Data Processing Agreement
When you use Hasb to process personal data about people other than you (your customers, vendors, staff), Hasb acts as a processor on your behalf and you act as the controller. This Data Processing Agreement ("DPA") governs that relationship. It is incorporated into the Terms of Service by reference.
1. Definitions
Terms not defined here have the meaning given in the Terms of Service or, where relevant, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, or the UAE Federal Decree-Law No. 45/2021 on Personal Data Protection ("UAE PDPL").
- Controller = you (the Customer).
- Processor = Hasb.
- Sub-processor = a third party engaged by Hasb to process Customer Personal Data on your behalf.
- Customer Personal Data = personal data inside Customer Data that Hasb processes on the Controller's behalf.
2. Subject matter, duration, nature & purpose
| Subject matter | Provision of the Hasb cloud accounting service. |
|---|---|
| Duration | Until termination of the Customer's account, plus the export window and statutory retention. |
| Nature & purpose | Hosting, storing, parsing, transforming, retrieving, displaying, and erasing Customer Personal Data to provide the Service as the Customer instructs. |
| Categories of data subjects | Customer's employees, customers, suppliers, contractors, beneficial owners, and any other natural person whose data the Customer chooses to put into the Service. |
| Categories of personal data | Identification data, contact data, financial transaction data, tax identification numbers (TRN), banking details, payroll data; optionally, copies of identity documents, salary information, beneficial-ownership data. |
| Special categories | None expected. The Customer must not upload special-category data (Art. 9 GDPR — health, biometric, political, religious, etc.) unless strictly necessary for accounting and lawful in their jurisdiction. |
3. Processor obligations
Hasb shall:
- process Customer Personal Data only on documented instructions from the Controller, including with regard to transfers, unless required to do otherwise by applicable law;
- ensure that personnel authorised to process Customer Personal Data have committed to confidentiality;
- implement and maintain appropriate technical and organisational measures (Annex II);
- respect the conditions for engaging sub-processors (clause 5);
- taking into account the nature of the processing, assist the Controller in fulfilling its obligation to respond to data-subject rights requests;
- assist the Controller in ensuring compliance with security, breach notification, data-protection-impact-assessment, and prior-consultation obligations;
- at the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless retention is required by law;
- make available to the Controller all information necessary to demonstrate compliance and allow for audits as set out in clause 7.
4. Confidentiality & staff access
Hasb staff who may access Customer Personal Data are bound by written confidentiality obligations, complete data-protection training, and operate under a least-privilege access model. Staff access only occurs in the narrow Trust Exceptions defined in the Privacy Policy (clause 6 of that document). Each access is audit-logged.
5. Sub-processors
The Controller hereby gives a general written authorisation for the engagement of sub-processors. The current list is at /subprocessors. Hasb will inform the Controller of intended changes (additions or replacements) at least 30 days in advance. The Controller may object on reasonable data-protection grounds; if a resolution cannot be reached, the Controller may terminate the affected subscription without penalty for the unused term.
Hasb shall impose on each sub-processor data-protection obligations no less protective than those in this DPA, and remains liable to the Controller for the performance of each sub-processor's obligations.
6. International transfers
Where Customer Personal Data is transferred across borders (out of the UAE, the EEA or the UK, as applicable), Hasb relies on (a) adequacy decisions where available; (b) the EU Standard Contractual Clauses, with the UK Addendum where required, for transfers out of the EEA or UK; and (c) UAE PDPL transfer mechanisms approved by the UAE Data Office for transfers out of the UAE. Supplementary technical and contractual safeguards apply.
7. Audits & information rights
On no less than 30 days' written notice, and no more than once in any twelve-month period (except where required by a supervisory authority or following a personal-data breach), the Controller may audit Hasb's compliance with this DPA. Audits shall (a) be conducted during business hours; (b) not unreasonably interfere with Hasb's business; (c) be subject to confidentiality; and (d) where possible, be satisfied by Hasb providing the Controller with copies of relevant third-party audit reports (e.g., SOC 2 Type II, ISO/IEC 27001) before any on-site audit.
8. Personal-data breach
Hasb shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting Customer Personal Data. The notification will include, where available, the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed.
9. Return or deletion
Upon termination of the Service, the Customer may export Customer Personal Data through the export window (30 days). After the export window, all Customer Personal Data is irreversibly deleted from production within 90 days, and from backups within their normal retention cycle (up to 35 additional days), except where retention is required by law.
10. Liability & limitation
Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits a data subject's statutory right to compensation against the controller or the processor where the relevant law allows direct claims.
Annex I — Categories of data subjects, data, sensitivity, retention
As described in clause 2.
Annex II — Technical and organisational measures
See /security for the full and current list. Summary:
- Tenant isolation via Postgres Row-Level Security keyed to the authenticated workspace.
- TLS 1.2+ in transit; at-rest encryption on storage volumes.
- Per-request workspace scoping; least-privilege database roles (no app process runs as superuser).
- Append-only audit log with SHA-256 hash chain.
- Magic-link auth + TOTP + step-up confirmation for sensitive actions.
- Rate-limiting, IP allow-listing on admin paths, Cloudflare WAF.
- Encrypted backups with restricted access and verified restore drills.
- Mandatory two-factor authentication on Hasb staff accounts.
- Vendor security review before any new sub-processor.
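The first three Annex II items (Row-Level Security keyed to the workspace, per-request scoping, and non-superuser database roles) are easier to assess against a concrete schema. What follows is an added illustrative example, not Hasb's actual schema, role or policy; the table, role and setting names (`invoices`, `hasb_app`, `app.workspace_id`) and the UUID values are assumed for illustration only.

```sql
-- Illustrative Postgres RLS tenant isolation (added example; all names assumed,
-- not Hasb's schema). One workspace = one tenant; the application sets the
-- workspace once per request, inside the transaction.

-- 1. Least-privilege application role: not a superuser and unable to bypass RLS.
--    The connecting role must be a member of hasb_app to SET ROLE to it below.
CREATE ROLE hasb_app NOSUPERUSER NOBYPASSRLS NOCREATEDB NOCREATEROLE;

CREATE TABLE invoices (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid   NOT NULL,
    customer_name text   NOT NULL,
    amount_cents  bigint NOT NULL
);

GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO hasb_app;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO hasb_app;

-- 2. Enable RLS and FORCE it so the table owner is also subject to the policy.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- 3. A single policy keyed to a per-request setting. NULLIF(..., '') handles the
--    case where the setting exists in the session but is empty; a NULL comparison
--    yields no rows, so an unscoped request reads and writes nothing (fail closed).
CREATE POLICY workspace_isolation ON invoices
    FOR ALL TO hasb_app
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- 4. Per-request scoping. SET LOCAL reverts at COMMIT/ROLLBACK, so a pooled
--    connection cannot carry the previous tenant's workspace into the next request.
BEGIN;
SET LOCAL ROLE hasb_app;
SET LOCAL app.workspace_id = '11111111-1111-4111-8111-111111111111';  -- assumed workspace A
INSERT INTO invoices (workspace_id, customer_name, amount_cents)
VALUES ('11111111-1111-4111-8111-111111111111', 'Example Trading LLC', 125000);
-- Returns only workspace A's rows even though the query has no WHERE clause.
SELECT id, customer_name, amount_cents FROM invoices;
COMMIT;

-- 5. Negative check: writing a row that belongs to another workspace is rejected
--    by WITH CHECK with "new row violates row-level security policy".
BEGIN;
SET LOCAL ROLE hasb_app;
SET LOCAL app.workspace_id = '11111111-1111-4111-8111-111111111111';
INSERT INTO invoices (workspace_id, customer_name, amount_cents)
VALUES ('22222222-2222-4222-8222-222222222222', 'Other Tenant', 1);  -- assumed workspace B; fails
ROLLBACK;

-- 6. Negative check: a request that never set the workspace sees no rows at all.
BEGIN;
SET LOCAL ROLE hasb_app;
SELECT count(*) FROM invoices;  -- 0
ROLLBACK;
```

Two points worth verifying in any review of a control like this: that no application role carries `BYPASSRLS` or superuser (`SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls` should list only administrative roles), and that the workspace setting is applied with `SET LOCAL` inside the transaction rather than `SET` on a pooled session, since a session-level value survives the request that set it.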
Annex III — Sub-processors
See /subprocessors.
© 2026 Hasb. Effective 13 May 2026.