Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between ExactSum, a product of Productimiser US LLC ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of the US Statement Converter service ("Service").

This DPA sets out the terms under which we process personal data on your behalf when you use our Service to convert bank statements.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
• "Data Subject" means the individual to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
• "CCPA" means the California Consumer Privacy Act and its implementing regulations.

3. Scope and Purpose of Processing

3.1 Data Processed

When you upload bank statements to our Service, we may process the following categories of Personal Data:

• Account holder names
• Bank account numbers and routing numbers
• Transaction details (dates, descriptions, amounts)
• Account balances
• Merchant and payee names

3.2 Purpose of Processing

We process this data solely for the purpose of:

• Converting PDF bank statements to Excel and CSV formats
• Extracting and structuring transaction data
• Providing the converted files for download

4. Data Location and Security

4.1 Data Centers Location

Our servers are located in US data centers with the following certifications:

• ISO 27001 (Information Security Management)
• ISO 27017 (Cloud Security)
• ISO 27018 (Protection of Personal Data in Cloud)
• SOC 2 Type II

4.2 Security Measures

We implement appropriate technical and organized measures to ensure security of processing, including:

• Encryption in transit: TLS 1.3 (256-bit encryption) for all data transfers
• Encryption at rest: AES-256 encryption for stored files
• Access controls: Role-based access with multi-factor authentication
• Audit logging: Comprehensive logging of all data access
• Regular security assessments: Penetration testing and vulnerability scanning
• Staff training: Regular data protection training for all personnel

5. Data Retention

We adhere to strict data retention policies to minimize data exposure:

• Uploaded bank statements: Automatically deleted within 24 hours
• Converted files: Automatically deleted within 24 hours
• Processing logs: Retained for 30 days for troubleshooting, then deleted
• No long-term storage: We do not retain copies of your financial documents

6. Sub-processors

We use the following sub-processors to provide our Service:

Sub-processor	Purpose	Location
Hetzner Online GmbH	Cloud hosting infrastructure	US/Germany (EU)
Stripe Inc.	Payment processing	United States
Cloudflare Inc.	CDN and security services	US endpoints

We will notify you of any changes to our sub-processors via email or through our Service.

7. Controller Obligations

As the Controller, you confirm that:

• You have the legal authority to upload the bank statements to our Service
• You have obtained any necessary consents from Data Subjects
• You will use the Service in compliance with applicable data protection laws
• You will not upload documents containing data you are not authorized to process

8. Processor Obligations

As the Processor, we undertake to:

• Process Personal Data only on your documented instructions
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate security measures
• Assist you in responding to Data Subject requests
• Notify you without undue delay of any Personal Data breach
• Delete all Personal Data upon termination of the Service
• Make available information necessary to demonstrate compliance

9. Data Subject Rights

We will assist you in fulfilling Data Subject rights requests, including:

• Right to know
• Right to delete
• Right to correct
• Right to opt-out
• Right to data portability

Given our 24-hour deletion policy, most data subject requests will be automatically fulfilled through our standard data retention practices.

10. Data Breach Notification

In the event of a Personal Data breach, we will:

• Notify you without undue delay (and within 48 hours where feasible)
• Provide details of the breach, including categories and approximate number of Data Subjects affected
• Describe likely consequences and measures taken to address the breach
• Cooperate with your breach notification obligations under applicable state laws

11. Audit Rights

Upon reasonable notice, we will make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or an appointed auditor, subject to:

• Reasonable advance notice (minimum 30 days)
• Confidentiality obligations on the auditor
• Audits being conducted during normal business hours
• You bearing the costs of any audit

12. International Transfers

We process Personal Data within the United States. If international transfers become necessary, we will ensure appropriate safeguards are in place in compliance with applicable law.

13. Regulatory Compliance

Productimiser US LLC (operating as ExactSum) complies with applicable US federal and state data protection regulations, including the California Consumer Privacy Act (CCPA).

14. Term and Termination

This DPA remains in effect for the duration of your use of the Service. Upon termination:

• All Personal Data will be deleted in accordance with our retention policy
• You may request confirmation of deletion
• Certain provisions survive termination (confidentiality, liability limitations)

15. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service.

16. Amendments

We may update this DPA to reflect changes in law or our practices. Material changes will be notified via email to registered users. Your continued use of the Service constitutes acceptance of the updated DPA.