Skip to content
Get Started

DATA PROCESSING AGREEMENT

Last Updated: April 20, 2026

This Data Processing Agreement (“DPA”) forms part of the LedgerPort Terms and Conditions of Use (the “Terms”) between the entity identified in the LedgerPort account registration (the “Customer,” “Controller,” “you,” or “your”) and PushEngage LLC, a Florida limited liability company, doing business as LedgerPort, located at 400 Executive Center Dr, Ste 208, West Palm Beach, Florida 33401 (“LedgerPort,” “Processor,” “we,” “our,” or “us”).

This DPA applies to the processing of Personal Data by LedgerPort on behalf of the Customer in connection with the provision of the LedgerPort data synchronization services (the “Services”). In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of Personal Data.

By subscribing to and using the Services, the Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its end customers and other data subjects whose Personal Data is processed through the Services.

1. Definitions

“Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including, where applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”); (b) the EU General Data Protection Regulation 2016/679 (“GDPR”); (c) the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”); and (d) any other applicable privacy or data protection legislation.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by LedgerPort on behalf of the Customer in connection with the Services. This includes “personal information” as defined by the CCPA and “personal data” as defined by the GDPR and UK GDPR.

“Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by LedgerPort in connection with the Services.

“Sub-Processor” means any third party engaged by LedgerPort to process Personal Data on behalf of the Customer in connection with the Services.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as may be amended, superseded, or replaced from time to time.

2. Roles and Scope of Processing

2.1 Roles

The Customer is the Controller (or “business” under the CCPA) of Personal Data processed through the Services. LedgerPort is the Processor (or “service provider” under the CCPA) that processes Personal Data solely on behalf of and under the documented instructions of the Customer.

2.2 Scope of Processing

The details of the processing are as follows:

Subject Matter: Synchronization of e-commerce and financial data between the Customer’s connected Third-Party Platforms (e.g., Shopify, QuickBooks Online, Xero, WooCommerce, Magento, Amazon) via the LedgerPort Services.

Duration: For the term of the Customer’s subscription to the Services, plus thirty (30) calendar days for data deletion following termination, subject to any legal or regulatory retention obligations.

Nature and Purpose: Automated data synchronization, transformation, mapping, and transmission of e-commerce and financial records between the Customer’s connected platforms, as configured by the Customer through the Services.

Types of Personal Data Processed:

  • Names (of Customer’s end customers, contacts, and account users)
  • Email addresses
  • Phone numbers
  • Physical addresses (billing and shipping)
  • Order and transaction details (order IDs, amounts, dates, line items)
  • Payment information (payment methods, gateway references — not full card numbers)
  • Product purchase history
  • Account credentials (usernames, hashed passwords, OAuth tokens)

Categories of Data Subjects:

  • The Customer’s end customers (individuals whose orders, contact information, and transaction data are synced)
  • The Customer’s employees and Authorized Users who access the Services
  • The Customer’s business contacts stored in connected accounting platforms

3. Customer Obligations

3.1. The Customer warrants that: (a) it has a lawful basis under applicable Data Protection Laws for the collection and processing of Personal Data that it provides to or makes accessible through the Services; (b) it has provided all required notices and obtained all necessary consents or authorizations from data subjects whose Personal Data will be processed through the Services; and (c) its instructions to LedgerPort regarding the processing of Personal Data comply with all applicable Data Protection Laws.

3.2. The Customer is solely responsible for the accuracy, quality, and legality of the Personal Data provided to or processed through the Services, and for the means by which the Customer acquired such data.

3.3. The Customer shall promptly notify LedgerPort if it becomes aware of any circumstances that may affect LedgerPort’s ability to comply with its obligations under this DPA.

4. LedgerPort Obligations

4.1. Processing Instructions. LedgerPort shall process Personal Data only on behalf of and in accordance with the Customer’s documented instructions. The Customer’s instructions are documented in: (a) this DPA; (b) the Terms; and (c) the Customer’s sync configuration settings within the Services. LedgerPort shall promptly inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.

