Data Processing Agreement

Effective Date: 11 March 2026 · Last Updated: 11 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Vertial Holdings Pty Ltd (ABN 72 629 494 926), trading as Bank-statements.co ("Processor", "we", "us"), and you ("Controller", "you").

This DPA applies when we process personal data on your behalf in connection with our bank statement conversion services ("Services"). It is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Australian Privacy Act 1988 (Cth).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that you submit to the Services for processing.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, conversion, and deletion.
  • "Sub-processor" means a third party engaged by us to process Personal Data on your behalf.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Purpose of Processing

We process Personal Data solely for the purpose of providing the Services to you:

  • Nature of processing: Automated extraction and conversion of transaction data from uploaded bank statement PDF files into structured formats (CSV, Excel, QBO, OFX, QIF, JSON).
  • Categories of data subjects: Individuals whose transaction data appears in the bank statements you upload.
  • Types of Personal Data: Names, account numbers, transaction descriptions, monetary amounts, dates, and balances as contained in the uploaded documents.
  • Duration: For as long as your account is active and you retain files on our platform. You may delete your files at any time from your dashboard.

3. Obligations of the Processor

We shall:

  • Process Personal Data only on your documented instructions, unless required by law
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 5)
  • Not engage a Sub-processor without prior notification (see Section 6)
  • Assist you in responding to data subject access requests where reasonably practicable
  • Notify you without undue delay upon becoming aware of a Data Breach (see Section 7)
  • Delete or return all Personal Data upon termination of the Services, at your choice, unless retention is required by law
  • Make available information necessary to demonstrate compliance with this DPA upon reasonable request

4. Obligations of the Controller

You shall:

  • Ensure you have a lawful basis for sharing Personal Data with us for processing
  • Ensure the accuracy of Personal Data provided to us
  • Inform data subjects about the processing as required by applicable law
  • Provide documented instructions for the processing of Personal Data

5. Security Measures

We implement the following technical and organisational measures to protect Personal Data:

  • Encryption in transit: All data transmitted over HTTPS using TLS 1.2+
  • Encryption at rest: Files and data encrypted using AES-256 on AWS infrastructure
  • Access controls: Role-based access; only authorised personnel can access user data
  • Authentication: Managed by Clerk with industry-standard security practices
  • Payment security: Payment data handled exclusively by Stripe (PCI DSS Level 1 certified)
  • Infrastructure: Hosted on Amazon Web Services (AWS) with their security controls
  • Monitoring: Error tracking and security monitoring via Sentry

6. Sub-processors

We use the following Sub-processors to provide the Services:

Sub-processor — Purpose — Location

  • Amazon Web Services (AWS) — Cloud infrastructure, file storage and processing — United States
  • Google (Gemini AI) — Document parsing and data extraction — United States
  • Clerk — Authentication and user management — United States
  • Stripe — Payment processing — United States
  • Resend — Transactional email delivery — United States
  • Sentry — Error monitoring — United States
  • Crisp — Live chat and customer support — France

We will notify you before adding or replacing a Sub-processor by updating this page. If you object to a new Sub-processor, you may terminate the Services by closing your account.

7. Data Breach Notification

In the event of a Data Breach affecting your Personal Data, we will:

  • Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories of data affected, and approximate number of records
  • Describe the likely consequences and the measures taken or proposed to mitigate the breach
  • Cooperate with you in notifying relevant supervisory authorities and affected data subjects where required

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, and Australia — primarily the United States, where our infrastructure and Sub-processors are located.

For transfers from the EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Sub-processors' participation in recognised data transfer frameworks where applicable

9. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible and within a reasonable timeframe.

10. Term and Termination

  • This DPA remains in effect for the duration of your use of the Services
  • Upon termination, we will delete all Personal Data in our possession unless retention is required by law
  • You may delete your files at any time from your dashboard prior to account termination

11. Governing Law

This DPA is governed by the laws of New South Wales, Australia, without regard to conflict of law principles. For data subjects in the EEA or UK, nothing in this DPA limits any rights under GDPR or UK GDPR.

12. Contact

For questions about this DPA or to exercise any rights, contact us:

  • Vertial Holdings Pty Ltd (ABN 72 629 494 926)
  • Trading as Bank-statements.co
  • Sydney, New South Wales, Australia
  • Email: info@bank-statements.co