Data Processing Agreement - Beta Preview
Preview of Enterprise Data Processing Terms (Available Upon Launch)
Beta Note: This is a preview of our future DPA. During beta testing, no production data processing occurs. This document shows our commitment to GDPR compliance upon launch.
1. Definitions and Interpretation
This Data Processing Agreement ("DPA") forms part of the Service Agreement between Treanova GmbH ("Processor") and the Customer ("Controller") for the provision of treasury management services.
Terms used in this DPA have the following meanings:
- "Data Protection Laws" means the EU General Data Protection Regulation 2016/679 (GDPR) and any applicable national data protection laws
- "Personal Data" means any information relating to an identified or identifiable natural person processed under this Agreement
- "Processing" has the meaning given in Article 4(2) GDPR
- "Sub-processor" means any third party engaged by the Processor to process Personal Data
- "Data Subject" means the individual to whom Personal Data relates
2. Processing of Personal Data
2.1 Processor's Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security of processing
- Not transfer Personal Data outside the EEA without appropriate safeguards
- Assist the Controller in responding to data subject requests
- Make available all information necessary to demonstrate compliance
- Delete or return all Personal Data at the end of the service provision
2.2 Controller's Obligations
The Controller shall:
- Ensure it has all necessary lawful bases for processing Personal Data
- Provide clear and lawful processing instructions
- Ensure the accuracy of Personal Data provided
- Comply with all applicable Data Protection Laws
- Obtain necessary consents from Data Subjects where required
3. Details of Processing
3.1 Subject Matter and Duration
The Processor will process Personal Data as necessary to provide treasury management services for the duration of the Service Agreement.
3.2 Nature and Purpose
Processing activities include:
- Storage and hosting of financial data
- Transaction processing and reconciliation
- Financial reporting and analytics
- Bank connectivity and data synchronization
- User authentication and access management
3.3 Categories of Data Subjects
- Controller's employees and contractors
- Controller's customers and suppliers
- Authorized users of the Services
- Financial transaction counterparties
3.4 Categories of Personal Data
- Contact information (names, email addresses, phone numbers)
- Financial account information
- Transaction data and payment details
- User credentials and access logs
- Business identification data
4. Technical and Organizational Measures
The Processor implements the following security measures:
4.1 Physical Security
- Secure data center facilities with 24/7 monitoring
- Restricted physical access controls
- Environmental controls and fire suppression systems
4.2 Technical Security
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for system access
- Regular security patches and updates
- Intrusion detection and prevention systems
- Regular penetration testing and vulnerability assessments
4.3 Organizational Security
- Background checks for personnel with data access
- Regular security awareness training
- Strict access controls and principle of least privilege
- Incident response procedures
- Business continuity and disaster recovery plans
5. Sub-processing
5.1 Authorized Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors, subject to the following conditions:
- The Processor shall maintain a list of Sub-processors available upon request
- The Processor shall notify the Controller of any intended changes to Sub-processors
- The Controller has 14 days to object to new Sub-processors
- Sub-processors must be bound by equivalent data protection obligations
5.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting | EU (Frankfurt) |
| Google Cloud Platform | Backup and analytics | EU (Belgium) |
| SendGrid | Email services | EU/US (SCCs) |
| Stripe | Payment processing | EU (Ireland) |
6. International Data Transfers
Where Personal Data is transferred outside the EEA, the Processor shall ensure:
- Transfers are based on an adequacy decision by the European Commission, or
- Appropriate safeguards are in place (Standard Contractual Clauses), or
- The transfer is otherwise lawful under Data Protection Laws
The Processor shall provide copies of relevant safeguards upon request.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Access to Personal Data
- Rectification or erasure of Personal Data
- Restriction of processing
- Data portability
- Objection to processing
The Processor shall notify the Controller promptly of any Data Subject request received directly and shall not respond without the Controller's written instructions.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of a Personal Data breach. The notification shall include:
- Nature of the breach and categories of data affected
- Estimated number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for further information
The Processor shall cooperate fully with the Controller in investigating and remediating the breach and complying with notification obligations.
9. Audits and Inspections
The Processor shall:
- Make available all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits conducted by the Controller or its appointed auditor
- Provide relevant certifications (ISO 27001, SOC 2) upon request
Audits shall be conducted with reasonable notice (minimum 30 days) and during business hours, minimizing disruption to the Processor's operations. The Controller shall bear the costs of any audit unless a material breach is discovered.
10. Data Return and Deletion
Upon termination of the Service Agreement, the Processor shall, at the Controller's option:
- Return all Personal Data to the Controller in a commonly used format
- Securely delete all Personal Data and provide certification of deletion
- Retain Personal Data only to the extent required by applicable law
The Controller shall have 30 days from termination to retrieve its data. After this period, the Processor may delete all Personal Data unless legally required to retain it.
11. Liability and Indemnification
Each party shall be liable for its own compliance with Data Protection Laws. The Processor shall indemnify the Controller against losses arising from:
- The Processor's breach of this DPA
- Processing outside the Controller's instructions
- Breach by Sub-processors engaged by the Processor
Liability shall be subject to the limitations set forth in the Service Agreement, except where prohibited by Data Protection Laws.
12. Term and Termination
This DPA shall commence on the effective date of the Service Agreement and continue for its duration. Termination of the Service Agreement automatically terminates this DPA.
Provisions relating to data return, deletion, confidentiality, and liability shall survive termination.
13. Governing Law
This DPA is governed by the laws of Germany. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Service Agreement.
14. Contact Information
Processor's Data Protection Contact:
Treanova GmbH
Data Protection Officer
Email:
Contact via email above
This Data Processing Agreement supplements the Service Agreement and prevails in case of any conflict regarding data protection matters.