4.2. Confidentiality. LedgerPort shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

4.3. Security. LedgerPort shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Encryption of Personal Data in transit using TLS/SSL protocols
  • Encryption of stored OAuth tokens, credentials, and other sensitive data at rest
  • Role-based access controls limiting access to Personal Data to authorized personnel on a need-to-know basis
  • Regular security assessments, vulnerability scanning, and penetration testing
  • Secure hosting on Google Cloud Platform with enterprise-grade infrastructure, network isolation, and firewall protections
  • Automated monitoring and alerting for suspicious activity and unauthorized access attempts
  • Secure software development lifecycle practices, including code reviews and dependency management
  • Employee security awareness training

4.4. CCPA Compliance. To the extent that LedgerPort processes Personal Data subject to the CCPA on behalf of the Customer, LedgerPort: (a) shall not sell or share (as defined by the CCPA) the Personal Data; (b) shall not retain, use, or disclose the Personal Data for any purpose other than the business purposes specified in the Terms and this DPA, or as otherwise permitted by the CCPA; (c) shall not retain, use, or disclose the Personal Data outside of the direct business relationship between LedgerPort and the Customer; and (d) certifies that it understands the restrictions set forth in this Section 4.4 and will comply with them.

4.5. Assistance with Data Subject Rights. LedgerPort shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, data portability, restriction, and objection). If LedgerPort receives a request directly from a data subject, LedgerPort shall promptly redirect the data subject to the Customer and notify the Customer of the request.

4.6. Assistance with Compliance. LedgerPort shall assist the Customer in ensuring compliance with its obligations under applicable Data Protection Laws with respect to: (a) the security of processing; (b) notification of Security Incidents; (c) data protection impact assessments (where required); and (d) prior consultation with supervisory authorities (where required). Such assistance shall be provided taking into account the nature of processing and the information available to LedgerPort.

4.7. Data Deletion. Upon termination or expiration of the Customer’s subscription, LedgerPort shall, at the Customer’s choice, delete or return all Personal Data processed on behalf of the Customer within thirty (30) calendar days, and delete existing copies unless applicable law requires further storage. The Customer acknowledges that after the thirty (30) day deletion period, LedgerPort shall have no obligation to maintain or provide any Personal Data.

5. Security Incident Notification

5.1. Notification. LedgerPort shall notify the Customer of any Security Incident without undue delay after becoming aware of such incident. Where feasible, notification shall be made within seventy-two (72) hours of LedgerPort becoming aware of the Security Incident.

5.2. Content of Notification. The notification shall include, to the extent reasonably available:

  • A description of the nature of the Security Incident, including the categories and approximate number of data subjects and Personal Data records affected
  • The name and contact details of LedgerPort’s point of contact for further information
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects

5.3. Cooperation. LedgerPort shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Security Incident. LedgerPort shall also assist the Customer in complying with any breach notification obligations under applicable Data Protection Laws, including the California breach notification requirements under Cal. Civ. Code § 1798.82.

5.4. Limitations. LedgerPort’s obligation to report or respond to a Security Incident under this Section 5 is not and will not be construed as an acknowledgment by LedgerPort of any fault or liability with respect to the Security Incident.

6. Sub-Processors

6.1. Authorized Sub-Processors. The Customer provides general written authorization for LedgerPort to engage Sub-Processors to process Personal Data on behalf of the Customer. The current list of authorized Sub-Processors is set forth in Schedule 1 (Sub-Processor List) below and is also maintained at www.ledgerport.com/sub-processors.

6.2. Sub-Processor Obligations. LedgerPort shall: (a) enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA; (b) remain fully liable to the Customer for the performance of each Sub-Processor’s obligations; and (c) ensure that each Sub-Processor provides sufficient guarantees to implement appropriate technical and organizational measures.

