Data Processing Agreement
Version 1.0 · Effective 17 May 2026
This Data Processing Agreement (the “DPA”) supplements the Spendrein Terms of Service (the “Agreement”) entered into between the customer (the “Controller”) and Spendrein (the “Processor”), and applies whenever Spendrein Processes Personal Data on the Controller's behalf in connection with the Spendrein service (the “Service”).
The Parties have agreed to this DPA to reflect their commitments under the EU General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom Data Protection Act 2018 and UK GDPR (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), as applicable.
If there is any conflict between this DPA and the Agreement, this DPA prevails for matters concerning the Processing of Personal Data.
1. Definitions
Capitalised terms not defined here have the meanings given in the GDPR. For convenience:
- “Personal Data” means any information relating to an identified or identifiable natural person submitted to, stored in, or generated by the Service on behalf of the Controller.
- “Processing” has the meaning in GDPR Article 4(2) and includes collection, storage, use, transmission, and deletion.
- “Sub-processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller, as listed in Annex III.
- “Standard Contractual Clauses” or “SCCs” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries.
- “UK IDTA” means the United Kingdom International Data Transfer Agreement issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018.
2. Subject Matter, Duration, and Roles
2.1 Subject matter and duration
The Processor Processes Personal Data on behalf of the Controller for the duration of the Agreement and for any period thereafter during which the Processor retains Personal Data pursuant to Section 9 (Return and Deletion).
2.2 Roles
The Controller is the controller of the Personal Data and the Processor is a processor. The Processor will only Process Personal Data on documented instructions from the Controller, which instructions consist of (a) the Agreement, (b) this DPA, and (c) any further written instructions given by the Controller through the Service interface or by email to privacy@spendrein.com.
2.3 Service description
The Service ingests financial statements and contract documents supplied by the Controller's authorised users, identifies recurring vendor charges and contractual obligations, surfaces recommendations, and (on paid tiers) helps users cancel unwanted subscriptions and track contract renewals.
A full description of the categories of data subjects, categories of Personal Data, nature and purpose of Processing, and retention is set out in Annex I.
3. Processor Obligations
The Processor will:
- Process Personal Data only on the Controller's documented instructions, including with regard to transfers to a third country, unless required to do so by EU or Member State law to which the Processor is subject. The Processor will inform the Controller of any such legal requirement before Processing unless the law prohibits such information on important grounds of public interest.
- Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality.
- Implement the technical and organisational measures described in Annex II.
- Engage Sub-processors only in accordance with Section 5.
- Assist the Controller, taking into account the nature of the Processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights (Section 7) and in ensuring compliance with the Controller's obligations under GDPR Articles 32 to 36 (Section 6 and Section 8).
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless EU or Member State law requires storage of the Personal Data (Section 9).
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits in accordance with Section 10.
4. Confidentiality and Personnel
Access to Personal Data is restricted to Processor personnel who require such access to perform the Agreement. All such personnel are bound by written confidentiality obligations and receive training on data protection. Production database access is limited to the engineering personnel responsible for operating the Service and is logged.
5. Sub-processors
5.1 General authorisation
The Controller grants the Processor general written authorisation to engage the Sub-processors listed in Annex III for the Processing of Personal Data.
5.2 Sub-processor obligations
The Processor will enter into a written agreement with each Sub-processor imposing on the Sub-processor data protection obligations substantially the same as those imposed on the Processor under this DPA. The Processor remains fully liable to the Controller for the performance of the Sub-processor's obligations.
5.3 Changes to the Sub-processor list
The Processor will give the Controller at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-processor by updating Annex III and notifying registered Workspace Owners by email. The Controller may object to the change on reasonable data-protection grounds within the notice period. If the Parties cannot agree on a resolution, the Controller may terminate the affected portion of the Service with pro-rata refund of any pre-paid fees for the unused remainder of the then-current billing period.
