Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between ExactSum ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of the UK Statement Converter service ("Service").

This DPA sets out the terms under which we process personal data on your behalf when you use our Service to convert bank statements.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person as defined in UK GDPR.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
• "Data Subject" means the individual to whom the Personal Data relates.
• "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
• "UK GDPR" means the UK General Data Protection Regulation as incorporated into UK law.

3. Scope and Purpose of Processing

3.1 Data Processed

When you upload bank statements to our Service, we may process the following categories of Personal Data:

• Account holder names
• Bank account numbers and sort codes
• Transaction details (dates, descriptions, amounts)
• Account balances
• Merchant and payee names

3.2 Purpose of Processing

We process this data solely for the purpose of:

• Converting PDF bank statements to Excel and CSV formats
• Extracting and structuring transaction data
• Providing the converted files for download

4. Data Location and Security

4.1 Data Centre Location

Our servers are located in UK data centres with the following certifications:

• ISO 27001 (Information Security Management)
• ISO 27017 (Cloud Security)
• ISO 27018 (Protection of Personal Data in Cloud)
• Cyber Essentials Plus

4.2 Security Measures

We implement appropriate technical and organisational measures to ensure security of processing, including:

• Encryption in transit: TLS 1.3 (256-bit encryption) for all data transfers
• Encryption at rest: AES-256 encryption for stored files
• Access controls: Role-based access with multi-factor authentication
• Audit logging: Comprehensive logging of all data access
• Regular security assessments: Penetration testing and vulnerability scanning
• Staff training: Regular data protection training for all personnel

5. Data Retention

We adhere to strict data retention policies to minimise data exposure:

• Uploaded bank statements: Automatically deleted within 24 hours
• Converted files: Automatically deleted within 24 hours
• Processing logs: Retained for 30 days for troubleshooting, then deleted
• No long-term storage: We do not retain copies of your financial documents

6. Sub-processors

We use the following sub-processors to provide our Service:

Sub-processor	Purpose	Location
Hetzner Online GmbH	Cloud hosting infrastructure	UK/Germany (EU)
Stripe Inc.	Payment processing	UK/EU (adequacy decision)
Cloudflare Inc.	CDN and security services	UK/EU endpoints

We will notify you of any changes to our sub-processors via email or through our Service.

7. Controller Obligations

As the Controller, you confirm that:

• You have the legal authority to upload the bank statements to our Service
• You have obtained any necessary consents from Data Subjects
• You will use the Service in compliance with applicable data protection laws
• You will not upload documents containing data you are not authorised to process

8. Processor Obligations

As the Processor, we undertake to:

• Process Personal Data only on your documented instructions
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate security measures
• Assist you in responding to Data Subject requests
• Notify you without undue delay of any Personal Data breach
• Delete all Personal Data upon termination of the Service
• Make available information necessary to demonstrate compliance

9. Data Subject Rights

We will assist you in fulfilling Data Subject rights requests, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object

Given our 24-hour deletion policy, most data subject requests will be automatically fulfilled through our standard data retention practices.

10. Data Breach Notification

In the event of a Personal Data breach, we will:

• Notify you without undue delay (and within 48 hours where feasible)
• Provide details of the breach, including categories and approximate number of Data Subjects affected
• Describe likely consequences and measures taken to address the breach
• Cooperate with your breach notification obligations to the ICO

11. Audit Rights

Upon reasonable notice, we will make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or an appointed auditor, subject to:

• Reasonable advance notice (minimum 30 days)
• Confidentiality obligations on the auditor
• Audits being conducted during normal business hours
• You bearing the costs of any audit

12. International Transfers

We do not transfer Personal Data outside the United Kingdom or European Economic Area. All processing occurs on UK-based infrastructure.

In the event this changes, we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses or binding corporate rules.

13. ICO Registration

ExactSum is registered with the Information Commissioner's Office (ICO) as a data controller and processor. Our registration demonstrates our commitment to data protection compliance and accountability.

You can verify our registration on the ICO public register.

14. Term and Termination

This DPA remains in effect for the duration of your use of the Service. Upon termination:

• All Personal Data will be deleted in accordance with our retention policy
• You may request confirmation of deletion
• Certain provisions survive termination (confidentiality, liability limitations)

15. Liability

Liability under this DPA is subject to the limitations set out in our Terms of Service.

16. Amendments

We may update this DPA to reflect changes in law or our practices. Material changes will be notified via email to registered users. Your continued use of the Service constitutes acceptance of the updated DPA.