Data Processing Agreement
Version 2026.05.2 · Last updated · Effective
Introduction & parties
This Data Processing Agreement ("DPA") forms part of the agreement between LW Agency Limited — the entity that operates ChronoLedger ("Processor", "ChronoLedger", "we", "us") — and the customer that has accepted our Terms of Use ("Controller", "you"). The DPA governs the Processing of Personal Data carried out by the Processor on the Controller's behalf in the course of providing the Service.
This DPA is intended to satisfy Article 28 of the EU General Data Protection Regulation 2016/679 ("EU GDPR"), Article 28 of the UK GDPR, the equivalent processor-engagement requirements of the Hong Kong Personal Data (Privacy) Ordinance Cap. 486 ("HK PDPO"), and other applicable privacy laws. Where local law imposes stricter requirements, those requirements apply to the affected Processing.
Where the Controller has appointed a representative under EU GDPR or UK GDPR Article 27, that representative may act on the Controller's behalf for the purposes of this DPA. Our own Article 27 representatives are identified in the Privacy Policy.
Definitions
Capitalised terms not defined in this DPA take the meaning given in our Terms of Use. In addition:
- "Personal Data" — any information relating to an identified or identifiable natural person Processed by us on the Controller's behalf.
- "Processing" — any operation performed on Personal Data, whether or not by automated means.
- "Subprocessor" — any third party engaged by us to Process Personal Data on the Controller's behalf, as listed at /legal/subprocessors.
- "Data Subject" — the individual to whom the Personal Data relates.
- "Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data Processed by us or by a Subprocessor.
- "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended.
- "UK Addendum" — the International Data Transfer Addendum to the EU SCCs issued by the United Kingdom Information Commissioner's Office under section 119A of the UK Data Protection Act 2018.
- "Restricted Jurisdiction" — a country, territory, or region with which we may not lawfully provide the Service, as maintained in our consolidated restricted-jurisdictions list.
Processing scope
We Process Personal Data only on documented instructions from the Controller, which include the use of the Service in line with the Terms of Use, the Controller's configuration of the workspace, the Controller's API calls (including any agent-token call placed under the Customer-orchestrated AI section), and lawful written instructions delivered through our published support channels. We will inform the Controller without undue delay if, in our opinion, an instruction infringes the EU GDPR, the UK GDPR, or other applicable law.
- Subject matter — operation of the ChronoLedger time-tracking and profitability service and any related professional services we provide to the Controller.
- Duration — the term of the Controller's account, plus any retention period required by law or by the Controller's instructions in accordance with this DPA.
- Nature and purpose — hosting, transmission, support, billing, security, abuse prevention, and audit-logging of the Service.
- Categories of Data Subjects — the Controller's directors, employees, contractors, clients, and end users; and any other natural person whose Personal Data the Controller chooses to upload.
- Categories of Personal Data — name, contact details, role, time entries, project metadata, internal cost rates, external billable rates, billing identifiers, IP address, user-agent, and any other Personal Data the Controller chooses to upload. The Controller acknowledges that internal cost rates and time entries concerning employees are HR-sensitive and that the Controller is responsible for the lawfulness of that Processing.
- Special-category Personal Data — the Controller agrees not to upload special-category Personal Data within the meaning of GDPR Article 9 unless it has notified us in writing in advance and we have agreed in writing to host it.
Your duties as Controller
The Controller is and remains the data controller for all Customer Data and is solely responsible for ensuring that its instructions to us comply with applicable law. Without limiting that responsibility, the Controller is responsible for:
- identifying and documenting the lawful basis for each Processing activity it instructs us to perform;
- providing the Article 13 / Article 14 notice required to be given to its Data Subjects (in particular, employees and clients added to the workspace);
- maintaining its own records of Processing under EU GDPR / UK GDPR Article 30 where Article 30(5) does not exempt it;
- conducting any Data Protection Impact Assessment under EU GDPR / UK GDPR Article 35 that is required of it (we will assist as set out in the DPIA assistance section below);
- obtaining any consent required for the inclusion of a Data Subject in the workspace, including parental consent in respect of any natural person under the age of 16 (or the higher age stipulated by local law);
- completing any consultation with employee representatives, works council, or equivalent body required of the Controller under applicable national employment-monitoring law before deploying the Service in a manner that processes employee data;
- responding to Data Subject requests it receives directly (we will assist as set out in the Assistance with data-subject requests section below).
The Controller represents and warrants that all Personal Data it uploads to the Service has been collected and Processed lawfully and that the Controller has obtained any consent required under applicable law for the inclusion of the Data Subject in the workspace.
Workforce monitoring & works councils
The ChronoLedger Service includes the systematic recording of employee time entries, project assignments, and internal cost rates ("Workforce Data"). The Controller acknowledges and agrees that the Processing of Workforce Data may, in certain jurisdictions, require consultation with, or co-determination by, employee representatives, a works council, or an equivalent body before the Service is deployed.