6. Security Measures
The Processor implements the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks to data subjects.
The Controller is responsible for the security of any Personal Data outside the Service (for example, statement files stored on the Controller's own systems before upload, or files exported from the Service).
7. Data Subject Rights
The Processor will, taking into account the nature of the Processing, assist the Controller through appropriate technical and organisational measures in responding to requests from data subjects to exercise their rights under GDPR Chapter III. Specifically:
- The Service provides self-service mechanisms in /settings to access, export, correct, and delete Personal Data.
- The Processor will forward any data subject request received directly by the Processor to the relevant Controller within five (5) business days and will not respond substantively except to confirm receipt.
- Where a Controller request requires deletion or export beyond what the self-service interface allows, the Processor will complete the request within thirty (30) days of receipt.
8. Personal Data Breach Notification
The Processor will notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include, to the extent then known:
- The nature of the Personal Data Breach, including the categories and approximate number of data subjects and records concerned;
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- The name and contact details of the Processor's data protection contact point.
Notification of, or response to, a Personal Data Breach by the Processor is not an acknowledgement by the Processor of any fault or liability with respect to the Personal Data Breach.
9. Return and Deletion
9.1 During the Agreement
The Controller may at any time delete Personal Data using the self-service interface (/settings) or by emailing privacy@spendrein.com. Specific deletion behaviour:
- Raw bank statement files uploaded for an audit are deleted from primary storage within minutes of successful parsing. An automated daily sweep purges any orphaned files within seven (7) days at the latest.
- Parsed transactions, subscriptions, contracts, and audits are deleted when the Controller deletes the underlying record or the account.
- Workspaces moved to the “soft-deleted” lifecycle state via the Service are hard-deleted thirty (30) days after the soft-delete event, unless restored by the Owner before then.
9.2 On termination of the Agreement
Upon termination of the Agreement, or upon the Controller's earlier request, the Processor will delete all Personal Data Processed on behalf of the Controller from the Processor's primary systems within thirty (30) days. Backups containing Personal Data are purged in accordance with the rolling backup retention schedule (currently thirty (30) days) and are inaccessible during that period except for disaster recovery.
The Processor will, upon written request from the Controller and prior to such deletion, provide the Controller with a self-service export of the Controller's Personal Data in a structured, commonly used, and machine-readable format.
9.3 Mandatory retention
The Processor may retain Personal Data after termination only to the extent and for the period required by applicable law (for example, tax, accounting, or anti-money-laundering record-keeping obligations applying to billing records). Personal Data retained on this basis remains subject to the confidentiality, security, and access obligations of this DPA.
10. Audits
The Processor will make available to the Controller, upon written request and no more than once per twelve (12) month period, the following:
- The Processor's then-current Annex II security measures summary;
- The Processor's then-current third-party security attestations and certifications (e.g. SOC 2 reports, ISO 27001 certificates, penetration test summaries), if any, subject to a mutual non-disclosure agreement;
- Reasonable written responses to a security questionnaire addressing the topics in Annex II.
If the Controller can demonstrate, after exhausting the above, that this information is insufficient to demonstrate compliance with the Processor's obligations under this DPA, the Controller may request an on-site audit by an independent third-party auditor reasonably acceptable to the Processor, at the Controller's expense, on at least sixty (60) days' written notice, during regular business hours, and subject to the Processor's reasonable security and confidentiality requirements.
Audits in connection with a regulator's binding instruction or a Personal Data Breach are not subject to the frequency or cost limitations of this Section.
11. International Data Transfers
Where the Processor or a Sub-processor Processes Personal Data outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland, the transfer is subject to one of the following safeguards:
- For EEA→Third Country transfers: the Standard Contractual Clauses (Module Two: Controller-to-Processor where the Processor is the data exporter and the Sub-processor is the data importer; or Module Three: Processor-to-Processor where applicable), incorporated by reference into this DPA. The Parties select Clause 7 (Docking clause) — included; Clause 9(a) (Sub-processor authorisation) — option 2 (general written authorisation) with 30 days' notice; Clause 11(a) (Independent dispute resolution) — omitted; Clause 17 (Governing law) — law of the Republic of Ireland; Clause 18 (Forum and jurisdiction) — courts of the Republic of Ireland.
