Effective Date: 2026-05-29 · Version 1.0
1. Roles
Client is the data controller (or business under CCPA). Troy Accounting is the data processor (or service provider under CCPA) for personal data processed under the engagement letter.
2. Scope & Purpose
We process personal data only as necessary to perform the services described in the engagement letter and on documented instructions from the client.
3. Categories of Data
Typically: employee names, addresses, Social Security numbers (for payroll), bank routing details, compensation data, contractor identifying information, customer/vendor contact data appearing in transaction records.
4. Security Measures
Encryption in transit (TLS 1.3) and at rest (AES-256); mandatory multi-factor authentication; role-based access controls with least-privilege defaults; comprehensive audit logging; documented incident response; alignment with IRS Publication 4557 and the FTC Safeguards Rule; SOC 2 Type II audit in progress.
5. Sub-Processors
Current sub-processors are listed at /subprocessors.html. We will notify clients before adding or replacing sub-processors and provide a reasonable objection window.
6. International Transfers
Where applicable, transfers from the EEA / UK / Switzerland to the U.S. are governed by Standard Contractual Clauses incorporated into this DPA, with supplementary technical and organizational measures.
7. Data Subject Rights
We assist the client in responding to data-subject requests, complying with regulatory inquiries, and conducting data-protection impact assessments where required.
8. Personal Data Breach
We notify the client of any confirmed personal-data breach affecting their data within 48 hours of becoming aware, with available information and remediation status.
9. Audit
On reasonable notice and during business hours, the client may audit our compliance with this DPA, or accept our most recent SOC 2 report once available.
10. Deletion or Return
On termination of the engagement, we return or delete client personal data as the client directs, subject to our legal record-retention obligations (typically 7 years for tax-related records).