Data Processing Addendum

Effective: April 2026 · Version 1.0

How this DPA takes effect

This Data Processing Addendum (the "DPA") forms part of the agreement between Matrizexplícita Lda ("pdftoexcel", "Processor") and the customer using pdftoexcel's services (the "Customer", "Controller") under the Terms of Service (the "Agreement"). It governs the processing of Personal Data on behalf of the Customer in connection with pdftoexcel's services. By using the services to upload or process documents that contain Personal Data of natural persons, the Customer is deemed to have entered into this DPA on the date the Agreement was first accepted. A counter-signed PDF is available on request to hello@bankpdftoxls.com. If there is a conflict between this DPA and the Agreement, this DPA prevails for matters of personal-data processing.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Applicable Data Protection Law" means the GDPR, the UK GDPR and Data Protection Act 2018 where relevant, the Portuguese Lei n.º 58/2019, and any other applicable data-protection law. "Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. "Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021. "Customer Data" means Personal Data that the Processor processes on behalf of the Controller in connection with the services.

2. Roles and scope of processing

For Customer Data uploaded by the Customer to the services, the Customer is the Controller and pdftoexcel is the Processor. Where the Customer is itself a Processor for its own end client (for example, a bookkeeper processing data on behalf of a small business; an attorney processing data on behalf of a litigant), pdftoexcel acts as a Sub-processor and the Customer warrants that it has the authority of its end-client controller to engage pdftoexcel on the terms of this DPA.

The subject matter, duration, nature, purpose, types of Personal Data and categories of Data Subjects are described in Annex I below.

3. Customer's documented instructions

pdftoexcel will process Customer Data only on the Customer's documented instructions. The Agreement, the Terms of Service, the Privacy Policy, this DPA, and the Customer's use of the configurable features of the services together constitute the Customer's complete and final documented instructions. pdftoexcel will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Confidentiality

pdftoexcel ensures that personnel authorized to process Customer Data are bound by a written duty of confidentiality and have received appropriate training on personal-data handling. Access to Customer Data is restricted on the principle of least privilege and to staff with a documented operational need.

5. Security of processing

pdftoexcel will implement and maintain the technical and organizational measures described in Annex II to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.

6. Sub-processors

The Customer authorizes pdftoexcel to engage the Sub-processors listed at /legal/subprocessors (the current Sub-processor list, as updated from time to time, is incorporated by reference as Annex III). pdftoexcel will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable for the acts and omissions of its Sub-processors as if they were its own.

pdftoexcel will give the Customer at least 30 days' prior notice of any intended addition or replacement of Sub-processors by updating the published list and, where the Customer has subscribed to change notices, by email. The Customer may object to a new Sub-processor on reasonable data-protection grounds within that notice period; if the parties cannot agree on a resolution, the Customer's exclusive remedy is to terminate the Agreement and cease use of the affected services.

7. Assistance with data-subject rights

pdftoexcel will, taking into account the nature of the processing, provide reasonable assistance to the Customer through appropriate technical and organizational measures (including self-service features in the dashboard) to fulfil the Customer's obligations to respond to requests by Data Subjects under Articles 15–22 GDPR. If pdftoexcel receives a Data Subject request directly, it will promptly forward it to the Customer and not respond to the Data Subject except as required by law.

8. Personal Data Breach notification

pdftoexcel will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. pdftoexcel will provide reasonable cooperation to the Customer in respect of any related notifications to supervisory authorities or affected Data Subjects.

9. Data Protection Impact Assessments

Taking into account the nature of the processing and the information available to pdftoexcel, pdftoexcel will provide reasonable assistance to the Customer with any Data Protection Impact Assessment under Article 35 GDPR and any prior consultation with a supervisory authority under Article 36 GDPR relating to the services.

10. Deletion or return of Customer Data

On termination or expiry of the Agreement, or on earlier written request, pdftoexcel will delete (or, at the Customer's option, return) all Customer Data and existing copies, except to the extent that storage is required by Applicable Data Protection Law or other applicable law (for example, billing records retained for tax-law compliance, which are limited to invoice line items and never include source PDFs or transaction-row content). Default retention periods are set out in the Privacy Policy and on the Security page.

