About this DPA
This Data Processing Agreement ("DPA") applies when Akauntants processes personal data on behalf of a business customer ("Controller") in the course of providing the Akauntants service. It supplements the Terms of Service and is entered into between the Controller (the business using Akauntants) and Akauntants ("Processor").
This DPA is required by Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations for personal data processing arrangements between personal information controllers and personal information processors.
By using the Akauntants service, business customers acknowledge and agree to this DPA. For a signed PDF copy suitable for regulatory submission, see the Download section below.
Definitions
- Controller / Personal Information Controller (PIC): The business customer who determines the purposes and means of processing personal data through the Akauntants service.
- Processor / Personal Information Processor (PIP): Akauntants, which processes personal data on behalf of the Controller.
- Personal data: Any information that identifies or can identify a natural person, as defined in RA 10173.
- Processing: Any operation performed on personal data, including collection, recording, storage, use, disclosure, and deletion.
- Data subject: The natural person whose personal data is processed (e.g., your customers, employees, vendors).
- Sub-processor: A third party engaged by Akauntants to process personal data in connection with the service.
- NPC: The National Privacy Commission of the Philippines.
Scope of processing
Akauntants processes personal data on the Controller's behalf for the purpose of providing the accounting, payroll, BIR compliance, and related features of the Akauntants service as described in the Terms of Service.
The categories of personal data processed may include: names, contact information, Philippine Identification Numbers (TIN, SSS, PhilHealth, Pag-IBIG), salary and compensation data, bank account details, and other data entered by the Controller's authorized users.
Akauntants will process personal data only as instructed by the Controller through use of the service, or as required by applicable law.
Controller obligations
The Controller agrees to:
- Have a lawful basis for all personal data provided to Akauntants for processing.
- Provide accurate and complete personal data.
- Comply with RA 10173 in its capacity as a Personal Information Controller.
- Implement its own privacy notices to data subjects covering the processing performed through Akauntants.
- Manage team member access to the Akauntants organization appropriately.
- Promptly inform Akauntants of any changes in instructions that may affect processing.
Processor obligations
Akauntants agrees to:
- Process personal data only on the documented instructions of the Controller.
- Ensure that personnel who access personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Security measures).
- Assist the Controller in fulfilling data subject rights requests.
- Notify the Controller of data breaches without undue delay (see Data breach notification).
- Delete or return all personal data to the Controller upon termination, at the Controller's option, unless legal retention obligations apply.
- Provide reasonable assistance to the Controller for privacy impact assessments when required by law.
Sub-processors
The Controller hereby grants Akauntants general authorization to engage sub-processors necessary to provide the service, subject to the conditions in this section.
Akauntants will inform the Controller of any intended addition or replacement of sub-processors by updating the sub-processor list in our Privacy Policy with at least 30 days' notice. The Controller may object to a new sub-processor within this notice period. If the objection cannot be resolved, either party may terminate the affected services with 30 days' written notice.
Akauntants will impose data protection obligations on sub-processors equivalent to those in this DPA. The current list of sub-processors is available in our Privacy Policy — Third-party processors section.
International transfers
Akauntants may transfer personal data to sub-processors located outside the Philippines (see sub-processor list). We implement appropriate safeguards for such transfers, which may include Standard Contractual Clauses, adequacy decisions, or other mechanisms recognized under RA 10173 and NPC regulations.
Specific transfer mechanisms for each sub-processor are disclosed in our Privacy Policy and may be provided to the Controller on request.
Security measures
Akauntants implements the following technical and organizational security measures:
- Encryption in transit: TLS 1.3 for all data transmissions.
- Encryption at rest: AES-256 for sensitive personal data fields.
- Access control: Role-based access control (RBAC) following the principle of least privilege. Dual-control approvals for privileged operations.
- Audit logging: Hash-chained audit logs for all significant data access and modification events.
- Backup: Encrypted daily backups with 15-day retention.
- Infrastructure: Dedicated VPS with firewall and DDoS protection (Cloudflare).
- Personnel: Access restricted to authorized personnel; confidentiality agreements in place.
Data breach notification
In the event of a personal data breach affecting the Controller's data, Akauntants will:
- Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach.
- Provide, as far as possible: the nature of the breach, categories of data affected, estimated number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Controller in fulfilling its own notification obligations to the NPC and affected data subjects under RA 10173.
Data subject rights
When Akauntants receives a request from a data subject that relates to the Controller's data (e.g., a request from one of the Controller's customers or employees), Akauntants will promptly forward the request to the Controller and provide reasonable assistance to the Controller in responding to it.
The Controller is responsible for responding to data subject requests within the timeframes required by RA 10173.
Audit rights
The Controller may, at its own expense, request an audit of Akauntants' compliance with this DPA no more than once per 12-month period, with at least 30 days' written notice. Audits must be conducted during business hours and must not unreasonably disrupt Akauntants' operations. In lieu of an on-site audit, Akauntants may provide a written certification or third-party audit report demonstrating compliance.
Termination
This DPA remains in effect for as long as Akauntants processes personal data on behalf of the Controller. Upon termination of the Terms of Service, Akauntants will, at the Controller's election, return or delete all personal data within 90 days, except where Philippine law requires longer retention. Akauntants will confirm deletion in writing upon request.
Download signed DPA
A pre-signed PDF version of this Data Processing Agreement, suitable for submission to regulators, auditors, or enterprise procurement, is available for download below.
For enterprise customers requiring a custom or mutually negotiated DPA, contact legal@akauntants.cloud.
Last updated: April 2026
This document is a draft pending review by Philippine legal counsel. Material changes will be communicated 30 days in advance.
Questions? Email legal@akauntants.cloud