FieldLedger
Draft pending legal review. This page is a working draft. The final version reviewed by counsel will be published before general availability. Contact [email protected] with questions.

Data Processing Agreement

Last updated: April 24, 2026

This Data Processing Agreement (“DPA”) forms part of the FieldLedger Terms of Service between Startvest LLC, an SDVOSB doing business as FieldLedger (“Processor”), and the subscribing entity (“Controller”). It describes how FieldLedger processes personal data on behalf of the Controller.

1. Roles and Scope

The Controller determines the purposes and means of processing Customer Data. FieldLedger processes Customer Data solely on the Controller's documented instructions, as set out in these Terms and the Controller's configuration of the Service. This DPA applies to all personal data processed by FieldLedger under the Agreement.

2. Nature and Purpose of Processing

FieldLedger processes Customer Data to operate the Service: DCAA-adjacent cost accounting, timekeeping, equipment costing, invoicing, and reporting for federal contract compliance. Processing activities include storage, retrieval, computation (rate engines), report generation, and customer-initiated exports.

3. Categories of Data Subjects and Data

  • Data subjects: Controller's employees, contractors, administrators, customers, and vendors whose information Controller chooses to upload.
  • Categories of data: names, contact information, employment records, hours worked, pay rates, project assignments, equipment operators, and invoice recipients.

4. Subprocessors

The Controller authorizes FieldLedger to engage the following subprocessors:

  • Microsoft Corporation (Entra External ID), One Microsoft Way, Redmond, WA — authentication and identity.
  • Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA — payments.
  • Microsoft Corporation (Azure US regions), One Microsoft Way, Redmond, WA — hosting, database, and object storage.
  • Intuit Inc., 2700 Coast Ave, Mountain View, CA — QuickBooks Online integration (used only when Controller authorizes).
  • Samsara Inc., 1 De Haro St, San Francisco, CA — GPS and equipment telematics (used only when Controller authorizes).

FieldLedger remains responsible for subprocessor compliance with obligations equivalent to those in this DPA. We will notify Controllers at least 30 days before adding or replacing a subprocessor. Controller may object in writing; if the objection cannot be resolved, Controller may terminate the affected portion of the Service for a pro-rated refund.

5. Security Measures

FieldLedger maintains the following technical and organizational measures:

  • Encryption. TLS 1.2+ for data in transit; AES-256 for data at rest (Azure SQL Transparent Data Encryption and Azure Blob Storage service-side encryption).
  • Access control. Role-based access (FieldLedger-managed roles), tenant isolation enforced at query layer, Azure Key Vault for secrets with managed identity (no credentials in code).
  • Audit logging. All mutations to Customer Data are logged immutably to an audit table with actor, timestamp, IP address, and before/after state.
  • Backups. Azure SQL point-in-time restore (35 days) and geo-redundant storage for critical artifacts.
  • Personnel. Contractors and employees with access to Customer Data sign confidentiality obligations and complete security awareness training annually.
  • Compliance roadmap. CMMC Level 2 self-attestation targeted for month 6; SOC 2 Type II for month 12; Azure FedRAMP High boundary on the Plus roadmap.

6. Personnel Obligations

Any FieldLedger personnel who access Customer Data are bound by written confidentiality obligations. Access is granted on a least-privilege basis and revoked promptly upon role change or separation.

7. Data Subject Requests

FieldLedger will provide the Controller with tools and reasonable assistance to respond to data subject requests (access, correction, deletion, portability). Controller is responsible for communicating directly with data subjects.

8. Data Breach Notification

FieldLedger will notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Data, with available facts and mitigation status. Notifications are sent to the Controller's designated security contact (configurable in Settings) and to the account admin email on file.

9. Data Location

All Customer Data is stored in US Azure regions. We do not transfer Customer Data outside the United States.

10. Audit Rights

Upon reasonable written request (no more than once per 12 months), and subject to a customary NDA, FieldLedger will provide summaries of relevant third-party audit reports (e.g., SOC 2 Type II once issued) and reasonable information to demonstrate compliance with this DPA.

11. Return or Deletion at Termination

Upon termination, Controller may export Customer Data in machine-readable format for 30 days. After that period, FieldLedger will delete operational copies within 30 days and purge backups within 90 days, except for audit logs required to be retained for 7 years per FAR 52.215-2 and DCAA retention standards.

12. Liability

Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service.

13. Contact

DPA questions and security incidents: [email protected].