Data Processing Addendum
DPA version: 2026-06-05.v1. Last updated: 2026-07-10.
This Data Processing Addendum (the “DPA”) forms part of the ProofRows Terms of Service (the “Agreement”) between ProofRows(“ProofRows”, “we”, the “Processor”) and the customer that signs up to use the Service (the “Controller”). It applies to the Processing of Controller Personal Data by ProofRows in connection with the Service. Defined terms in this DPA have the meanings given in the Agreement or in Article 4 of Regulation (EU) 2016/679 (“GDPR”).
1. Preamble and incorporation
This DPA is incorporated by reference into, and forms part of, the Agreement. By clicking “I accept the DPA” in the Service, or by continuing to use the Service after we have notified you of an updated DPA, the Controller agrees to its terms. The DPA is a stand-alone data-processing agreement for the purposes of Article 28(3) of GDPR and Article 28(3) of the UK GDPR.
2. Definitions
- Personal Data has the meaning in Article 4(1) GDPR, including any data relating to an identified or identifiable natural person that the Controller submits to the Service.
- Processing, Controller, Processor, Sub-processor, Data Subject, Supervisory Authority and Personal Data Breach have the meanings given in Article 4 GDPR.
- Restricted Transfer means a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country outside that jurisdiction that is not the subject of an adequacy decision.
- Controller Personal Data means the Personal Data that the Controller submits to the Service in the form of bank-statement PDFs, client records, and any other data uploaded to or generated by the Controller’s workspace.
3. Roles
The parties acknowledge that, for the purposes of GDPR, the UK GDPR, the Swiss FADP, and equivalent laws:
- The Controller is the customer (typically a bookkeeper, accountant, or accounting firm) that determines the purpose and means of the Processing of Controller Personal Data in the course of providing bookkeeping or accounting services to its own clients.
- The Processor is ProofRows, which Processes Controller Personal Data only on the Controller’s documented instructions, as set out in this DPA and the Agreement.
- The data subjects are the Controller’s own clients (typically the businesses or individuals whose bank statements the Controller uploads) and any natural persons named in those statements (e.g. payees, account holders).
4. Subject matter, nature, purpose, and duration of the Processing
- Subject matter: the Processor’s provision of the bank-statement clean-up and export service to the Controller.
- Nature: receipt, storage, automated extraction, review-assistance, and export of bank-statement PDFs and the resulting transaction data.
- Purpose: providing the Service to the Controller; no other purpose.
- Duration: for the term of the Agreement, and thereafter until the Controller Personal Data is returned or deleted in accordance with §15.
5. Categories of Personal Data and Data Subjects
- Categories of Personal Data: bank-account holder names, account numbers (typically masked to last 4 digits after extraction), bank names, transaction dates, descriptions, debit/credit amounts, balances, counter-party names appearing in transactions, and any free-text fields the Controller enters when reviewing a statement. The Service does not process special categories of data within the meaning of Article 9 GDPR, and the Controller must not upload such data.
- Categories of Data Subjects: the Controller’s own clients (typically small-business owners and sole proprietors); account holders and authorised signatories of the bank accounts appearing on uploaded statements; and any natural persons named in transaction descriptions.
6. Controller’s instructions
The Processor shall Process Controller Personal Data only on documented instructions from the Controller, including with regard to Restricted Transfers, unless the Processor is required to do otherwise by Union or Member State law or by the law of another jurisdiction to which the Processor is subject (in which case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest). The Controller’s initial instructions are set out in the Agreement, this DPA, and the configuration of the Controller’s workspace. If the Processor reasonably believes that an instruction infringes GDPR, the UK GDPR, the Swiss FADP, or other applicable data-protection law, it shall immediately inform the Controller.
7. Processor obligations (Article 28(3) GDPR)
The Processor shall:
- Process Controller Personal Data only on the Controller’s documented instructions;
- ensure that persons authorised to Process Controller Personal Data have committed themselves to confidentiality;
- implement the technical and organisational measures set out in §10 and Annex II to protect Controller Personal Data;
- engage Sub-processors only in accordance with §8;
- assist the Controller in fulfilling the Controller’s obligation to respond to Data Subject rights requests under Chapter III GDPR (see §12);
- assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (see §10, §11, §13);
- at the Controller’s choice, return or delete Controller Personal Data in accordance with §14;
- make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for, and contribute to, audits and inspections in accordance with §15.