Examples of jurisdictions in which such requirements may apply include (without limitation):
- Germany — § 87 Abs. 1 Nr. 6 Betriebsverfassungsgesetz (BetrVG);
- Austria — § 96 Arbeitsverfassungsgesetz (ArbVG);
- France — Article L.2312-38 Code du travail;
- Netherlands — Article 27 Wet op de Ondernemingsraden (WOR);
- Italy — Article 4 Statuto dei Lavoratori;
- Switzerland — Article 328b Code des obligations and Article 6 Federal Act on Information and Consultation of Employees in Undertakings (Mitwirkungsgesetz);
- Spain, Portugal, Belgium, Sweden, Norway, Finland, Greece, Slovenia — equivalent national rules.
The list above is illustrative and not exhaustive. Compliance with these requirements is the Controller's responsibility. We do not undertake to monitor or to advise on national employment-monitoring law. On request, we will provide a written description of the Workforce Data Processing for the Controller's use in any required consultation.
Customer-success accommodation. A downloadable employee-notice template is available from privacy@chrono-ledger.com; it is offered for convenience only, is not legal advice, and does not relieve the Controller of any consultation obligation.
Customer-orchestrated AI and the agent API
Where the Controller enables the agent API and connects a third-party automated system — including a large language model, a workflow agent, or other AI / ML system — to the Service, that connection constitutes a documented instruction from the Controller to us to Process the Personal Data accessible via the agent token in accordance with the Controller's configuration.
In connection with any such connection, the Controller acknowledges and agrees that:
- the Controller is the deployer of that AI system within the meaning of Regulation (EU) 2024/1689 (the EU AI Act) and any equivalent law applicable to the Controller, and is solely responsible for any conformity assessment, transparency notice, post-market monitoring, human-oversight, and bias-audit obligation that applies to the deployer;
- the Controller is solely responsible for any GDPR Article 22 disclosure to Data Subjects, for offering meaningful information about the logic involved, and for ensuring a human-in-the-loop review where applicable;
- the Controller indemnifies us against any claim from a Data Subject or any third party arising from the operation of that AI system, as set out in the indemnification clause of the Terms of Use.
We will, at the Controller's reasonable request and at the Controller's expense, provide commercially reasonable assistance to the Controller's DPIA scoped to the agent-token activity. We do not undertake to opine on the lawfulness of the Controller's AI deployment.
Subprocessors
The Controller grants us general written authorisation to engage Subprocessors. The current list, including each Subprocessor's role, processing location, and the transfer mechanism we rely on for that Subprocessor's flow, is published at /legal/subprocessors and is incorporated into this DPA by reference. The Subprocessors page is the authoritative list for Article 28(3)(d) purposes.
We impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and we remain liable to the Controller for the acts and omissions of our Subprocessors as if they were our own, subject to the limitation of liability in the Terms of Use.
Sub-processor changes
The Subprocessors page is the authoritative list of Subprocessors engaged by us at any given time. We update the Subprocessors page when we add, remove, or replace a Subprocessor. Updates to the Subprocessors page take effect on publication; the Controller is deemed informed of any change by reference to the published page, which the Controller is responsible for monitoring.
The Controller's general written authorisation to engage Subprocessors (granted in the Subprocessors section above) extends to all Subprocessors listed on the Subprocessors page from time to time. The Controller's sole and exclusive remedy if it does not wish to continue with a Subprocessor change is to terminate the account under the Termination clause of the Terms of Use.
Security measures
We implement appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, cost of implementation, the nature, scope, context, and purposes of the Processing, and the risks to Data Subjects of varying likelihood and severity. Current measures include:
- Encryption of Personal Data in transit using TLS 1.3.
- At-rest encryption for high-PII tables (rolling out per our security roadmap; current scope is documented at /trust).
- Role-based access control with least-privilege defaults at the application layer; row-level security at the database layer; vhost / path access-control at the edge layer.
- Multi-factor authentication on administrative accounts (currently TOTP-based with hardware-key support on the roadmap).
- Append-only audit logging with hash-chaining for the administrative plane and trigger-enforced immutability for the customer plane.
- Secrets stored as Docker secrets (never in environment variables); secrets rotation on personnel events; vault-backed key material for at-rest encryption rollout.
- Automated dependency scanning, container-image vulnerability scanning, and gitleaks-based secret scanning in the CI pipeline.
- Backup procedures with periodic restore tests; backup retention scoped to the legal-obligation period and aligned with the deletion cascade described in the Privacy Policy.
- Personnel onboarding, offboarding, and access-review procedures; confidentiality and security obligations binding on personnel.
- Documented incident-response and breach-notification procedures.
- Error-monitoring with payload-scrubbing configured to remove request bodies, authentication headers, cookies, and user identifiers before transmission to our error-monitoring Subprocessor.
The measures above are subject to revision over time as the state of the art and the threat landscape evolve. We will not materially reduce the level of protection during the term.
Personal-data breaches
We will notify the Controller of a Personal Data Breach affecting the Controller's Personal Data without undue delay after becoming aware of it, in accordance with EU GDPR / UK GDPR Article 33 and Article 28(3)(f). The notification will include, to the extent then known and to the extent the information is reasonably available to us:
- a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- contact information for follow-up.
