the body of this DPA.

2. PURPOSE AND SCOPE

2.1 This DPA sets out the terms and conditions under which: (a) Jenesys may process Personal Data on behalf of the Controller when providing the Services; and (b) the parties will comply with Data Protection Laws in respect of their processing of Personal Data where Jenesys acts as a controller.

2.2 The nature and purpose of the processing, the types of Personal Data processed, the categories of Data Subjects, and the capacity in which Jenesys acts (processor or controller) in relation to different categories of data, are set out in Schedule 1.

2.3 When acting as a Processor, Jenesys shall process Personal Data on behalf of the Controller only for the purposes of providing the Services and in accordance with the documented instructions of the Controller, including with regard to transfers of Personal Data outside the UK, unless required to do so by the Applicable Laws, in which case Jenesys shall inform the Controller of that legal requirement before processing, unless those Applicable Laws prohibit such information on important grounds of public interest.

2.4 When acting as a Controller, Jenesys shall: (a) process Personal Data in accordance with the Data Protection Laws; (b) provide appropriate privacy notices to Data Subjects; (c) implement appropriate technical and organisational measures to protect Personal Data; and (d) respect the rights of Data Subjects.

3. CONTROLLER OBLIGATIONS

3.1 The Controller shall:

3.1.1 ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Jenesys for the duration and purposes of this Agreement;

3.1.2 ensure that the processing of Personal Data by the Controller, and its instructions to Jenesys, comply with all Applicable Laws;

3.1.3 notify Jenesys without undue delay if it becomes aware that any of the Personal Data it has provided to Jenesys is inaccurate or outdated;

3.1.4 provide reasonable cooperation and assistance to Jenesys in dealing with inquiries from Data Subjects or the Supervisory Authority relating to Jenesys's processing of Personal Data under this DPA;

3.1.5 ensure that neither the Controller nor its Permitted Users upload any special category personal data (as defined in Article 9 of the UK GDPR) to the Services. Breach of this clause shall constitute a material breach of the Subscription Agreement which may allow Jenesys to terminate the Agreement in accordance with its terms;

3.1.6 acknowledge and agree that (i) Jenesys is not acting on the Controller's or any of the Controller's Permitted Users' behalf as a Business Associate or subcontractor under the Health Insurance Portability and Accountability Act of 1996, as amended and supplemented ("HIPAA"); (ii) the Services may not be used to store, maintain, process or transmit protected health information ("PHI"); and (iii) the Services will not be used in any manner that would require Jenesys to be compliant with HIPAA. In the preceding sentence, the terms "Business Associate", "subcontractor", "protected health information" and "PHI" shall have the meanings given to them in HIPAA.

4. PROCESSOR OBLIGATIONS

4.1 Jenesys shall:

4.1.1 process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Applicable Laws; in such a case, Jenesys shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

4.1.2 ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

4.1.3 take all measures required pursuant to Article 32 of the UK GDPR (Security of Processing);

4.1.4 respect the conditions referred to in Article 28(2) and 28(4) of the UK GDPR for engaging another processor;

4.1.5 taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the UK GDPR;

4.1.6 assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR taking into account the nature of processing and the information available to Jenesys;

4.1.7 at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless storage of the Personal Data is required by Applicable Laws;

4.1.8 make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller; and

4.1.9 immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other data protection provisions of the Applicable Laws.

5. SECURITY

5.1 Jenesys shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:

5.1.1 the pseudonymisation and encryption of Personal Data;

5.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

5.1.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

5.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5.2 Jenesys shall implement appropriate security measures including:

5.2.1 Encryption of personal data during transmission and at rest;

5.2.2 Secure access controls and authentication mechanisms;

5.2.3 Regular security testing and assessments;

5.2.4 Secure development practices;

5.2.5 Employee security training and awareness;

5.2.6 Incident response procedures.

5.3 Jenesys is working towards SOC 2 Type 2 certification, which is expected to be awarded in April 2025. Upon certification, Jenesys shall implement security measures in accordance with the requirements of this certification and shall maintain this certification (or an equivalent or higher security standard) throughout the term of this DPA.

