Data Processing Agreement

Click-Through Data Processing Agreement for GDPR and data protection compliance.

Processor: FACTIONER SRL (trading as “StmtScan”), Gabor Aron street nr 26, Târgu Mureș, Romania (“Processor”).

Controller: The customer entity or person that creates an account or uses the Service (“Controller”).

Service: StmtScan – SaaS that extracts and analyzes data from bank statements, available at https://stmtscan.com (the “Service”).

Effective: Automatically upon Controller’s account creation or first use of the Service, and incorporated by reference into the Terms of Service.

1. Subject Matter, Duration, and Roles

1.1 Subject matter. Processor processes Personal Data on behalf of Controller to provide the Service and related support.

1.2 Duration. This DPA applies for the term of the Agreement (Terms of Service and any order) and until deletion/return under §10.

1.3 Roles. Controller is “controller”; Processor is “processor” under GDPR (and similar laws).

2. Controller Instructions

Processor will process Personal Data only on documented instructions from Controller: the Agreement, this DPA, and Controller’s configuration/usage. Processor will inform Controller if an instruction appears unlawful.

3. Confidentiality

Processor ensures persons authorized to process Personal Data are subject to confidentiality obligations.

4. Security (TOMs)

Processor implements appropriate technical and organizational measures described in Annex II (e.g., AES-256 at rest, TLS in transit, access control, logging, backups, incident response). Processor may update TOMs without reducing overall protection.

5. Subprocessors (General Authorization; No Public List)

Controller grants Processor a general written authorization to engage subprocessors to process Personal Data for the Service.

5.1 Notice by Email Only. Processor will notify Controller’s admin contact at least 30 days in advance of any intended addition or replacement of a subprocessor (except for urgent replacements required for security, continuity, or legal reasons; in such cases Processor will notify as soon as practicable).

5.2 On-Request Disclosure. Upon written request, Processor will provide an up-to-date confidential list of subprocessors (legal name, purpose, processing location, and transfer mechanism). Controller agrees this list is confidential and may be used solely for data-protection due diligence.

5.3 Objections & Deemed Consent. Controller may object on reasonable data-protection grounds within 10 days of notice. The parties will work in good faith to mitigate. If no resolution is possible, Controller may suspend the affected processing or terminate the impacted portion of the Service. If Controller does not object within 10 days, consent is deemed granted.

5.4 Flow-Down & Responsibility. Processor will impose written data-protection terms on all subprocessors no less protective than this DPA and remains responsible for their performance.

5.5 International Transfers. Where a subprocessor processes Personal Data outside the EEA/UK/CH, Processor will ensure an appropriate transfer mechanism (e.g., EU SCCs with supplementary measures) is in place.

6. International Transfers

6.1 Processing may occur in us-east-1 (USA) and other locations of authorized subprocessors.

6.2 Where required, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: controller-to-processor), including the UK Addendum and Swiss amendments as applicable. The SCCs prevail over conflicting DPA terms for EEA/UK/CH transfers.

7. Assistance

Processor will, considering the nature of processing: (a) assist Controller with data subject requests; (b) assist with security, breach notifications, DPIAs and consultations with authorities; and (c) provide information reasonably necessary to demonstrate compliance (including third-party audit reports of key vendors).

8. Personal Data Breach

Processor will notify Controller without undue delay and no later than 72 hours after awareness of a Personal Data Breach affecting Controller’s Personal Data, and provide updates as information becomes available.

9. Use, De-identification, and Service Data

9.1 Processor processes Personal Data solely to provide, secure, and improve the Service, to comply with law, and as otherwise instructed.

9.2 Processor may create and use Aggregated/De-identified Data that does not identify a natural person or Controller, for analytics, benchmarking, and improving the Service.

9.3 No sale of personal data by default. Any broader reuse of document content requires a separate, explicit opt-in (e.g., a signed agreement or checkbox consent to a Data Contribution Program) and will use de-identified data only, with no attempt at re-identification.

10. Return and Deletion

At termination or upon request, Processor will delete or return Personal Data (Controller’s choice), unless retention is required by law. Defaults: originals retained up to 365 days; Controller deletion requests honored within 30 days.

11. Audits

Processor does not accept physical audits and does not reimburse any costs related to audit activities. Processor may satisfy audit requests by providing recent third-party audit reports and documentation demonstrating Technical and Organizational Measures (TOMs) as described in Annex II.

12. Liability; Precedence; Law

Liability follows the Agreement’s limits unless prohibited by law or the SCCs. If conflict: SCCs > DPA > Agreement for EEA/UK/CH transfers. Governing law and forum follow the Agreement (Romania, unless SCCs specify otherwise).

13. Updates to This DPA

Processor may update this DPA to reflect legal or operational changes without reducing protection; material changes will be notified (e.g., email) before effectiveness.

Annex I — Details of Processing

Purpose: Provide the StmtScan Service: ingest PDFs; extract/structure data (CSV/JSON/metrics); deliver outputs; support, security, billing, service improvement.

Data subjects: Customer personnel; individuals appearing in bank statements.

Categories of data: Account data (name, email); document contents (bank-statement data as present). No special categories intended.

Frequency/Duration: Continuous during the Agreement. Retention and deletion per §10.

Processing operations: Collection (presigned upload), storage (cloud storage), parsing (AI/ML services), retrieval, transmission to Controller, deletion, logging, backups.

Annex II — Technical and Organizational Measures (TOMs)

  • Access control: Least privilege; named accounts; MFA for cloud/admin; quarterly access review.
  • Encryption: At rest: AES-256 encryption on all stored data. In transit: TLS 1.2+; HSTS; presigned URLs.
  • Segregation/Authorization: Tenant-scoped object keys; all user data is isolated through database relationships and resource-level authorization checks.
  • Logging/Monitoring: Comprehensive logging and monitoring systems with alarms for security events; ≥90-day retention.
  • Secure SDLC: PR reviews; dependency scanning; secrets management with environment secrets (no plaintext in CI); staging separate from prod.
  • Vulnerability mgmt: Critical fixes ≤7 days, high ≤14; annual pentest (planned); periodic external scans.
  • Backups/Recovery: Automated backup systems with versioning; RPO ≤24h / RTO ≤4h; quarterly restore tests.
  • Incident response: Detect→triage→contain→remediate→notify within 72h; post-incident review.
  • Retention/Deletion: Originals auto-purged at 365 days; deletion requests within 30 days; document evidence of deletion.
  • Training & confidentiality: Personnel under NDA; annual security/privacy training.
  • Privacy by design: Minimize personal data; optional Data Contribution Program is opt-in and uses de-identified data only.

Annex III — Standard Contractual Clauses (SCCs)

For EEA/UK/CH transfers, the parties incorporate by reference the EU SCCs (2021/914, Module 2) (and, where applicable, the UK Addendum and Swiss amendments). The SCCs are deemed executed by the parties and prevail over conflicting terms for such transfers.

This DPA is automatically effective upon account creation or first use of the Service.