8. Sub-processors
8.1 General authorisation
The Controller grants the Processor general written authorisation to engage Sub-processors, on the terms of this §8. The current list of Sub-processors is published on the Privacy page and is incorporated into this DPA by reference. The Processor shall maintain the list as the single source of truth and shall update the page before engaging any new Sub-processor.
8.2 Change notification
The Processor shall give the Controller at least 30 days’ prior written notice of any intended addition or replacement of a Sub-processor, by (a) updating the list on the Privacy page, (b) sending an email to the Controller’s account contact address, and (c) showing an in-app banner to signed-in Controllers. The Controller may object to the change for reasonable data-protection grounds within the 30-day notice period by emailing privacy@proofrows.com. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the affected part of the Service and the Processor will refund any pre-paid, unused fees on a pro-rata basis.
8.3 Flow-down obligations
The Processor shall impose on each Sub-processor, by way of a written contract, data-protection obligations no less protective than those set out in this DPA, and shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.
9. International data transfers
9.1 EU-US Data Privacy Framework
For Restricted Transfers from the EEA to a Sub-processor in the United States that is self-certified under the EU-US Data Privacy Framework (DPF) adequacy decision of 10 July 2023, no further transfer mechanism is required. The current DPF status of each US Sub-processor is set out on the Privacy page.
9.2 EU Standard Contractual Clauses — Module 2
For Restricted Transfers from the EEA to a Sub-processor in a third country that is not the subject of an adequacy decision and is not DPF-certified, the parties incorporate by reference the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller-to-Processor). The Annexes are:
- Annex I.A (List of Parties): the Controller is the customer identified in the executed order form / signed-up workspace; the Processor is ProofRows at the address set out in /terms. A blank template Annex I is set out at the bottom of this page for the Controller’s reference.
- Annex I.B (Details of the Transfer): categories of Data Subjects and Personal Data are as described in §5; sensitive data is none; frequency is continuous; retention is as set out in §14; Sub-processor list is at /privacy.
- Annex II (Technical and Organisational Measures): the TOMs set out in §10 and Annex II below.
- Annex III (Sub-processor list): the list on /privacy.
Clause 7 (Docking clause) of the SCCs is included. Clause 17 (Governing law) and Clause 18 (Forum) are filled in as the laws and courts of [GOVERNING_JURISDICTION] — verify with counsel.
9.3 UK International Data Transfer Addendum
For Restricted Transfers from the United Kingdom, the parties incorporate the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner on 21 March 2022 (the “UK Addendum”), which modifies the EU SCCs to make them valid under the UK GDPR. The UK Addendum applies automatically to any transfer that is also an EU transfer under §9.2.
9.4 Swiss FADP SCCs
For Restricted Transfers from Switzerland, the parties incorporate the EU SCCs as set out in §9.2 with the following “Swiss Rider” adaptations required by the revised Federal Act on Data Protection (in force 1 September 2023) and recognised by the FDPIC: (a) references to GDPR are read as references to the FADP; (b) the competent Supervisory Authority is the FDPIC; (c) the governing law is the law of Switzerland and the forum is the courts of Switzerland at the Data Subject’s place of habitual residence; and (d) the parties have completed and documented a Transfer Impact Assessment.
10. Security of Processing (TOMs)
The Processor has implemented and shall maintain the technical and organisational measures listed in Annex II at the bottom of this page. These measures are designed to ensure a level of security appropriate to the risk of the Processing, in accordance with Article 32 GDPR. The Processor reviews and updates the measures as the Service evolves, and makes the current TOMs available to the Controller on request.