5.4 In assessing the appropriate level of security, Jenesys shall take account of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

6. PERSONAL DATA BREACH

6.1 Jenesys shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.

6.2 The notification referred to in clause 6.1 shall:

6.2.1 describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

6.2.2 describe the likely consequences of the Personal Data Breach;

6.2.3 describe the measures taken or proposed to be taken by Jenesys to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;

6.2.4 include the name and contact details of the data protection officer or other contact point where more information can be obtained; and

6.2.5 be provided to the Controller without undue delay and in any event within 48 hours of Jenesys becoming aware of the Personal Data Breach.

6.3 Jenesys shall document any Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken.

6.4 Jenesys shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7. SUB-PROCESSING

7.1 Jenesys shall not engage any Sub-processor to process Personal Data on behalf of the Controller without the prior specific or general written authorisation of the Controller. Where Jenesys engages Sub-processors under a general written authorisation, it shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, and the Controller shall have the right to object to such changes.

7.2 The Controller hereby authorises Jenesys to engage those Sub-processors listed in Schedule 2 to this DPA.

7.3 Where Jenesys engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, Jenesys shall ensure that it imposes on such Sub-processor data protection terms no less protective than those in this DPA.

7.4 Jenesys shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.

7.5 Jenesys shall maintain and implement a policy for the oversight and management of Sub-processors that includes:

7.5.1 Due diligence prior to engagement to ensure the Sub-processor can provide sufficient guarantees in respect of the UK GDPR requirements;

7.5.2 Regular (at least annual) review of Sub-processor security measures and compliance with data protection obligations;

7.5.3 Documented data processing agreements with all Sub-processors that impose obligations no less onerous than those in this DPA;

7.5.4 Procedures for removing Sub-processors who no longer meet the required standards;

7.5.5 Clear roles and responsibilities for the management of Sub-processors;

7.5.6 Maintenance of a current register of all Sub-processors with details of the processing activities they perform.

7.6 Jenesys shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes.

8. DATA SUBJECT RIGHTS

8.1 Taking into account the nature of the processing, Jenesys shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests to exercise Data Subject rights under the UK GDPR.

8.2 Jenesys shall:

8.2.1 promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and

8.2.2 not respond to that request except on the documented instructions of the Controller or as required by Applicable Laws to which Jenesys is subject, in which case Jenesys shall, to the extent permitted by Applicable Laws, inform the Controller of that legal requirement before responding to the request.

8.3 Jenesys shall maintain a mechanism for Data Subjects to submit requests relating to their personal data via email to privacy@jenesys.co.

8.4 Jenesys shall respond to any request from the Controller to assist with a data subject request within 5 working days following written request from the Controller, provided that Jenesys may: (a) extend such time period where Jenesys considers, in its reasonable discretion, that such assistance is onerous, complex, frequent or time consuming (provided always that Jenesys shall use all reasonable endeavours to provide such assistance within a time period to enable the Controller to comply with its obligations under applicable Data Protection Legislation); and/or (b) charge the Controller on a time and materials basis in the event that Jenesys considers, in its reasonable discretion, that such assistance is onerous, complex, frequent or time consuming.

9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

9.1 Jenesys shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by Article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to processing of Controller Personal Data by, and taking into account the nature of the processing and information available to, Jenesys.

10. DATA RETENTION AND DELETION

10.1 When acting as a Processor, Jenesys shall retain Customer Data as follows:

10.1.1 Documents provided to Jenesys by the Controller: 7 years from the date of provision (in compliance with legal requirements);

10.1.2 Backup of reconciliation tasks: 3 months;

10.1.3 Data transferred to third-party ledger systems (e.g., Xero, Sage): responsibility for retention passes to these systems upon successful transfer.

10.2 When acting as a Controller, Jenesys shall retain data as specified in Schedule 1, Part B, section 4.

10.3 Upon termination or expiration of the Subscription Agreement (the "End Date"), Jenesys shall, at the Controller's choice, delete or return all Personal Data processed as a Processor to the Controller, and delete existing copies unless storage of the Personal Data is required by Applicable Laws or Jenesys is entitled to retain such data as a Controller.

