Data Processing Agreement (DPA)

Effective Date: January 2025 • Version 1.0

This Data Processing Agreement governs the processing of personal data by StatementConverter on behalf of enterprise customers under GDPR Article 28.

1. Definitions and Interpretation

Controller: The entity that determines the purposes and means of processing personal data (your organization).

Processor: StatementConverter, which processes personal data on behalf of the Controller.

Personal Data: Any information contained in bank statements that relates to an identified or identifiable natural person.

Processing: The conversion, extraction, and transformation of bank statement data as specified in our service agreement.

2. Nature and Purpose of Processing

Processing Activities

  • Document Processing: Extracting transaction data from bank statements
  • Data Conversion: Converting extracted data to CSV, Excel, or JSON formats
  • Temporary Storage: Brief in-memory processing (max 24 hours)
  • AI Enhancement: Optional third-party AI processing (with explicit consent)

Categories of Personal Data

  • Account holder names and addresses
  • Account numbers and sort codes
  • Transaction amounts and descriptions
  • Transaction dates and reference numbers
  • Balance information
  • Merchant names and transaction categories

3. Data Subject Categories

The personal data processed may relate to the following categories of data subjects:

  • Account Holders: Individual bank account owners
  • Joint Account Holders: Multiple individuals on shared accounts
  • Business Representatives: Individuals associated with business accounts
  • Third Parties: Individuals mentioned in transaction descriptions

4. Processor Obligations

Security Measures (Article 32)

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for any temporary data storage
  • Multi-factor authentication for admin access
  • Regular security audits and penetration testing
  • ISO 27001 and SOC 2 Type II compliance frameworks
  • Immediate deletion of processed documents

Staff Training and Access

  • Regular GDPR and data protection training for all staff
  • Strict access controls and need-to-know basis
  • Confidentiality agreements with all personnel
  • Background checks for staff with data access

Breach Notification (Articles 33-34)

  • Immediate detection and containment procedures
  • Notification to Controller within 24 hours of discovery
  • Detailed breach reports including impact assessment
  • Assistance with regulatory notifications if required

5. Sub-Processing and Third Parties

Sub-Processor Authorization

The Controller provides general authorization for the use of sub-processors listed below. We will provide 30 days' notice of any changes to this list.

Infrastructure Providers

  • Vercel: Application hosting and deployment
  • Railway/DigitalOcean: Backend processing infrastructure
  • AWS/Google Cloud: File storage and processing

Optional AI Services (User-Controlled)

  • OpenAI: Enhanced document processing (user's API key)
  • Anthropic: Advanced text extraction (user's API key)

* AI processing only occurs when explicitly enabled by the Controller using their own API credentials.

6. International Transfers

Transfer Locations

  • Primary Processing: European Union (Germany, Ireland)
  • Backup Systems: United States (adequacy decision regions)
  • AI Processing: United States (only with user consent and API keys)

Safeguards

  • Standard Contractual Clauses (SCCs) with all non-EU processors
  • Additional technical and organizational measures
  • Regular adequacy assessments
  • Encryption in transit and at rest

7. Data Subject Rights Support

StatementConverter will assist the Controller in fulfilling data subject rights requests:

Access Requests

Provide processing records and any retained metadata within 7 business days

Rectification

Assist with correcting any inaccurate processing records

Erasure

Immediate and verified deletion of all personal data upon request

Data Portability

Export personal data in structured, machine-readable format (JSON)

8. Auditing and Compliance

Regular Audits

  • Annual SOC 2 Type II audits
  • Quarterly internal compliance reviews
  • Continuous security monitoring
  • Regular penetration testing

Controller Audit Rights

  • Annual right to audit processing activities
  • Access to compliance certifications and reports
  • 30-day notice period for on-site audits
  • Reasonable costs may apply for extensive audits

9. Term and Termination

Data Return and Deletion

Upon termination of the service agreement, StatementConverter will:

  • Return or delete all personal data within 30 days
  • Provide certification of deletion
  • Delete all backups and copies
  • Notify all sub-processors of termination requirements

10. Liability and Indemnification

Processor Liability

StatementConverter is liable for damage caused by processing that violates GDPR or fails to comply with lawful Controller instructions.

Limitation of Liability

Total liability is limited to the greater of €100,000 or 12 months of service fees. This does not limit liability for data breaches or regulatory fines.

11. Contact Information

DPA-Related Contacts

  • DPA Questions: statementconverterxyz@gmail.com
  • Data Protection Officer: statementconverterxyz@gmail.com
  • Security Incidents: statementconverterxyz@gmail.com
  • Compliance Team: statementconverterxyz@gmail.com

Agreement Execution

This DPA is automatically incorporated into your Enterprise Service Agreement. For questions about execution or amendments:

  • Legal Team: statementconverterxyz@gmail.com
  • Enterprise Sales: statementconverterxyz@gmail.com

Document Status

Document Version: 1.0

Effective Date: January 15, 2025

Next Review: January 2026

Approved By: Legal & Compliance Team