
This Outsourcing Agreement (“Agreement”) is entered into by you, the User (“User”, “You” or “PIC”), and Lista Bookkeeping App, Inc. (“Lista” or “PIP”) (collectively, “Parties”).

This Agreement constitutes a binding and enforceable legal contract between You and Lista. You represent and warrant that you (a) have full legal capacity and authority to agree and bind yourself to these Terms, and (b) are 18 (eighteen) years of age or older. If you represent an entity, organization, or any other legal person, you confirm and represent that you have the necessary power and authority to bind such entity, organization, or legal person to this Agreement.

The Parties acknowledge that the Customers have express rights under the Republic Act No. 10173 or the Data Privacy Act of 2012 (“DPA”) and its Implementing Rules and Regulations (“IRR”), that provide for protection and confidentiality of their Personal Data;

The Parties hereby agree to bind themselves, as follows:

1. Definitions

The following terms shall have the respective meaning whenever they are used in this Agreement:

A. Commission – refers to the National Privacy Commission or NPC;

B. Consent – refers to any freely given, specific, informed indication of will obtained by the User from its Customers, who agrees to the collection and processing of his or her personal, sensitive personal information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a Customer by a lawful representative or an agent specifically authorized by the Customer to do so;

C. Data Processing – refers to any operation or any set of operations performed by Lista, within the Philippines, on any personal data including, but not limited to, collecting, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;

E. Data Protection Officer (“DPO”) – refers to an individual designated by a Party to be accountable for compliance with the DPA, its IRR, and other issuance of the Commission;

F. Customers – refers to data subjects whose personal and sensitive personal information are collected and processed by the User as its customers;

G. Personal Data – refers to either the personal and/or sensitive personal information of the Customers, such as, but not limited to, name, address, contact number, email address, and birthday;

H. Personal Information Controller (“PIC”) – refers to the User who obtains the consent of its Customers, controls the processing of personal data, and instructs another to process Personal Data on its behalf. There is control if the party decides on what information is collected, or the purpose or extent of its processing;

I. Personal Information Processor (“PIP”) – refers to Lista to whom the PIC outsources or instructs the processing of Personal Data pertaining to a Customer;

J. Security Breach – refers to any unauthorized, unlawful or accidental access, processing, disclosure, alteration, loss, damage, or destruction of Personal Data whether by human or natural causes; and


2. Purpose

The User, upon securing the consent of its Customers, will share, provide, or disclose to Lista, Personal Data in its possession and control which pertains to its Customers for the purpose of processing an online digital ledger book/record book and payment links/reminders.

3. Obligations and Responsibilities

A. PIC

i. The PIC, with regard to the Personal Data in their original possession, is responsible for ensuring that it collects Personal Data lawfully and in accordance with the requirements of the DPA and its IRR.

ii. Prior to collection or sharing of Personal Data, a PIC shall be responsible for obtaining the necessary Consent of the Customers over the collection of Personal Data and for apprising the Customers of the nature, purpose, and extent of the processing of his or her Personal Data, including the risks and safeguards involved, the identity of the PIC, his or her rights as a Customer, and how these can be exercised.

iii. The PIC shall be responsible for the accuracy, quality, and legality of Personal Data and the means by which they acquired them.

iv. The PIC hereby represents and warrants that it is compliant with the DPA and its IRR in relation to its collection of Personal Data, and in obtaining the Customers’ Consent for the sharing of Personal Data with the PIP; and that it has in place appropriate security measures that protect Personal Data from Security Breach.

v. The PIC shall be responsible for addressing any information request, or any complaint filed by a Customer and/or any investigation conducted by the Commission. Provided, that the Commission shall make a final determination as to which (PIC or PIP) is liable for any breach or violation of the DPA, its IRR, or any applicable issuance of the Commission.

vi. The PIC shall be responsible for providing a copy of this Agreement if requested by the Customer in writing.