10.4 Jenesys shall implement a secure deletion process for Personal Data that includes:

10.4.1 Tracking of deletion requests through Jenesys's ticketing system (Jira);

10.4.2 Verification of deletion via Jenesys's compliance platform (Drata);

10.4.3 Certification of deletion upon request.

11. AUDIT RIGHTS

11.1 Jenesys shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

11.2 Jenesys shall immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other data protection provisions.

12. INTERNATIONAL DATA TRANSFERS

12.1 Jenesys operates internationally and, as a result, may transfer Personal Data across international borders, including from the EEA or UK to other territories/countries, for processing and storage.

12.2 To the extent that Personal Data is transferred from the EEA or UK to territories/countries for which the EU Commission or UK Secretary of State (as applicable) has not made a finding that the legal framework in that territory/country provides adequate protection for individuals' rights and freedoms for their personal data, Jenesys may transfer such data consistent with applicable data protection laws based on prior assessment of the level of data protection afforded in the context of the transfer, including through the use of:

12.2.1 EU Commission-approved or UK Secretary of State-approved (as applicable) Standard Contractual Clauses, if necessary in combination with additional safeguards;

12.2.2 Binding corporate rules approved by the competent supervisory authority;

12.2.3 An approved code of conduct or certification mechanism; or

12.2.4 Where applicable, specific derogations permitted under Article 49 of the UK GDPR.

12.3 When Jenesys transfers Personal Data to the United States of America or other non-adequate jurisdictions, it shall implement appropriate supplementary measures in addition to the transfer mechanisms referenced in clause 12.2, where necessary to ensure a level of protection essentially equivalent to that guaranteed within the UK and EEA.

12.4 Jenesys shall document its assessment of the level of protection for Personal Data in the context of any international transfer and make this assessment available to the Controller upon reasonable request.

13. LIABILITY AND INDEMNITY

13.1 Jenesys shall be liable for any damage caused by processing only where:

13.1.1 it has not complied with obligations of the UK GDPR specifically directed to processors; or

13.1.2 it has acted outside or contrary to lawful instructions of the Controller.

13.2 Jenesys shall indemnify and keep indemnified the Controller against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs arising out of or in connection with any breach by Jenesys of its obligations under this DPA.

14. TERM AND TERMINATION

14.1 This DPA shall commence on the date of the Subscription Agreement and shall continue in full force and effect until the Subscription Agreement is terminated or expires.

14.2 The parties agree that on the termination or expiry of the Subscription Agreement for any reason, Jenesys shall, at the Controller's election, return all of the Controller's Personal Data to the Controller or securely dispose of the Controller's Personal Data (and thereafter promptly delete all existing copies of it) except to the extent that any Applicable Laws require Jenesys to store such Personal Data.

15. GOVERNING LAW AND JURISDICTION

15.1 This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.

15.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

16. JOINT CONTROLLER PROVISIONS

16.1 To the extent that Jenesys and the Controller are joint controllers for any Personal Data:

16.1.1 Each party shall comply with its obligations under the Data Protection Laws.

16.1.2 The parties shall determine their respective responsibilities for compliance with the obligations under the UK GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 of the UK GDPR.

16.1.3 The parties designate a point of contact for data subjects, which shall be: privacy@jenesys.co.

16.1.4 Each party shall maintain records of all processing operations under its responsibility that contain at least the information required by Article 30 of the UK GDPR.

17. API INTEGRATIONS

17.1 Some of Jenesys's Services may have an API, allowing the transfer of data (which may include personal data) to and from the Services to a third-party product ("Third-Party API") or to another Jenesys product (only where the Controller has a license to this separate Jenesys product will the API be turned on).

17.2 Whether a Third-Party API is turned on or off is at the Controller's discretion. Where it is turned on, the Controller is authorising Jenesys to share the relevant data through the Third-Party API and, where relevant, receive data from the Third-Party API for input into the Services.

17.3 Jenesys is not liable or responsible for the quality or accuracy of data shared to Jenesys via a Third-Party API, nor for what happens to the data once sent outbound via a Third-Party API (the "Transferred API Data").