6.3. Changes to Sub-Processors. LedgerPort shall notify the Customer by email at least thirty (30) days before engaging any new Sub-Processor or replacing an existing Sub-Processor. The notice shall identify the new Sub-Processor, describe its processing activities, and state its location. If the Customer objects to a new Sub-Processor on reasonable grounds related to data protection, the Customer shall notify LedgerPort in writing within fifteen (15) days of receiving notice. The parties shall work together in good faith to find a mutually acceptable resolution. If no resolution can be reached within thirty (30) days of the Customer’s objection, the Customer may terminate the affected Services without penalty by providing written notice to LedgerPort.

7. International Data Transfers

7.1. The Services are hosted on infrastructure located in the United States. Personal Data processed through the Services is stored and processed in the United States.

7.2. To the extent that the processing of Personal Data involves a transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the parties agree that such transfers shall be subject to the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference into this DPA. For transfers from the UK, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office shall apply.

7.3. LedgerPort shall implement appropriate supplementary measures to ensure that the level of protection of Personal Data is not undermined by the transfer, taking into account the laws and practices of the destination country.

Note: LedgerPort is currently focused on the United States market. As the Services expand to serve customers in the EEA and UK, LedgerPort will execute the applicable Standard Contractual Clauses and make them available for Customer co-signature at www.ledgerport.com/legal.

8. Audit Rights

8.1. LedgerPort shall make available to the Customer, on request, all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.

8.2. The Customer (or a qualified, independent third-party auditor appointed by the Customer) may conduct an audit of LedgerPort’s processing activities and security measures, subject to the following conditions:

  • The Customer shall provide at least thirty (30) days’ prior written notice of any audit request
  • Audits shall be conducted during normal business hours, no more than once per twelve (12) month period, unless a Security Incident or regulatory requirement necessitates an additional audit
  • The Customer shall ensure that the auditor executes a confidentiality agreement acceptable to LedgerPort before the audit commences
  • Audits shall be conducted in a manner that minimizes disruption to LedgerPort’s business operations
  • The Customer shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by LedgerPort

8.3. As an alternative to an on-site audit, LedgerPort may, at its discretion, provide the Customer with: (a) a copy of any applicable SOC 2 Type II report, ISO 27001 certification, or equivalent third-party audit report; or (b) written responses to the Customer’s reasonable audit questions. Where such documentation is provided and reasonably addresses the Customer’s audit requirements, the Customer agrees that this shall satisfy the audit right for the applicable period.

9. Liability

9.1. Each party’s total aggregate liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Terms.

9.2. Nothing in this DPA shall limit either party’s liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; or (c) any liability that cannot be excluded or limited under applicable law.

10. Term and Termination

10.1. This DPA shall come into effect on the date the Customer first subscribes to the Services and shall remain in effect for the duration of LedgerPort’s processing of Personal Data on behalf of the Customer.

10.2. Upon termination of the Terms, LedgerPort shall comply with the data deletion obligations set forth in Section 4.7 of this DPA.

10.3. Sections 1 (Definitions), 4.7 (Data Deletion), 5 (Security Incident Notification), 8 (Audit Rights), 9 (Liability), and this Section 10.3 shall survive termination of this DPA.

11. General Provisions

11.1. Governing Law. This DPA shall be governed by the laws of the State of Florida, without regard to conflict of law provisions, except where applicable Data Protection Laws require the application of a different governing law for specific provisions (such as the Standard Contractual Clauses, which shall be governed by the law of the EU Member State in which the Controller is established).

11.2. Amendments. LedgerPort may update this DPA from time to time to reflect changes in its data processing practices, Sub-Processors, or applicable Data Protection Laws. LedgerPort shall notify the Customer of material changes at least thirty (30) days before they take effect. Continued use of the Services after such notice constitutes acceptance of the updated DPA.

11.3. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

11.4. Entire DPA. This DPA, together with the Terms and the Privacy Policy, constitutes the complete agreement between the parties with respect to the processing of Personal Data in connection with the Services.