- For UK→Third Country transfers: the UK IDTA, or the EU SCCs together with the UK International Data Transfer Addendum, incorporated by reference.
- For Swiss→Third Country transfers: the EU SCCs as modified by the guidance of the Swiss Federal Data Protection and Information Commissioner.
The data exporter of record is the Controller; the data importer is the Processor (or, where applicable, the relevant Sub-processor).
12. California Consumer Privacy Act
To the extent the Processor Processes Personal Information (as defined in the CCPA/CPRA) of California residents on behalf of the Controller:
- The Processor acts as a “service provider” under the CCPA/CPRA;
- The Processor will not retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Service, as required for that purpose, or as otherwise permitted by the CCPA/CPRA;
- The Processor will not sell or share the Personal Information as those terms are defined in the CCPA/CPRA;
- The Processor will not combine the Personal Information with personal information that the Processor receives from or on behalf of any other person or persons, except to perform a business purpose permitted under the CCPA/CPRA regulations.
13. Liability
The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
14. Term and Termination
This DPA takes effect on the earlier of (i) the date the Controller accepts it electronically or by countersignature, and (ii) the date the Controller first uses a paid feature of the Service. It remains in force for so long as the Processor Processes Personal Data on behalf of the Controller and continues to govern such Processing after termination of the Agreement until all Personal Data has been deleted in accordance with Section 9.
15. Order of Precedence
In the event of any conflict between (a) the SCCs or UK IDTA, (b) this DPA, and (c) the Agreement, the order of precedence is (a) > (b) > (c) for matters relating to the Processing of Personal Data.
16. Governing Law
This DPA is governed by the law of the Republic of Ireland, without regard to its conflict of laws principles. Disputes arising under this DPA are subject to the exclusive jurisdiction of the courts of the Republic of Ireland, save that nothing in this Section limits either Party's right to seek injunctive relief in any court of competent jurisdiction.
Annex I — Description of Processing
- Categories of data subjects
- (i) The Controller's authorised users (Workspace Owners, Admins, Members, Viewers); (ii) the Controller's employees, contractors, and authorised representatives whose names, signatures, or email addresses appear in financial statements or contract documents Processed via the Service; (iii) counterparties (e.g. vendor billing contacts) named in those documents.
- Categories of Personal Data
- Account data (email, name, password hash via the auth Sub-processor); financial transaction data extracted from bank and card statements (date, amount, currency, counterparty name and reference); contract metadata (party names, contract value, term, notice period); contract document text and extracted fields; outbound and inbound email content related to cancellations and contract ingestion; usage logs (IP address, user agent, request path, timestamp); billing reference data (Stripe customer ID and subscription ID — no card data is stored).
- Special categories (Art. 9 GDPR)
- None are intentionally Processed. The Controller is responsible for not uploading documents containing special categories unless necessary.
- Nature of the Processing
- Ingestion, parsing, classification, deduplication, aggregation, AI-assisted categorisation, storage, display, export, and (on paid tiers) outbound email composition and dispatch via the Controller's own SMTP credentials.
- Purpose of the Processing
- Provide the Service: detect recurring subscription charges, surface saving opportunities, alert on contract renewals, support subscription cancellation, and provide bank-feed monitoring.
- Retention period
- Raw statement files: minutes to seven (7) days. Parsed transactions, subscriptions, contracts, and audits: for the duration of the Agreement plus thirty (30) days after account deletion (primary database), plus the rolling backup retention period (thirty (30) days). Workspace soft-delete restore window: thirty (30) days.
- Frequency of transfer
- Continuous, on user request, for the duration of the Agreement.