B. PIP

i. The PIP shall not share, divulge, exploit, and modify any Personal Data obtained from the PIC with any other party without the prior written permission/instruction of the PIC, or process Personal Data in any way or for any purpose other than those set out in this Agreement.

ii. The PIP shall segregate the Personal Data from its own and the User’s data.

iii. The PIP shall not sub-contract or engage a third party or a Personal Information Processor to process the Personal Data without the prior knowledge and written agreement of the PIC, and only after the third party has provided all the necessary assurance and guarantees that it has adequate administrative, physical, technical, organizational and procedural security measures to protect the Personal Data.

iv. The PIP shall implement strict security measures that ensure the availability, integrity, and confidentiality of Personal Data.

v. The PIP shall ensure that Personal Data is backed up on a regular basis and that any back up is subject to security measures as necessary to protect the availability, integrity and confidentiality of Personal Data.

vi. The PIP shall take reasonable steps to ensure the reliability of any of its officers, employees, agents or representatives who have access to Personal Data, which shall include ensuring that they all understand the confidential nature of the Personal Data; and have received appropriate training in data protection prior to their access or Processing of Personal Data, and have signed a written undertaking that they understand and will act in accordance with their responsibilities for confidentiality under this Agreement.

4. Categories of Personal Data

The categories of Personal Data to be shared by User are as follows:

[Image: Screenshot 2023-05-19 at 2.59.25 PM.png]


5. Customers Access Rights

The PIC has an obligation to respond to these requests or complaints; however, requests made to the PIP should be honored by the PIP. An inquiry or request for Personal Data can be made by submitting a written request to the following DPO (or its equivalent), who shall be the first port of call for any questions about this Agreement:

[Image: Screenshot 2023-05-19 at 3.17.25 PM.png]

Each Party shall rectify the complaint by any Customer within thirty (30) days from receipt of any complaint. The Customer shall be given a response in writing describing how the complaint was rectified and how the situation complained of will be avoided moving forward.


6. Breach Management and Notification

Each Party shall implement policies and procedures for guidance of its personnel in the event of a Security Breach, including but not limited to:


a. A procedure for the timely discovery of Security Breach, including the identification of person or persons responsible for regular monitoring and evaluation of Security

b. A policy for documentation, regular review, evaluation and updating of the privacy and security policy and practices;

c. Clear reporting lines in the event of a possible Security Breach, including the identification of the person responsible for setting in motion the Security Breach response procedure, and who shall be immediately contacted in the event of a possible or confirmed Security Breach;

d. Conduct of a preliminary assessment for the purpose of:

i. Assessing the nature and scope of the Security Breach and the immediate damage;

ii. Determining the need for notification of law enforcement or external expertise; and

iii. Implementing immediate measures necessary to secure any evidence, contain the Security Breach and restore integrity to the Personal Data;

e. Evaluation of the Security Breach as to its nature, extent and cause, the adequacy of safeguards in place, immediate and long-term damage, impact of the breach, and its potential harm and negative consequences to Personal Data and affected Customers;

f. Procedures for contacting law enforcement in case the Security Breach involves possible commission of criminal acts;

g. Conduct of investigations that will evaluate fully the Security Breach;

h. Procedures for immediately notifying the PIC when the Security Breach is subject to notification requirement; and

i. Measures and procedures for mitigating the possible harm and negative consequence to the PIC and the affected Customers in the event of a Security Breach. Each Party must be ready to provide assistance to the Customers whose Personal Data may have been affected.

The Parties shall have the manpower, system, facilities and equipment in place to properly monitor access to Personal Data, and to monitor and identify a Security Breach.


If a party becomes aware of any Security Breach on its personnel, premises, facilities, system, or equipment, it shall: (a) notify the other Party of the Security Breach; (b) investigate the Security Breach and provide the other Party with information about the Security Breach; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.

The Parties shall cooperate with each other on incident investigation requirements for any Security Breach of Personal Data.


