Data Processing Addendum
Last updated: 2026-06-03
1. Scope
This DPA applies when KEOBOOKS (Processor) processes personal data on behalf of you, the customer (Controller), in connection with the service.
2. Roles
Controller: the customer entity that opens the engagement. Processor: Brickstone & Associates, LLC operating KEOBOOKS, with technical operations performed by Korastratum as a sub-processor.
3. Categories of data processed
Account identifiers (name, email), business identifiers (EIN, SSN/ITIN, state), and the financial records you submit (bank/card statements, receipts, invoices, 1099s, W-2s). The full list is maintained in the Privacy Policy.
4. Sub-processors
We engage: Google Cloud Platform (hosting), Anthropic (AI inference), Stripe (billing), and a transactional email vendor (Brevo or equivalent). We will notify Controller of any change to this list with at least 30 days' notice.
5. Security measures
Encryption at rest and in transit, database-level tenant isolation (Postgres Row-Level Security as the non-owner role), signed-URL document storage, append-only audit trail, mandatory authenticator-app 2FA option, gitleaks/CodeQL scanning. See the Security page for sourced specifics.
6. International transfers
Personal data is stored in the United States. If the Controller is outside the US, the parties incorporate the Standard Contractual Clauses (current EU version) by reference and supplement with the UK Addendum where applicable.
7. Data-subject requests
Controller is responsible for responding to data-subject requests; KEOBOOKS will provide reasonable assistance. Direct technical requests to privacy@keobooks.com.
8. Breach notification
We notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach affecting Controller's data, with the information available at that time and follow-up updates as we learn more.
9. Term, deletion, audit
On termination, Controller may export data; after the legally required retention window, residual personal data is deleted or de-identified. Controller may request a reasonable audit consistent with confidentiality and security practices, including the right to rely on Korastratum's certifications when published.