- Means of transfer
- TLS 1.2 or higher over HTTPS for all data in transit.
Annex II — Technical and Organisational Measures
II.1 Encryption
- In transit: TLS 1.2 or higher for all client-server, server-Sub-processor, and inter-service communication. HSTS is enabled on customer-facing endpoints.
- At rest: managed AES-256 encryption provided by the database and storage Sub-processor (Supabase / AWS).
- Application-layer encryption: user-provided SMTP credentials are encrypted with AES-256-GCM authenticated encryption before being written to the database; the encryption key is held in the Processor's secrets store and is not stored in the database. Machine-to-machine credentials issued to the Controller (e.g. MCP tokens) are stored only as SHA-256 hashes; the cleartext is shown exactly once at issuance and is not recoverable thereafter.
II.2 Access control
- Authentication to the Service uses Supabase Auth with email-and-password or OAuth (Google, Microsoft) and bcrypt password hashing performed by the auth Sub-processor.
- Row-level security policies enforce per-user and per-workspace access at the database layer; the application layer reinforces these checks. Service-role database keys are restricted to backend functions executing on the Processor's compute platform.
- Production system access is restricted to the engineers operating the Service. Access is provisioned via single-sign-on with multi-factor authentication and reviewed quarterly.
- Logical separation of customer data is enforced through user_id and workspace_id foreign keys with database-level constraints; the Processor does not operate a single shared tenant.
II.3 Application security
- Input validation at all system boundaries using strongly typed schemas (Zod v4).
- Output sanitisation for HTML rendering (React) and for log output.
- Rate limiting on authentication, signup, machine-to-machine credentials, and AI-bearing endpoints.
- Authenticated webhook endpoints verify Stripe and Resend signatures.
- Dependencies are kept current via automated updates and a pull-request review process; SCA scanning is performed on each pull request.
II.4 Logging, monitoring, and incident response
- Application errors and security-relevant events are recorded in the error-monitoring Sub-processor (Sentry) with PII-redacting filters and a default trace sample rate of ten percent (10%).
- Database and storage access is logged by the database Sub-processor.
- A workspace-level activity log records member changes, invitations, ownership transfers, and workspace state changes; this log is exposed to the Controller's Owners and Admins at /settings/workspace/activity.
- An incident response process is documented; the Processor will notify Controllers of Personal Data Breaches within seventy-two (72) hours as set out in Section 8.
II.5 Resilience
- The application is hosted on a managed compute platform (Vercel) with automatic failover and multiple availability zones.
- Database backups are taken daily by the database Sub-processor with a thirty (30) day retention.
- Disaster recovery procedures are tested at least annually.
II.6 AI and automated processing
- AI calls send the minimum data necessary to perform the task (e.g. transaction descriptions for classification; extracted contract text for field extraction). Calls are routed through the AI gateway and the underlying providers (Anthropic, OpenAI) are configured to apply zero data retention and not to use submissions for model training, as confirmed by their published data-use policies and account configuration.
- Output schemas are validated and recommendations are non-binding; no automated decision-making with legal or similarly significant effects on a data subject is performed within the meaning of GDPR Article 22.
II.7 Vendor management
- Each Sub-processor is reviewed against the Processor's data-protection criteria before engagement and on material changes thereafter.
- Data Processing Agreements (or equivalent terms) are in place with each Sub-processor.
Annex III — Sub-processors
The current list of Sub-processors engaged by the Processor is maintained at spendrein.com/legal/subprocessors and forms part of this DPA by reference. The Processor will update that page and notify Workspace Owners as set out in Section 5.3.
How to execute this DPA
This DPA is incorporated by reference into the Agreement and takes effect automatically on the Controller's first paid use of the Service. No counter-signature is required for the DPA to be binding.
If your procurement process requires a counter-signed copy on file, email privacy@spendrein.com and we will return a counter-signed PDF within five (5) business days.