Last updated: 27 April 2026

Data Processing Agreement (DPA)

If your organisation processes personal data via pdftoxlsx.com, GDPR Article 28 requires a written agreement between you (controller) and us (processor). This page contains our template, ready to print, complete and return signed.


The print preview is the document — use Cmd/Ctrl + P and pick "Save as PDF". Send it signed to hello@pdftoxlsx.com and we will counter-sign within 2 business days.

Data Processing Agreement

Pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR").

1. Parties

This Agreement is entered into between the customer using pdftoxlsx.com (the "Controller") and Technology Pro Bono S.L., CIF B88502364, registered in Spain (the "Processor").

2. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to provide the bank statement PDF-to-Excel conversion service available at pdftoxlsx.com. The Agreement is in force for as long as the Controller maintains an active account with the Processor.

3. Nature, purpose and categories of data

Nature of processing: automated extraction of structured transaction data from PDF files uploaded by the Controller and delivery of the extracted data as an Excel file via secure download URL.

Categories of data subjects: the Controller's account holders and their counterparties as they appear in the uploaded PDFs.

Categories of personal data: account holder name, account number (last 4 digits), transaction descriptions, dates, amounts, balances, currencies, statement period.

4. Obligations of the Processor

The Processor shall:

  • process personal data only on documented instructions from the Controller, including transfers outside the EEA, unless required to do so by EU or Member State law;
  • ensure that persons authorised to process personal data are bound by confidentiality obligations;
  • implement appropriate technical and organisational measures (TLS in transit, encryption at rest, access controls, audit logs);
  • not engage another processor (sub-processor) without prior general authorisation by the Controller (see Annex I);
  • assist the Controller in fulfilling its obligations regarding data subject rights and security incidents;
  • notify the Controller without undue delay (and in any event within 72 hours) of any personal data breach affecting Controller data;
  • at the Controller's choice, delete or return all personal data after the end of provision of services and delete existing copies, unless EU or Member State law requires storage;
  • make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow audits, including inspections, on reasonable notice.

5. International transfers

All Controller data is processed within the European Economic Area. Sub-processors based outside the EEA (where any) operate under Standard Contractual Clauses (Decision (EU) 2021/914) plus any supplementary measures required by the European Data Protection Board.

6. Liability

Each party is liable for damages caused by processing that infringes the GDPR to the extent provided in Article 82 of the GDPR. Liability between the parties for breach of this Agreement is limited as set out in the Terms of Service of pdftoxlsx.com.

7. Governing law

This Agreement is governed by the laws of Spain. Disputes shall be submitted to the exclusive jurisdiction of the courts of Spain, without prejudice to the consumer rights of the Controller where applicable.

Annex I — Authorised sub-processors

  • Supabase (EU region) — authentication, transactional database, object storage
  • Vercel — application hosting and edge functions
  • Stripe — payment processing (independent controller for billing data)
  • Resend — transactional email delivery
  • Anthropic — AI extraction (text excerpts of uploaded PDFs only; no retention)

The Processor maintains an up-to-date list at pdftoxlsx.com/privacy. Material changes are communicated to the Controller at least 30 days in advance, with an opportunity to object.

Annex II — Technical and organisational measures

  • HTTPS-only; strict CSP, HSTS preload, X-Frame-Options DENY, X-Content-Type-Options nosniff
  • Encryption at rest for all databases and object storage
  • Role-based access control on infrastructure; least privilege; MFA on admin accounts
  • Automated audit logging of every conversion request (no transaction content stored)
  • Uploaded PDFs are deleted within 1 hour of processing; generated Excel files within 24 hours
  • Per-IP and per-tenant rate limiting on hot endpoints
  • Stripe webhook idempotency to prevent duplicate side-effects

Signatures

Controller (Customer)

Company name: ____________________

Tax ID / VAT: ____________________

Signatory: ____________________

Title: ____________________

Date: ____________________

Signature:

Processor (pdftoxlsx.com)

Company name: Technology Pro Bono S.L.

CIF: B88502364

Signatory: ____________________

Title: Sole Director

Date: ____________________

Signature:

This template covers the bulk of typical EU SaaS B2B operations. If your sector has specific requirements (healthcare, regulated finance, public sector) please review it with your legal counsel before signing.