This Data Processing Addendum ("Addendum") forms part of the Joiin Terms of Use (the "Agreement") between you, the Customer ("Customer"), and Joiin Ltd ("Joiin," "we," "us," or "our").

This Addendum applies to all personal data processing activities carried out by Joiin in connection with the services we provide, including but not limited to the use of Joiin’s core financial reporting and consolidation software and integrations facilitated through Joiin Connect.

By using Joiin's services, you agree to the terms of this Addendum. Joiin processes personal data as necessary to deliver the agreed-upon services, and in compliance with applicable data protection laws.


1. Definitions

1.1 In this Addendum:

  • Controller, Processor, Data Subject, Personal Data, Processing (and Process), and Special Categories of Personal Data have the meanings given in applicable data protection law.

  • Applicable Data Protection Law refers to:

    • The EU General Data Protection Regulation (Regulation 2016/679) (GDPR);

    • The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018;

    • The California Consumer Privacy Act (CCPA), where applicable; and

    • Any laws implementing or supplementing the above, as applicable.

  • Customer has the meaning of "you" as defined in the Agreement.

  • Subprocessor refers to any third-party processor engaged by Joiin for processing personal data. 


2. Scope and Roles

2.1 Joiin acts as a data processor, and the Customer acts as a data controller. Joiin processes personal data only on documented instructions from the Customer, as described in this Addendum, the Agreement, or otherwise agreed in writing (the "Permitted Purpose").

2.2 The Customer shall ensure compliance with all obligations as a controller under Applicable Data Protection Law.


3. Data Processing Details

Details of Joiin’s data processing activities are outlined in Annex A. These include:

  • The nature, purpose, and types of personal data processed;

  • Categories of data subjects; and

  • Retention periods.


4. Prohibited Data

4.1 The Customer must not provide Joiin with special categories of personal data or other sensitive data (e.g., health, biometric, or financial account details) unless explicitly agreed in writing.


5. Data Transfers

5.1 Joiin will not transfer personal data outside of the European Economic Area (EEA) or the UK unless compliant with Applicable Data Protection Law. Measures may include:

  • Transfers to countries deemed "adequate" by the European Commission or UK Secretary of State; or

  • Execution of Standard Contractual Clauses (SCCs).

5.2 Joiin is authorised to enter SCCs as the Customer’s agent with any non-Adequate Country recipients where necessary.

5.3 Anonymised, Hashed or Pseudonymised Data
Joiin may upload anonymised, hashed, or pseudonymised data to third-party platforms (e.g., Google) for purposes such as analytics, service improvement, or targeted advertising.

  • Anonymised Data: This data has been processed to remove any personal identifiers, ensuring that individuals cannot be identified directly or indirectly. Such data is not considered personal data under Applicable Data Protection Law.

  • Hashed Data: This data is transformed into an irreversible, fixed-length string using cryptographic hashing techniques (e.g. SHA-256). Hashing ensures that data cannot be directly linked back to the Customer without the original data and a matching process. If used alongside other data to allow re-identification, hashed data may still be considered pseudonymised under Applicable Data Protection Law. Joiin ensures that hashed data is used securely and only for legitimate purposes.

  • Pseudonymised Data: This data is processed to partially remove identifiers but may still be re-identified with additional information. Where pseudonymised data is used, Joiin will ensure that such processing is compliant with Applicable Data Protection Law, including appropriate safeguards for transfers outside the EEA or UK (e.g., SCCs or adequacy decisions).


6. Subprocessors

6.1 Joiin may engage Subprocessors for processing personal data, subject to the following conditions:

  • A current list of Subprocessors will be maintained and made available on request to [email protected].

  • Joiin imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law.

  • Joiin remains liable for any breach of this Addendum that is caused by an act, error or omission of its subprocessor.

  • For certain data processing activities, Joiin engages Reditus B.V. ("Reditus") to manage Joiin’s affiliate program. Reditus processes limited personal data necessary to calculate affiliate commissions, in accordance with its privacy policy and data protection obligations.

  • Where Joiin engages sub-processors to provide Joiin Connect functionality, such sub-processors are subject to the terms outlined in this Addendum.

6.2 The Customer may object to Joiin’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Joiin will either not appoint or replace the subprocessor or, if Joiin determines at its sole discretion that this is not reasonably possible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination).

7. Joiin Connect

7.1 When utilising Joiin Connect, the Customer acknowledges and agrees that:

  • Joiin processes data transmitted through the integration solely as necessary to provide the Joiin Connect functionality.

