Data Processing Agreement
This DPA governs how Eazyle processes personal data on behalf of customers using the platform for finance, payroll, accountant, and connected workflows.
1. Scope
This Data Processing Agreement (“DPA”) applies to all processing of personal data by Eazyle (the “Processor”) on behalf of the customer (the “Controller”) in connection with the Eazyle platform services.
The Processor shall process personal data only on documented instructions from the Controller, including transfers to third countries, unless required by applicable law.
2. Data Categories
The categories of personal data processed include:
- Contact information (names, email addresses, phone numbers)
- Employment data (job titles, compensation, tax identifiers)
- Financial data (bank details, transaction records, invoices)
- Usage data (access logs, feature interactions)
3. Security Measures
Eazyle implements appropriate technical and organisational measures including:
- AES-256 encryption at rest and TLS 1.3 in transit
- Role-based access controls and least-privilege principles
- Regular penetration testing and vulnerability assessments
- SOC 2 Type II-aligned controls and monitoring
4. Subprocessors
Eazyle maintains a list of authorised subprocessors. The Controller will be notified at least 30 days before any new subprocessor is engaged. Current subprocessors include cloud infrastructure, email delivery, and payment processing providers.
5. Data Subject Rights
Eazyle assists the Controller in responding to data subject requests including access, rectification, erasure, restriction, portability, and objection. Requests are acknowledged within 72 hours and fulfilled within 30 days.
6. Breach Notification
In the event of a personal data breach, Eazyle will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification includes the nature of the breach, categories of data affected, and remediation steps taken.
7. Retention
Personal data is retained for the duration of the service agreement plus any legally required retention period. Upon termination, data is deleted or returned within 90 days at the Controller’s election, unless retention is required by law.
8. International Transfers
Where personal data is transferred outside the Controller’s jurisdiction, Eazyle relies on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. Data is primarily processed in the region selected during account setup.