11. Personal data breach notification
The Processor shall notify the Controller of a Personal Data Breach affecting Controller Personal Data without undue delay, and in any event within 48 hours of becoming aware of the breach, so that the Controller can satisfy its own obligations under Article 33 GDPR (72-hour supervisory-authority notification) and Article 34 GDPR (Data Subject notification). The initial notification shall, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed. Further information shall be provided in phases as it becomes available.
12. Data Subject rights assistance
Taking into account the nature of the Processing, the Processor shall assist the Controller, by appropriate technical and organisational measures, in responding to Data Subject rights requests. The Service provides self-service tools in Settings for the Controller to action most requests; for anything else, the Controller may email privacy@proofrows.com. The Processor shall not respond directly to a Data Subject except to redirect the Data Subject to the Controller, unless instructed in writing by the Controller.
13. DPIA and prior consultation
The Processor shall provide the Controller, on request, with the information reasonably necessary to enable the Controller to conduct a Data Protection Impact Assessment under Article 35 GDPR or to engage in prior consultation with a Supervisory Authority under Article 36 GDPR.
14. Return and deletion of Controller Personal Data
On termination of the Agreement (or sooner on the Controller’s written request), the Processor shall, at the Controller’s choice:
- Return all Controller Personal Data to the Controller in a structured, commonly used, machine-readable format (CSV, JSONL, or PDF, as the Controller requests and the data allows); and thereafter
- Delete all copies of Controller Personal Data in the Processor’s possession or control, within 30 days of the termination date, except where retention is required by applicable law.
Account self-deletion in Settings → Danger zone satisfies the Controller’s return-and-delete election in a single step.
15. Audit rights
The Processor shall make available to the Controller, on reasonable request and not more than once per calendar year, the information necessary to demonstrate compliance with this DPA, by:
- responding in writing to a reasonable security questionnaire;
- providing the Controller with a copy of
docs/SECURITY_AND_PRIVACY.mdand any updated TOMs; - allowing the Controller (or an independent auditor bound by confidentiality) to conduct a remote review of the Processor’s security documentation, with at least 30 days’ prior written notice; and
- on the Controller’s written request and at the Controller’s cost, permitting an on-site audit of the Processor’s Processing locations during business hours, with at least 30 days’ prior written notice, no more than once per calendar year, subject to confidentiality.
The Processor does not currently hold a SOC 2 Type II or ISO 27001 attestation; once obtained, the audit-rights clause will be updated to grant the Controller a right of access to the report on the same notice terms.
16. Liability
Liability under this DPA is allocated in accordance with the limitation-of-liability provisions of the Agreement, except that the parties’ respective liability for damages caused by their own infringement of GDPR, the UK GDPR, or the Swiss FADP shall not be subject to any contractual cap that is lower than the cap permitted by the applicable data-protection law.
17. DPO, EU representative, UK representative
The Processor’s privacy contact for all matters under this DPA is privacy@proofrows.com. The Processor has not appointed a Data Protection Officer under Article 37 GDPR because its core activities do not consist of large-scale regular and systematic monitoring of Data Subjects, large-scale processing of special categories of data, or processing by a public authority. This determination shall be kept under review and a DPO shall be appointed if the triggering criteria are met.
Where required by Article 27 GDPR or Article 27 UK GDPR, the Processor has appointed, or shall appoint, a written representative in the European Union and in the United Kingdom. The current representative details are set out on the Privacy page.
18. Order of precedence
In the event of any conflict between this DPA and the Agreement with respect to the Processing of Controller Personal Data, this DPA shall prevail. For all other matters, the Agreement prevails.
19. Changes to this DPA
The Processor may update this DPA from time to time. Material changes will be notified to the Controller at least 30 days in advance by email and in-app banner. Continued use of the Service after the effective date of the updated DPA constitutes acceptance, except for changes that materially increase the Processor’s data-protection obligations, in which case the Controller may terminate the affected part of the Service and receive a pro-rata refund of any pre-paid, unused fees.
20. Governing law
This DPA is governed by the laws of [GOVERNING_JURISDICTION], without regard to conflict-of-laws provisions. The SCCs, the UK Addendum, and the Swiss rider are governed by their own choice-of-law clauses.