  • Joiin shall not be held responsible for data handling practices of third-party platforms connected via Joiin Connect.

  • Customers are responsible for obtaining all necessary consents and permissions required for data sharing through Joiin Connect, ensuring compliance with applicable data protection regulations.


8. Joiin Intelligence

8.1 AI Processing: Joiin Intelligence (Joiin’s AI services) leverages Amazon Web Services (AWS) Bedrock, a secure and compliant platform, to provide AI-powered functionalities as part of its services. The processing of personal data through AWS Bedrock is conducted in compliance with Applicable Data Protection Law.

8.2 AWS Bedrock Security and Compliance: AWS Bedrock adheres to stringent security and compliance standards, including encryption, data isolation, and audit controls. For more details on AWS Bedrock’s security and compliance measures, please refer to AWS Bedrock Security and Compliance.

8.3 Transparency and Safeguards: Personal data processed using AI services will remain subject to the terms outlined in this Addendum, including provisions for data transfers, security, and retention. Joiin ensures that appropriate safeguards are in place for all AI-related processing activities.

8.4 Data Minimisation: Where feasible, Joiin will apply techniques such as anonymisation or pseudonymisation before processing personal data with AI services, ensuring compliance with Applicable Data Protection Law and minimising risks to data subjects.


9. Security

9.1 Joiin will implement appropriate technical and organisational measures, as detailed in Annex A, to safeguard personal data from:

  • Accidental or unlawful destruction;

  • Loss, alteration, unauthorised disclosure, or access ("Security Incidents").

9.2 Security measures will include protections for data consolidated from third-party integrations, such as Xero, Sage, and QuickBooks.


10. Cooperation and Rights of Data Subjects

10.1 Joiin will assist the Customer (at the Customer’s expense) in responding to:

  • Data subject requests (e.g., access, deletion, anonymisation); and

  • Complaints or inquiries from regulators.

10.2 If Joiin receives a direct request from a data subject, it will promptly notify the Customer.


11. Data Protection Impact Assessments

11.1 If Joiin identifies that processing poses a high risk to data subjects’ rights, Joiin will notify the Customer and assist with any required Data Protection Impact Assessment (DPIA).


12. Security Incidents

12.1 Joiin will notify the Customer of any confirmed Security Incident without undue delay, providing:

  • A description of the incident;

  • Its impact; and

  • Mitigation steps taken.

12.2 Joiin will cooperate to resolve the issue and assist the Customer in meeting legal reporting obligations.    


13. Retention and Deletion

13.1 Upon account cancellation or trial expiry:

  • Trial accounts: Data will be retained for 12 months after inactivity.

  • Paid accounts: Data will be retained for 12 months after cancellation unless otherwise requested.

13.2 Minimal payment records will be retained for 7 years for compliance with legal and tax obligations.

13.3 After the retention period, Joiin will delete or anonymise data unless prohibited by applicable law.


14. Email Communications

14.1 Joiin processes personal data for email communications and notifications as described in Joiin’s Privacy Policy.


14.2 Customers may opt out of marketing and product emails at any time.


Annex A – Data Processing Schedule

  1. Subject Matter and Duration

    • Subject Matter: Personal data provided by the Customer to enable the functionality of Joiin’s Software, including integrations facilitated through Joiin Connect.

    • Duration: Data will be processed for the term of the Agreement and as specified in Clause 12 (Retention and Deletion).

  2. Nature and Purpose

    • Nature: Collection, storage, and processing of personal data to provide reporting, consolidation, AI-enhanced functionalities, and integration services through Joiin Connect.

    • Purpose: To support the functionality of Joiin’s Software and Joiin Connect integrations as per the Agreement.

  3. Types of Personal Data

    • Names

    • Email addresses

    • Contact details

    • Data submitted by the Customer for reporting, AI-powered insights, and integration through Joiin Connect

    • Integration-specific data such as API keys, data mapping configurations, or integration logs

  4. Categories of Data Subjects

    • Customer employees or representatives

    • Suppliers/service providers of the Customer

    • Customers/clients of the Customer

  5. Technical and Organisational Measures

    Joiin will:

    • Use encryption for data in transit and at rest

    • Restrict access to authorised personnel

    • Conduct regular security audits

    • Maintain a disaster recovery and backup plan

    • Ensure compliance with AWS Bedrock’s security standards (AWS Bedrock Security and Compliance)

    • Implement specific security measures for Joiin Connect integrations, such as secure API management, transmission encryption, and monitoring of integration logs for anomalies