Data Processing Agreement (DPA)

Business Use Notice

This Data Processing Agreement governs business use of the Bank Statement Reader service. Personal use is governed by our standard Terms of Service.

Effective Date: January 6, 2025
Last Updated: January 6, 2025
Version: 1.0

1. Parties and Definitions

1.1 Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The business entity using the Service ("Customer")
  • Data Processor: Bank Statement Reader service provider ("Processor")

1.2 Key Definitions

  • Personal Data: Bank statements and financial information of data subjects
  • Processing: PDF analysis, text extraction, and transaction parsing
  • Data Subject: Individual whose bank statement is processed
  • Service: Bank Statement Reader PDF analysis platform

2. Scope and Purpose of Processing

Permitted Processing

  • PDF text extraction
  • Transaction data parsing
  • Bank identification
  • Data format standardization

Prohibited Processing

  • Data storage or retention
  • Profiling or analysis
  • Third-party sharing
  • Marketing or advertising

Processing Duration

Processing occurs solely during API request execution (typically 2-5 seconds). All data is immediately purged from memory upon completion.

3. Customer Obligations

3.1 Legal Basis

Customer warrants that it has obtained a valid legal basis for processing personal data, including but not limited to consent, legitimate interest, or contractual necessity.

3.2 Data Subject Rights

Customer is responsible for:

  • Providing privacy notices to data subjects
  • Handling data subject access requests
  • Managing consent withdrawal
  • Responding to deletion requests

3.3 Data Minimization

Customer must ensure only necessary personal data is submitted for processing and that data subjects have been informed of the processing purpose.

4. Processor Obligations

4.1 Processing Restrictions

  • Process data only as instructed by Customer
  • Delete data immediately after processing
  • Not use data for own purposes
  • Maintain confidentiality of all data

4.2 Security Measures

  • HTTPS encryption for all data transmission
  • Memory-only processing (no disk storage)
  • Automatic data purging after processing
  • Access logging and monitoring
  • Regular security updates and patches

4.3 Breach Notification

Processor will notify Customer of any personal data breach within 24 hours of discovery, including details of affected data and remediation measures taken.

5. Data Transfers and Sub-processing

5.1 International Transfers

Processing occurs within the United States. No international data transfers are made. Hosting infrastructure (Vercel) operates under appropriate data protection frameworks.

5.2 Sub-processors

Current approved sub-processors:

  • Vercel: Hosting and serverless computing (Privacy Shield certified)

Customer will be notified 30 days in advance of any sub-processor changes.

6. Audits and Compliance

6.1 Audit Rights

Customer has the right to audit Processor's compliance with this DPA through:

  • Review of security documentation
  • Third-party security assessments
  • Compliance certifications
  • On-site inspections (with reasonable notice)

7. Term and Termination

7.1 Term

This DPA remains in effect for the duration of Customer's use of the Service.

7.2 Data Return/Deletion

Upon termination, Processor will confirm deletion of all Customer personal data. Since no data is retained, this occurs automatically with each processing request.

8. Liability and Indemnification

8.1 Limitation of Liability

Each party's liability for data protection violations is limited to direct damages actually incurred. Processor's total liability shall not exceed $10,000 USD.

9. Contact Information

For DPA-related inquiries, data subject requests, or compliance matters, contact our Data Protection Officer through our Support Center.