17.4 For the avoidance of doubt, the Transferred API Data will be governed by the contract held between the Controller and the relevant third-party.

17.5 Where the Controller publishes data to third-party ledger systems (e.g., Xero, Sage) through the Services, the responsibility for data retention and security passes to these systems upon successful transfer, subject to any agreement between the Controller and such third-party systems.

18. MISCELLANEOUS

18.1 This DPA constitutes the entire agreement between the parties relating to the subject matter addressed herein and supersedes all prior communications, contracts, or agreements between the parties relating to the subject matter addressed herein, whether oral or written.

18.2 No variation of this DPA shall be effective unless it is in writing and signed by the parties.

18.3 If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this DPA.

SCHEDULE 1: DETAILS OF PROCESSING

PART A: JENESYS AS PROCESSOR

1. Subject matter of processing: Processing of accounting and financial data for the purpose of providing automated bookkeeping services through the Jack AI system.

2. Duration of processing: The duration of the Subscription Agreement plus the relevant periods specified in clause 10.1 of this DPA.

3. Nature and purpose of processing: The processing of Personal Data by Jenesys on behalf of the Controller for the purpose of:

● Analysing accounting documents (invoices, receipts, credit notes, etc.)

● Processing financial transactions

● Creating journal entries

● Checking policy compliance

● Applying tax codes

● Performing historical data analysis

● Providing integrated bookkeeping services

4. Types of Personal Data:

● Identity Data including: first name, last name, username or similar identifier, title, date of birth and gender

● Contact Data including: job description, billing address, email address and telephone numbers

● Financial Data including: bank account details, payment card details, transaction history

● Transaction Data including: details about payments, receipts or invoices; details about payments and other details of products and services purchased

● Business Data including: company registration details, VAT numbers, tax identifiers

● Employee Data including: information contained in financial records (payroll, expense claims, benefits)

● Technical Data including: internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the Services

● Profile Data including: username and password, purchases or orders made, user preferences, feedback and survey responses

5. Categories of Data Subjects:

● Employees of the Controller

● Contractors of the Controller

● Directors of the Controller

● Clients of the Controller

● Suppliers and vendors of the Controller

● Permitted users authorised by the Controller

● Anyone else who submits documents to the Services for the Controller or on the Controller's behalf

PART B: JENESYS AS CONTROLLER

1. Categories of Personal Data for which Jenesys is a Controller:

● Operational data related to the provision and maintenance of the Services

● Learning data generated when human operators correct decisions previously made by the AI system

● Data used for continuous fine-tuning processes that apply to the customer tenant

2. Purposes of processing:

● Service improvement and optimization

● AI model training and refinement specific to the customer tenant

● System performance monitoring and enhancement

● Maintaining records of human corrections to AI decisions for learning purposes

3. Legal basis for processing:

● Legitimate interests of Jenesys in improving and refining its AI systems

● Necessary for the performance of the contract with the Controller

● Compliance with legal obligations (where applicable)

4. Data retention periods:

● For operational data: Duration of the Subscription Agreement plus 7 years

● For learning data: Duration of the Subscription Agreement plus 3 years

● For fine-tuning data: Duration of the Subscription Agreement

5. Data Subject Rights: Jenesys will maintain procedures to respond to Data Subject requests relating to Personal Data for which Jenesys is a Controller, in accordance with the UK GDPR.

SCHEDULE 2: SUB-PROCESSORS

1. Currently Authorised Sub-processors:

Sub-processor Name | Service Provided | Processing Location | Transfer Mechanism (if outside UK/EEA)
Amazon Web Services (AWS) | Cloud infrastructure hosting services, including Bedrock for model hosting | EU: AWS Ireland and London (UK); AWS Frankfurt, Germany for Inference | NA
Google Workspace | Emails, document storage and office suite and calendar | USA | Yes
HotJar | User behaviour analytics | AWS-Ireland | NA

The list of Sub-processors may be updated from time to time. Customers will be notified of any changes to Sub-processors in accordance with Section 7.6 of this DPA.