21. Contact
For all privacy, DPA, sub-processor, breach, and Data Subject rights matters: privacy@proofrows.com. To request the executed Annex I (Parties), Annex II (TOMs), or Annex III (Sub-processors) for your account, email privacy@proofrows.com with your workspace name.
Annex I — Template: List of Parties and Details of the Transfer
The Controller may use this template to record the parties and details of the Restricted Transfer covered by the EU SCCs Module 2, the UK Addendum, and the Swiss rider. Send the completed form to privacy@proofrows.com; we will countersign and return a copy for your records.
A. Parties
- Data exporter (Controller): [Controller legal name, address, contact name, role/position, email, phone]
- Data importer (Processor): ProofRows, [registered address]. Contact: privacy@proofrows.com.
B. Details of the Transfer
- Categories of Data Subjects: the Controller’s own clients (data subjects whose bank statements the Controller processes) and natural persons named in those statements.
- Categories of Personal Data: account-holder names, masked account numbers, transaction dates, descriptions, debit/credit amounts, balances, counter-party names, and free-text fields entered by the Controller during review.
- Sensitive data: none. The Controller must not upload special-category data within Article 9 GDPR.
- Frequency: continuous, for the duration of the Agreement.
- Retention: per-client retention period configured in the Controller’s workspace (default 30 days for source PDFs; transactions and export logs retained for the life of the account unless the Controller deletes them).
- Sub-processor list: /privacy, incorporated by reference.
- Competent Supervisory Authority: the Supervisory Authority of the Controller’s place of establishment (EU/UK), or the FDPIC (Switzerland).
Annex II — Technical and Organisational Measures (TOMs)
Mapped to Article 32 GDPR. The Processor shall implement and maintain, as a minimum, the following measures:
- Pseudonymisation and encryption. TLS 1.2+ in transit for all client and inter-service traffic. AES-256 encryption at rest in Supabase Postgres and the private
statement-filesstorage bucket. API keys are stored as one-way hashes inapi_keys.key_hash; the plaintext token is shown to the user once and never persisted. - Confidentiality. All personnel with access to Controller Personal Data are subject to a written confidentiality undertaking. Access to production systems is gated by Supabase Auth, role-based membership in the Controller’s
organizationsrow, and a separateSUPABASE_SERVICE_ROLE_KEYthat lives only on the server. Multi-factor authentication is supported and required for all personnel with admin access. - Integrity. Row-Level Security on every product table restricts read and write to the owning user or org. PDF access is via 60-second signed URLs minted only after an RLS-scoped read. The service-role key bypasses RLS only on the explicit allowlist documented in
docs/SECURITY_AND_PRIVACY.md. - Availability and resilience. Supabase managed Postgres with daily backups and point-in-time recovery. The retention cron runs daily at 03:00 UTC and is monitored with Vercel alerting.
- Restoration. The retention cron operates as a soft-delete + storage-delete round-trip, exercised daily in production. Disaster recovery of the database is via the Supabase backup-restore workflow.
- Regular testing. The Processor maintains a security regression test suite:
scripts/test-upload-e2e.mjs(cross-user RLS isolation),scripts/test-auth-gating.mjs(page and API gating),scripts/test-csv-export.tsandscripts/test-export-profiles.ts(export-injection protection), andscripts/test-sentry-scrub.ts(PII scrubbing before observability export). These tests run on every change before deploy. - Incident response. A documented incident-response process is maintained, anchored on the breach-notification obligation in §11. The on-call rotation is paged via Vercel + Sentry alerts; the breach timer is tracked in the on-call shared channel with a 48-hour SLA to the Controller.
- Sub-processor management. The list at /privacy is the single source of truth; every sub-processor is backed by a written contract with data-protection terms no less protective than this DPA. The change-notification process in §8.2 is the operational control.
- Logging discipline. The structured logger (
lib/observability/log.ts) has an explicit allowlist of fields. Transaction descriptions, vendor names, account numbers, balances, and statement text are never logged. Server-side Sentry scrubbing strips the same fields before any error event is sent.
Questions? privacy@proofrows.com