We may provide information in stages as it becomes available. The Controller is responsible for any notification required to be made by the Controller to a supervisory authority under Article 33 or to Data Subjects under Article 34. We will provide reasonable assistance to the Controller, at the Controller's expense, in complying with those obligations.
Assistance with data-subject requests
Taking into account the nature of the Processing, we will assist the Controller, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for the exercise of Data Subject rights under EU GDPR / UK GDPR Articles 15 to 22.
Where a Data Subject contacts us directly with a request relating to the Controller's Customer Data, we will refer the Data Subject to the Controller without disclosing the Personal Data, except where the request relates to data we Process in our own controller capacity (such as a marketing visitor) — in which case we will respond directly.
Reasonable, proportionate assistance with isolated Data Subject requests is included in the Service. Where a Controller's requests are excessive — in particular, repetitive, or involving manual data-extraction beyond commercially reasonable limits — we may charge for the additional work at our then-current professional-services rates and may, with notice, decline a manifestly unfounded or excessive request.
DPIA assistance
We will provide reasonable assistance to the Controller, at the Controller's request and at the Controller's expense, in carrying out a Data Protection Impact Assessment under EU GDPR / UK GDPR Article 35 and a prior consultation under Article 36, where the Controller is required to do so in respect of Processing carried out using the Service.
We will, in particular, provide reasonable assistance to the Controller's DPIA where the Controller has enabled the agent API and the connected automated system constitutes an AI system under EU AI Act Annex III §4 (employment monitoring), as described in the Customer-orchestrated AI section above.
Audits
We will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may, no more than once per 12-month period and on at least 30 days' written notice, conduct an audit of our compliance with this DPA, either by reviewing our written documentation (including, where available, third-party attestations) or — at the Controller's expense and through an independent third-party auditor not engaged in any business that competes with us and bound by written confidentiality obligations — through a controlled on-site or remote audit.
Audits must (a) avoid disrupting the Service or our other customers, (b) respect the confidentiality and integrity of other customers' data, (c) be conducted during our normal business hours, (d) not include penetration testing, vulnerability scanning, or any active probe of our infrastructure unless we have specifically agreed in writing, and (e) be limited in scope to the Controller's Processing under this DPA.
We may, at our discretion, satisfy the audit obligation by providing recent third-party attestations (such as a SOC 2 Type II report or an ISO 27001 certificate, when available) under our standard non-disclosure terms, in lieu of a controlled audit.
Any audit-related cost we incur — including, without limitation, the cost of personnel time at our then-current professional-services rates — is borne by the Controller. The Controller will promptly share with us any findings of an audit so that we may address them.
International data transfers
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country outside that origin region that is not the subject of an adequacy decision in force at the time of transfer, we rely on:
- Standard Contractual Clauses — Module 3 (processor-to-processor) where we onward-transfer Personal Data to a Subprocessor outside the EEA; Module 2 (controller-to-processor) where the Controller is required to transfer to us as Processor;
- UK Addendum — appended to the SCCs where the data subject is in the United Kingdom;
- Swiss DPA addendum — appended to the SCCs where the data subject is in Switzerland.
We have completed a Transfer Impact Assessment under Schrems II for each Subprocessor's flow and applied supplementary measures — including TLS encryption in transit, strict access control, and contractual restrictions on government-access requests — where appropriate. The TIA conclusions are summarised at /legal/subprocessors; full TIAs are available on request and under our standard non-disclosure terms.
The Controller acknowledges that LW Agency Limited is incorporated in the Hong Kong Special Administrative Region of the People's Republic of China, that support and operations personnel based there may have access to Personal Data for the purposes set out in this DPA, and that this access is covered by the SCCs and TIA.
Term, return & deletion
This DPA remains in force for as long as we Process Personal Data on the Controller's behalf. On termination of the Service, we will, at the Controller's choice, delete or return all Personal Data, subject to:
- a 30-day grace period for export, during which the Controller may retrieve Personal Data via the standard export tooling;
- any retention required by applicable law (including but not limited to billing and tax records retained for up to seven years and audit logs retained for up to seven years for fraud-investigation purposes);
- encrypted-backup retention as described in the Privacy Policy (pseudonymised remnants persist for up to 14 days after the source data is deleted);
- information that is required to be retained for the establishment, exercise, or defence of legal claims under EU GDPR / UK GDPR Article 17(3)(e).
Where the Controller does not specify a choice within 30 days of termination, we may, at our discretion, delete the Customer Data.
Liability
Each party's liability under or in connection with this DPA is subject to the same limitations and exclusions of liability set out in the Terms of Use. The cap on aggregate liability under the Terms of Use applies to all claims under this DPA in the aggregate, except where applicable law requires otherwise.
Contact
For DPA-specific questions or to request a counter-signed copy, email legal@chrono-ledger.com. For privacy and data-subject queries, email privacy@chrono-ledger.com.
Postal address: LW Agency Limited, Unit 2A, 17/F, Glenealy Tower, No. 1 Glenealy, Central, Hong Kong S.A.R.