Data Processing Agreement

Last updated: 2026-04-05

This Data Processing Agreement ("DPA") supplements the Terms of Service between the Customer and Balence. It governs the processing of personal data that Balence performs on behalf of the Customer pursuant to Article 28 of the GDPR.

Parties

  • Data Controller ("Customer"): The accounting firm or business using Balence
  • Data Processor ("Balence"): Balence AI Sweden AB, org.nr 559561-9163, Mgb 433q Billo, 106 46 Stockholm

Effective upon acceptance of Balence's Terms of Service.

1. Scope and Purpose

Balence processes personal data solely to provide the service, including:

  • Receiving, storing, and processing invoices and financial documents
  • Extracting structured data from documents using AI
  • Synchronizing data with the Customer's accounting system (Fortnox)
  • Sending email notifications and document requests
  • Providing the client portal for document exchange

Categories of Data Subjects

  • Customer's employees and team members
  • Customer's clients and their employees
  • Suppliers and vendors appearing on invoices

Types of Personal Data

  • Names, email addresses, phone numbers
  • Organisation numbers
  • Invoice data (amounts, dates, references, supplier details)
  • Financial documents (invoices, receipts, credit notes)
  • Communication content (messages in client portal threads)

2. Obligations of Balence

Balence shall:

  1. Process personal data only on documented instructions from the Customer, unless required by EU or member state law.
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality.
  3. Implement appropriate technical and organizational measures including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, and data isolation between workspaces.
  4. Not engage another sub-processor without prior authorization. Current sub-processors are listed below and are hereby authorized.
  5. Assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection).
  6. Assist the Customer in ensuring compliance with Articles 32-36 of GDPR.
  7. At the Customer's choice, delete or return all personal data after the end of the service.
  8. Make available all information necessary to demonstrate compliance with this DPA.

3. Sub-processors

Balence will notify the Customer at least 30 days before adding or replacing a sub-processor. If the Customer objects on reasonable grounds, the parties will work to find a resolution. If none is reached, the Customer may terminate the affected service.

Sub-processor | Purpose | Data Processed | Location
Amazon Web Services (AWS) | File storage, email, AI processing | Documents, email content, extracted data | EU
Railway | Application hosting, database | All application data | EU
Clerk, Inc. | User authentication | Name, email, session data | US (EU-US DPF certified)
Vercel | Frontend hosting | No personal data | Edge CDN
Fortnox AB | Accounting system integration | Invoice and bookkeeping data | Sweden

4. International Data Transfers

All financial data and documents are processed within the EU.

Authentication services are provided by Clerk, Inc. (US), certified under the EU-US Data Privacy Framework. Only user identity data (name, email) is processed — no financial data.

5. Data Breach Notification

Balence shall notify the Customer without undue delay, and within 48 hours, after becoming aware of a personal data breach, including:

  1. The nature of the breach and approximate number of affected data subjects
  2. Contact details for Balence's point of contact
  3. Likely consequences of the breach
  4. Measures taken or proposed to address the breach

6. Audits

The Customer has the right to conduct audits to verify compliance with this DPA. Balence shall cooperate and provide reasonable assistance, subject to reasonable notice and during normal business hours.

7. Duration and Termination

This DPA remains in effect for the duration of the Customer's use of Balence. Upon termination:

  • Balence will delete all Customer personal data within 90 days, unless retention is required by law.
  • The Customer may request a data export before termination.

8. Governing Law

This DPA is governed by Swedish law. Disputes shall be resolved by Swedish courts.

9. Contact

Balence AI Sweden AB
Email: philip@trybalence.com
Website: trybalence.com