Data Processing Addendum (Template)

This Data Processing Addendum (“DPA”) is a template for bookkeepers, accounting firms, and other professional advisors who process personal data through SyncMyPayout on behalf of their merchant clients, or who need a processor agreement for enterprise review. It supplements the SyncMyPayout Terms of Service and Privacy Policy.

Last updated: July 17, 2026

How to use this template

  • Public reference for early customers and App Store / security questionnaires
  • For a signed DPA, email legal@syncmypayout.com with your firm legal name and the merchant organizations in scope
  • This page is not a substitute for counsel review on high-risk or multi-jurisdiction engagements

1. Parties and roles

“Customer” means the organization that holds a SyncMyPayout account (merchant or firm). “SyncMyPayout” means the provider of the Service. Where Customer is a bookkeeping firm acting for end merchants, Customer is typically the controller (or processor to the merchant) and SyncMyPayout is a processor (or sub-processor) for personal data processed in the Service solely on Customer’s documented instructions.

Customer instructions are: (a) the configuration and use of the Service by Customer’s authorized users; (b) this DPA; and (c) the Terms of Service.

2. Subject matter and duration

SyncMyPayout processes personal data to provide bookkeeping software: account administration, integration connectivity, payout categorization, journal posting to connected GLs, exports, close workflows, support, and security. Processing lasts for the subscription term plus deletion/return periods in Section 9 and legal retention needs.

3. Nature and purpose of processing

  • Host and secure Customer Content in multi-tenant infrastructure
  • Sync financial payout and accounting metadata from authorized platforms
  • Generate categorizations, explanations, and exports
  • Authenticate users and log security-relevant events
  • Process billing via Stripe (payment data handled by Stripe)

4. Types of personal data

Depending on Customer configuration, categories may include:

  • Identity and contact data of Customer’s users (name, email, authentication data)
  • Business identifiers (organization name, shop domain, QBO realm)
  • Financial bookkeeping data linked to the Customer’s commerce and GL systems (payouts, fees, journal metadata)
  • Limited technical data (IP, logs) generated by use of the Service
  • Incidental customer identifiers if present in integration payloads (not used for marketing)

Special categories of data (sensitive health, etc.) are not required for the Service; Customer must not intentionally submit them.

5. Data subjects

  • Customer’s employees, contractors, and invited advisors
  • End merchants (when Customer is a firm managing client orgs)
  • Incidental data subjects appearing in commerce payout payloads

6. SyncMyPayout obligations

SyncMyPayout shall:

  • Process personal data only on documented instructions from Customer, including regarding transfers, unless required by law (in which case SyncMyPayout informs Customer if legally permitted)
  • Ensure persons authorized to process personal data are bound by confidentiality
  • Implement appropriate technical and organizational measures (encryption of OAuth tokens and certain sensitive fields at rest, access controls, rate limiting, audit logging, optional MFA)
  • Not engage sub-processors without the framework in Section 7
  • Assist Customer, where reasonably possible, with data subject requests, DPIAs, and breach notifications, taking into account the nature of processing
  • Make available information necessary to demonstrate compliance with this DPA upon reasonable written request (not more than annually unless a material incident)

7. Sub-processors

Customer authorizes SyncMyPayout to use sub-processors necessary to deliver the Service, including infrastructure hosting, database hosting, payment processing (Stripe), email delivery, and the third-party platforms Customer connects (Shopify, Intuit). SyncMyPayout remains responsible for sub-processor performance as required by applicable law.

SyncMyPayout will maintain an up-to-date description of core sub-processor categories in the Privacy Policy. Material changes to sub-processor categories may be notified by updating that policy or by email for customers who request notice. Customer may object on reasonable data-protection grounds within 15 days; if unresolved, Customer may terminate the affected subscription as its sole remedy.

8. International transfers

Where personal data is transferred from the EEA/UK/Switzerland to a country not deemed adequate, SyncMyPayout will ensure a valid transfer mechanism (for example EU Standard Contractual Clauses / UK addendum) is in place with relevant sub-processors, or another lawful basis applies.

9. Return and deletion

Upon termination of the Service, Customer may export available data through product features (for example CPA PDF export) while the account remains accessible. After termination, SyncMyPayout will delete or de-identify Customer personal data within a commercially reasonable period (target: 30–90 days), except copies retained in encrypted backups until rotation, and data retained as required by law, dispute resolution, or security (for example limited audit records).

Shopify-mandated redaction webhooks are handled as described in the Privacy Policy and product compliance handlers.

10. Security incidents

SyncMyPayout will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably available to help Customer meet legal notification duties. Notification is not an admission of fault.

11. Customer obligations

Customer shall:

  • Ensure it has a lawful basis and necessary notices/consents to process personal data through SyncMyPayout
  • Configure integrations and user access appropriately (least privilege, MFA recommended)
  • Not use the Service to process prohibited or special-category data without a written agreement
  • Remain responsible for accuracy of books and for any advice given to end merchants

12. Liability and order of precedence

Liability under this DPA is subject to the limitations and exclusions in the Terms of Service, except to the extent prohibited by applicable data protection law. If there is a conflict between this DPA and the Terms regarding data protection, this DPA controls for that subject.

13. Governing law

This DPA follows the governing law and dispute provisions of the Terms of Service, unless mandatory data-protection law requires otherwise.

14. Contact / requesting a signed copy

Email legal@syncmypayout.com with: firm legal name, jurisdiction, signatory name/title, and SyncMyPayout organization IDs or billing emails in scope. We may provide a countersigned PDF or e-sign version of this template (or a mutually agreed variant) for firm customers.