
Data Processing Agreement

Last updated: March 2026 | For Firm and Enterprise customers

This Data Processing Agreement ("DPA") applies to Firm and Enterprise customers who use AutoConvertPros to process personal data on behalf of their clients. It forms part of our Terms of Use and satisfies the requirements of Article 28 of UK GDPR.

1. Definitions

In this Agreement:

"Controller" means the Firm or Enterprise customer who determines the purposes and means of processing personal data (i.e. you, the customer).

"Processor" means AutoConvertPros, which processes personal data on behalf of the Controller.

"Data Subject" means the individual whose personal data is being processed (e.g. the bank account holder whose statement is uploaded).

"Personal Data" has the meaning given in UK GDPR — any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, use, analysis, and deletion.

"UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.

2. Roles and Responsibilities

2.1 Controller Responsibilities
As Controller, you are responsible for:

• Ensuring you have a lawful basis for processing the personal data you upload
• Obtaining all necessary consents or authorisations from data subjects before uploading their documents
• Ensuring data subjects have been informed about how their data will be processed, including by AutoConvertPros as Processor
• Using the platform only for purposes consistent with your privacy notices and data protection obligations
• Ensuring your instructions to us comply with applicable data protection law

2.2 Processor Responsibilities
As Processor, AutoConvertPros will:

• Process personal data only on your documented instructions
• Ensure persons authorised to process the data are bound by confidentiality obligations
• Implement appropriate technical and organisational security measures
• Assist you in responding to data subject rights requests where possible
• Delete or return personal data at the end of the service relationship
• Provide you with information necessary to demonstrate compliance

3. Nature and Purpose of Processing

Subject Matter: Automated extraction and analysis of financial transaction data from bank statements.

Duration: For the duration of your subscription or until you delete the relevant data, whichever is earlier. Uploaded files are deleted within 60 minutes of processing.

Nature of Processing: OCR text extraction, data classification, income analysis, risk scoring, report generation.

Purpose: To provide the AutoConvertPros bank statement analysis service as described in our Terms of Use.

Categories of Personal Data:
• Financial transaction data (dates, amounts, merchant names)
• Account holder name and account number (if present in uploaded documents)
• Bank name and sort code

Categories of Data Subjects:
• Bank account holders whose statements are uploaded by the Controller

4. Security Measures

We implement the following technical and organisational measures to protect personal data:

Technical Measures:
• Encryption in transit (TLS 1.2 or higher)
• Encryption at rest (AES-256)
• Access controls and authentication for all systems
• Automatic file deletion within 60 minutes of processing
• Regular security assessments and vulnerability monitoring
• Rate limiting and intrusion detection

Organisational Measures:
• Confidentiality obligations for all personnel with data access
• Data minimisation — we process only what is necessary
• Privacy by design and default principles
• Documented data processing procedures
• Incident response procedures

We will notify you without undue delay — and in any event within 72 hours — of any personal data breach that affects your data.

5. Sub-Processors

We use the following sub-processors to deliver the service. By agreeing to this DPA, you provide general authorisation for us to use these sub-processors:

Supabase (database and authentication)
Location: Ireland (EU)
Purpose: Storing account data, statement metadata, and transaction data
Data protection: supabase.com/privacy

Amazon Web Services (file storage and OCR)
Location: United Kingdom (eu-west-2, London)
Purpose: Temporary file storage and Textract OCR processing
Data protection: aws.amazon.com/compliance/gdpr-center

Stripe (payment processing)
Location: United States / Ireland
Purpose: Payment processing (does not process bank statement content)
Data protection: stripe.com/privacy

Resend (email delivery)
Location: United States
Purpose: Transactional email delivery (does not process bank statement content)
Data protection: resend.com/privacy

We will notify you of any intended changes to sub-processors at least 14 days in advance, giving you the opportunity to object.

6. International Data Transfers

We process data primarily within the UK and EU. Where data is transferred outside these regions (e.g. via Stripe or Resend), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the ICO or European Commission
• Adequacy decisions where applicable
• Transfer Impact Assessments where required

Details of transfers and safeguards are available on request.

7. Data Subject Rights

If a data subject exercises their rights under UK GDPR (access, erasure, rectification, portability, restriction, objection) and this relates to data processed by us on your behalf, we will:

• Promptly notify you of the request
• Assist you in responding within the required timeframe (30 days)
• Delete or provide a copy of the relevant data as instructed by you

As Controller, you are responsible for responding to data subject rights requests. We will support you with technically feasible assistance.

8. Audit Rights

You have the right to audit our compliance with this DPA. We will:

• Provide information reasonably necessary to demonstrate compliance
• Allow for and contribute to audits or inspections conducted by you or your appointed auditor
• Provide access to relevant documentation and records

Audits must be conducted on reasonable notice (minimum 14 days), during business hours, and at your cost. We may require a confidentiality agreement before providing access to sensitive documentation.

9. Termination and Data Deletion

Upon termination of the service relationship:

• Uploaded files are already deleted within 60 minutes of processing
• Statement metadata and transaction data stored in our database will be deleted within 30 days of account closure
• You may request immediate deletion at any time by contacting support@autoconvertpros.co.uk
• We will confirm in writing when deletion is complete

We may retain anonymised aggregate data (with no individual identifiers) for service improvement purposes.

10. Liability

Each party shall be liable for damages caused by processing in breach of this DPA or UK GDPR to the extent it is responsible for that breach. Our liability under this DPA is subject to the limitations set out in our Terms of Use.

You are responsible for ensuring your instructions to us comply with UK GDPR. We are not liable for processing carried out in accordance with your instructions where those instructions themselves breach UK GDPR.

11. Contact and Execution

This DPA is entered into automatically when you subscribe to a Firm or Enterprise plan and accept our Terms of Use. No separate signature is required.

For data protection queries or to request a signed copy of this DPA for your records:

Email: support@autoconvertpros.co.uk
Website: autoconvertpros.co.uk/contact

This DPA is governed by the laws of England and Wales.