Each Party shall send written notification, or notification via e-mail to its DPO counterpart, of any Security Breach to the other Party within twenty-four (24) hours from knowledge or discovery thereof.

Upon receipt, confirmation and knowledge of the Security Breach, the DPO shall notify the Commission and the affected Customer within seventy-two (72) hours. The Party who was notified of a Security Breach may require the other Party to provide further details and actions taken on the Security Breach.


7. Duration of this Agreement

Unless extended by mutual written consent of both Parties hereto, this Agreement shall expire either one (1) year from the date hereof or upon the termination of the Agreement, whichever occurs last.

This Agreement may be renewed by mutual written consent at the option of either party before its expiration as provided above.


8. Retention, Return and/or Destruction of Personal Data

Personal Data should only be processed for as long as is necessary. Processing of Personal Data should be limited accordingly and for a period no longer than the term of this Agreement. Specific justification for processing of Personal Data beyond said period is required.

The PIP may request a written permission to keep Personal Data for specified purposes in anticipation of further use. This written permission must be renewed annually and each time a new project or use is undertaken. At the end of the specified time period, the Personal Data must be deleted unless otherwise agreed by the Parties in writing.

In view of the foregoing, if Personal Data has been held for longer than one (1) year, an updated version must be obtained as soon as practicable.

Upon expiration or termination of this Agreement, whichever comes first, the PIP shall perform the following within thirty (30) days from date of said expiration or termination:

a. Return all Personal Data of Customers in any recorded form including any other property, information, and documents provided by the PIC;

b. Destroy all copies it made of Personal Data and any other property, information and documents if requested by the PIC. For printouts or other tangible formats, the document will be shredded. For data in electronic form, the document must be deleted, wiped, overwritten or otherwise made irretrievable; and

c. Deliver to the PIC a certificate confirming PIP’s compliance with the return or destruction obligation under this section, if requested by the PIC.


9. Entire Agreement

This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof. It excludes and supersedes everything else which has occurred between the Parties whether written or oral, including all other communications with respect to the subject matter hereof.


10. Amendment

This Agreement may not be amended or modified except in writing and consented to by both Parties.


11. Separability Clause

If any provision of this Agreement is illegal or unenforceable, its invalidity shall not affect the other provisions of this Agreement that can be given effect without the invalid provision.

If any provision of this Agreement does not comply with any law, ordinance or regulation, such provision to the extent possible shall be interpreted in such a manner to comply with such law, ordinance or regulation, or if such interpretation is not possible, it shall be deemed to satisfy the minimum requirements thereof.


12. Assignment

Neither Party shall assign or delegate its rights or obligations under this Agreement, in whole or in part, to any third party by operation of law or otherwise, without the prior written consent of the other. Any attempted assignment or delegation that does not comply with this section shall be null and void and of no effect.


13. Non-Waiver of Rights

The failure of a Party to insist upon a strict performance of any of the terms, conditions and covenants hereof, shall not be deemed a relinquishment or waiver of any right/remedy that said Party may have, nor shall it be construed as a waiver of any subsequent breach of the same or other terms, conditions and covenants.

Any waiver, extension or forbearance of any of the terms, conditions and covenants of this Agreement by any Party hereto shall be in writing and limited to the particular instance only and shall not in any manner be construed as a waiver, extension or forbearance of any of the terms, conditions and/or covenants of this Agreement.


14. Governing Law and Venue

This Agreement shall be governed by and construed in accordance with the laws of the Philippines, without regard to any conflicts of law rules. Exclusive jurisdiction over and venue of any suit arising out of or relating to this Agreement shall be in the courts of Makati City, Philippines. The Parties hereby consent and submit to the exclusive jurisdiction and venue of those courts.

The Parties have hereunto affixed their signatures on the date and at the place first above-written.

[Image: Screenshot 2023-05-19 at 3.35.57 PM.png]