Data Processing Addendum

Last updated: May 25, 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions between QuickBits OÜ ("Processor", "we") and the customer organization ("Controller", "you") and applies where we process Personal Data on your behalf in connection with the Service. Where this DPA conflicts with the Terms, this DPA prevails for data protection matters.

1. Definitions

"Data Protection Law" means the EU General Data Protection Regulation 2016/679 (GDPR), the UK GDPR, and any other applicable data protection laws. "Controller", "Processor", "Personal Data", "Processing", "Data Subject", and "Sub-processor" have the meanings given in Data Protection Law. "Customer Personal Data" means Personal Data we process on your behalf under the Terms.

2. Roles of the Parties

You are the Controller (or a processor acting on behalf of a third-party controller) of Customer Personal Data, and we are the Processor. Each party complies with its obligations under Data Protection Law. You are responsible for the lawfulness of the Personal Data you provide and the instructions you give.

3. Processing of Personal Data

  • We process Customer Personal Data only on your documented instructions, including those set out in the Terms and this DPA, unless required by law (in which case we will notify you unless prohibited).
  • The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex A.
  • We will inform you if, in our opinion, an instruction infringes Data Protection Law.

4. Confidentiality

We ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and are limited to those who need access to perform the Service.

5. Security

We implement appropriate technical and organizational measures to protect Customer Personal Data as required by Article 32 GDPR, described in Annex B and on our Security page.

6. Sub-processors

  • You provide general authorization for us to engage Sub-processors to process Customer Personal Data. Our current Sub-processors are listed on the Sub-processors page (see Annex C).
  • We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain liable for their performance.
  • We will give notice of any intended addition or replacement of a Sub-processor (via the Sub-processors page or email) before it begins processing. You may object on reasonable data protection grounds within 30 days; if we cannot reasonably accommodate the objection, you may terminate the affected Service.

7. Data Subject Requests

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests to exercise their rights under Data Protection Law. If a Data Subject contacts us directly, we will refer them to you.

8. Assistance

We will assist you, taking into account the nature of processing and the information available to us, in ensuring compliance with your obligations under Articles 32–36 GDPR, including security, breach notification, data protection impact assessments, and prior consultation.

9. Personal Data Breach

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide information reasonably available to us to help you meet your notification obligations.

10. International Transfers

Where processing of Customer Personal Data involves a transfer outside the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) or another lawful transfer mechanism. The Standard Contractual Clauses are incorporated by reference into this DPA.

11. Deletion or Return

Upon termination of the Service, we will, at your choice, delete or return Customer Personal Data within the period described in our Privacy Policy, and delete existing copies unless retention is required by law.

12. Audits

We make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and frequency limits. We may satisfy audit requests by providing relevant third-party reports or documentation where available.

13. Term

This DPA takes effect when you accept the Terms and remains in force for as long as we process Customer Personal Data on your behalf.

Annex A — Details of Processing

  • Subject matter: Provision of the Expensicat Service.
  • Duration: For the term of the Service plus the retention periods in the Privacy Policy.
  • Nature and purpose: Hosting, storing, and processing Personal Data to deliver financial, invoicing, document, and AI features.
  • Types of Personal Data: Account and contact details, financial and transaction data, invoices, documents, and content submitted to the Service.
  • Categories of Data Subjects: Your authorized users, your customers, contacts, and other individuals whose data you submit.

Annex B — Technical and Organizational Measures

Encryption in transit (TLS) and at rest (AES-256); database row-level tenant isolation; least-privilege access controls and authenticated sessions; error tracking, monitoring, and regular vulnerability scanning; encrypted, regularly purged backups. See our Security page for detail.

Annex C — Sub-processors

The current list of Sub-processors is maintained at expensicat.com/legal/subprocessors.

To request a signed copy of this DPA, contact [email protected].