Data Processing Addendum

Last updated June 7, 2026

The short version

This DPA governs how we process personal data on your behalf when you use GeniusBooks. It supplements our Terms of Service and ensures GDPR/UK GDPR compliance for customers who are data controllers.

1. Parties & scope

This Data Processing Addendum ("DPA") is entered into between you ("Customer", "Controller") and Om369 LLC-FZ ("GeniusBooks", "Processor") and supplements the Terms of Service ("Agreement").

This DPA applies to the extent that GeniusBooks processes Personal Data on behalf of Customer in the course of providing the Service. It is effective from the date Customer agrees to the Agreement.

Capitalized terms not defined here have the meanings given in the Agreement or applicable Data Protection Laws.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that GeniusBooks processes on behalf of Customer.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR (EU 2016/679), UK GDPR, and any applicable national implementing legislation.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Subprocessor" means any third party engaged by GeniusBooks to process Personal Data on behalf of Customer.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data approved by the European Commission (Decision 2021/914).

3. Roles of the parties

Customer is the Controller who determines the purposes and means of processing Personal Data submitted to the Service (e.g., customer names, invoices, financial records from QuickBooks).

GeniusBooks is the Processor that processes Personal Data solely on behalf of and under the documented instructions of the Customer to provide the Service.

4. Details of processing

  • Subject matter: Provision of the GeniusBooks AI bookkeeping assistant service.
  • Duration: For the term of the Agreement plus any retention period required by law.
  • Nature and purpose: Processing Customer's QuickBooks data (including Personal Data of Customer's clients) to perform bookkeeping tasks as instructed by Customer through the Service.
  • Types of Personal Data: Names, email addresses, mailing addresses, phone numbers, financial transaction data, invoice details, and other information contained in Customer's QuickBooks account.
  • Categories of Data Subjects: Customer's employees, clients, vendors, and contractors whose data is stored in QuickBooks.

5. Processor obligations

GeniusBooks shall:

  • Process Personal Data only on documented instructions from Customer, unless required by applicable law (in which case we will inform Customer before processing, unless prohibited by law).
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex II (Security Measures).
  • Not engage another processor (subprocessor) without prior written authorization from Customer, subject to Section 7.
  • Assist Customer, taking into account the nature of processing, in responding to Data Subject requests to exercise their rights.
  • Assist Customer in ensuring compliance with obligations regarding security, breach notification, impact assessments, and prior consultation, taking into account the nature of processing and information available to GeniusBooks.
  • At Customer's choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless storage is required by applicable law.
  • Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 9.

6. Controller obligations

Customer shall:

  • Ensure that it has a lawful basis for processing Personal Data and for instructing GeniusBooks to process on its behalf.
  • Provide all necessary notices and obtain all necessary consents from Data Subjects as required by Data Protection Laws.
  • Ensure that instructions to GeniusBooks comply with applicable laws.
  • Be responsible for the accuracy, quality, and legality of the Personal Data submitted to the Service.

7. Subprocessors

Customer provides general written authorization for GeniusBooks to engage subprocessors to assist in providing the Service. A current list is maintained at /legal/subprocessors.

GeniusBooks will notify Customer at least 30 days in advance of any intended addition or replacement of subprocessors by updating the Subprocessors page and, where Customer has subscribed to notifications, by email.

If Customer reasonably objects to a new subprocessor on data protection grounds, Customer must notify GeniusBooks in writing within 14 days of the notification. The parties will discuss the objection in good faith. If the objection cannot be resolved, Customer may terminate the affected Service component without penalty.

GeniusBooks shall impose contractual obligations on each subprocessor that are no less protective than this DPA.

8. International data transfers

To the extent that processing involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country not subject to an adequacy decision, the parties agree that such transfer shall be governed by the Standard Contractual Clauses (Module Two: Controller to Processor) as set forth in Annex III.

For UK transfers, the UK International Data Transfer Addendum to the EU SCCs applies.

GeniusBooks will implement appropriate supplementary measures where required to ensure that the transferred data is afforded a level of protection essentially equivalent to that within the EEA/UK.

9. Audits

GeniusBooks shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

Customer (or its appointed third-party auditor, subject to confidentiality obligations) may conduct an audit of GeniusBooks' processing activities no more than once per year, with at least 30 days' prior written notice, during normal business hours, and in a manner that minimizes disruption.

GeniusBooks may satisfy audit requests by providing: (a) relevant certifications or audit reports (e.g., SOC 2); (b) written responses to reasonable information requests; or (c) on-site or remote audit access where (a) and (b) are insufficient.

Customer shall bear its own costs of the audit. If the audit reveals material non-compliance, GeniusBooks shall bear reasonable audit costs and promptly remediate.

10. Personal data breach notification

GeniusBooks shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach that affects Customer's data.

The notification shall include: (a) a description of the nature of the breach, including categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) measures taken or proposed to mitigate the breach; and (d) contact point for further information.

GeniusBooks shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

11. Data protection impact assessments

GeniusBooks shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and taking into account the nature of the processing and information available to GeniusBooks.

12. Term & termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, GeniusBooks shall, at Customer's written election, either delete or return all Personal Data within 30 days and certify deletion in writing, unless applicable law requires continued storage.

Provisions of this DPA that by their nature should survive termination shall survive, including Sections 5, 9, 10, and 13.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

In no event shall either party's aggregate liability for all claims under this DPA exceed the limitations set out in the Agreement.

Annex I — Processing description

  • Controller: Customer (the entity that agreed to the Terms of Service).
  • Processor: Om369 LLC-FZ (operating as GeniusBooks), United Arab Emirates.
  • Contact: privacy@geniusbooks.ai.
  • Subject matter: AI-powered bookkeeping assistance via QuickBooks Online integration.
  • Processing activities: Receiving, caching, analyzing, and transmitting QuickBooks data to fulfill Customer's natural-language bookkeeping requests via AI; session management; billing.
  • Data types: Names, emails, addresses, phone numbers, financial records (invoices, expenses, payments), bank/account identifiers.
  • Data subjects: Customer's end-clients, vendors, employees, and contractors whose data is in QuickBooks.
  • Duration: Term of the Agreement plus 30 days for deletion.

Annex II — Technical & organizational measures

  • Encryption: AES-256 at rest, TLS 1.2+ in transit.
  • Access control: Role-based access, least-privilege, MFA for administrative access.
  • Authentication: OAuth 2.0 for QuickBooks integration — no passwords stored.
  • Logging & monitoring: Audit logs for all data access; anomaly detection.
  • Data minimization: Only data necessary for the requested task is accessed; no bulk downloads.
  • Incident response: Documented incident response plan; breach notification within 72 hours.
  • Personnel: Confidentiality agreements for all staff; regular security awareness training.
  • Subprocessor management: Due diligence, contractual safeguards, and periodic review.
  • Business continuity: Regular backups, disaster recovery testing.
  • Deletion: Automated purging of session data; account deletion upon request within 30 days.

Annex III — Standard Contractual Clauses

Where Personal Data is transferred from the EEA to a country without an adequacy decision, the parties incorporate by reference the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914), Module Two (Controller to Processor).

For transfers from the UK, the UK International Data Transfer Addendum (as issued by the UK ICO) supplements the SCCs.

The details in Annex I and Annex II of this DPA serve as Annexes I and II of the SCCs. The competent supervisory authority is the data protection authority of the EU Member State in which the Controller is established, or where the Controller is not established in the EEA, the authority of the Member State where Data Subjects are located.