11.5. Contact. For questions or concerns regarding this DPA or LedgerPort’s data processing practices, please contact:

LedgerPort (operated by PushEngage LLC) — Privacy
400 Executive Center Dr, Ste 208
West Palm Beach, Florida 33401
Email: [email protected]

Schedule 1: Authorized Sub-Processors

Effective as of April 20, 2026. The current sub-processor list is also maintained at www.ledgerport.com/sub-processors.

Sub-ProcessorPurposeLocationData Processed
Google Cloud Platform (Google LLC)Cloud infrastructure hosting, database hosting, data processing, and storageUnited StatesAll Personal Data processed through the Services
Stripe, Inc.Credit/debit card payment processing for direct subscriptionsUnited StatesCustomer name, email, billing address, payment card details (tokenized)
Shopify Inc.App billing for Shopify-installed subscriptions; e-commerce platform integrationCanada / United StatesCustomer name, email, Shopify account ID, billing information; e-commerce data as configured
Intuit Inc. (QuickBooks Online)Accounting platform integrationUnited StatesAccounting data and customer records as configured by the Customer
Xero LimitedAccounting platform integration (planned)New Zealand / GlobalAccounting data and customer records as configured by the Customer
LindrisTransactional and marketing email deliveryUnited StatesCustomer name, email address, email content
FreeScout (self-hosted)Customer support ticket managementUnited States (hosted on LedgerPort infrastructure)Customer name, email address, support ticket content
Google LLC (Analytics)Website and product usage analyticsUnited StatesIP address (anonymized), device information, browsing behavior, usage data
Meta Platforms, Inc.Marketing campaign measurement and advertisingUnited StatesIP address, device information, browsing behavior (via pixel)

This sub-processor list is subject to change in accordance with Section 6.3 of this DPA. Customers will be notified at least thirty (30) days before any new sub-processor is engaged.

Schedule 2: Technical and Organizational Measures

LedgerPort implements the following technical and organizational measures to protect Personal Data processed through the Services:

Access Control

  • Multi-factor authentication for LedgerPort administrative access
  • Role-based access controls (RBAC) for all internal systems
  • Principle of least privilege applied to all personnel and service accounts
  • Unique user credentials for all personnel; shared accounts prohibited
  • Automated provisioning and de-provisioning of access upon employee onboarding and offboarding

Encryption

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption for OAuth tokens and sensitive credentials at rest
  • Google Cloud Platform default encryption at rest for all stored data
  • Encrypted database backups

Network Security

  • Web application firewall (WAF) protecting public-facing endpoints
  • Network segmentation and isolation between production, staging, and development environments
  • DDoS mitigation services
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning of external and internal systems

Application Security

  • Secure software development lifecycle (SDLC) with security reviews
  • Dependency vulnerability scanning and automated patching
  • Input validation and output encoding to prevent injection attacks
  • Regular code reviews with security focus
  • Automated security testing in CI/CD pipelines

Data Handling

  • Personal Data segregated by Customer account; no cross-tenant data access
  • Automated data deletion within thirty (30) days of account termination
  • Sync logs and audit trails maintained per subscription plan retention periods
  • OAuth tokens encrypted and stored separately from application data
  • Backup data encrypted and retained for disaster recovery purposes only

Monitoring and Incident Response

  • 24/7 automated monitoring of infrastructure and application health
  • Centralized logging with tamper-evident log storage
  • Documented incident response plan with defined escalation procedures
  • Regular incident response drills and tabletop exercises
  • Post-incident review and remediation tracking

Personnel

  • Background checks for all employees with access to production systems
  • Confidentiality agreements for all personnel
  • Annual security awareness training
  • Clear desk and screen lock policies

Business Continuity

  • Automated daily database backups with geographic redundancy
  • Disaster recovery plan with defined recovery time objectives (RTO) and recovery point objectives (RPO)
  • Regular backup restoration testing