11. Audits and information

pdftoexcel will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. On the Customer's reasonable written request and no more than once per twelve-month period (except where required by a supervisory authority or following a Personal Data Breach), pdftoexcel will either (i) respond to a written security questionnaire or (ii) permit the Customer (or an independent auditor mandated by the Customer that is not a competitor of pdftoexcel) to conduct an audit of pdftoexcel's compliance with this DPA, subject to reasonable confidentiality obligations and at the Customer's cost. To the extent available, pdftoexcel may discharge its audit obligations by providing third-party audit reports (including SOC 2 reports of its Sub-processors and, when available, of pdftoexcel itself).

12. International transfers

Where pdftoexcel transfers Customer Data from the European Economic Area, the United Kingdom, or Switzerland to a third country that is not the subject of an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Commission Decision 2021/914), which are incorporated by reference into this DPA as follows:

  • Module 2 (controller-to-processor) applies where the Customer is the controller of the relevant Personal Data.
  • Module 3 (processor-to-processor) applies where the Customer is itself a processor acting on behalf of its end-client controller.
  • In Clause 7 (docking clause), the option is not applied.
  • In Clause 9 (use of sub-processors), Option 2 (general written authorisation) applies, with a 30-day prior-notice period.
  • In Clause 11 (redress), the optional independent dispute-resolution body language is not applied.
  • In Clause 17, the governing law is the law of Portugal.
  • In Clause 18, the courts of Lisbon, Portugal have jurisdiction.
  • Annex I.A (parties), Annex I.B (description of transfer), and Annex I.C (competent supervisory authority — CNPD) are populated by Annex I below. Annex II (TOMs) is populated by Annex II below. Annex III (sub-processors) is populated by the published Sub-processor list at /legal/subprocessors.

For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (issued by the ICO under section 119A of the Data Protection Act 2018). For transfers from Switzerland, the SCCs apply with the adjustments set out by the Swiss Federal Data Protection and Information Commissioner. Where a Sub-processor is certified under the EU–US Data Privacy Framework, that certification may also be relied upon as a transfer mechanism for that Sub-processor.

13. Term and survival

This DPA takes effect on the effective date of the Agreement and remains in force for as long as pdftoexcel processes Customer Data, with obligations relating to confidentiality, audit, and return or deletion of Customer Data surviving termination.

14. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except that nothing in this DPA limits liability for breach of the SCCs or for liability that cannot be excluded under Applicable Data Protection Law.

15. Governing law

This DPA is governed by the law of Portugal, without prejudice to the governing-law provisions of the SCCs where they apply by virtue of clause 12.


Annex I — Description of processing

A. Parties

Data Exporter (Controller / Customer): the entity or individual identified as the customer in the Agreement. Contact details as provided at sign-up.

Data Importer (Processor / pdftoexcel): Matrizexplícita Lda, a limited liability company registered in Portugal. Contact: hello@bankpdftoxls.com. Activities relevant to the data transferred under the SCCs: hosting, processing, and converting bank statement PDFs into structured spreadsheet formats on behalf of the Controller.

B. Description of transfer

  • Categories of Data Subjects: the bank-account holders whose statements the Customer uploads (typically the Customer's clients, or other third parties whose statements the Customer is authorized to process); the Customer's authorized users.
  • Categories of Personal Data: name, account identifiers, transaction history (date, description, amount, running balance) printed on the uploaded statement; the Customer's authorized-user account email and authentication metadata.
  • Sensitive data: none required by the service. Bank-statement transaction data is financial data and is not a special category under Article 9 GDPR. The Customer is responsible for not uploading documents that include unrelated special-category data.
  • Frequency of transfer: on a continuous basis, triggered by Customer uploads.
  • Nature of processing: hosting, parsing, arithmetic reconciliation, structured-data extraction, file format conversion, transactional email, billing, product analytics (where consented), and error monitoring.
  • Purpose of processing: providing the pdftoexcel service to the Customer in accordance with the Agreement.
  • Period of retention: as described on the Security page and in the Privacy Policy.

C. Competent supervisory authority

The competent supervisory authority for pdftoexcel as data importer is the Comissão Nacional de Proteção de Dados (CNPD), Portugal — cnpd.pt.

Annex II — Technical and organizational measures

pdftoexcel implements the following technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk under Article 32 GDPR. The current list is also reflected on the Security page.

  • Encryption in transit. TLS 1.2 or higher for all customer-facing endpoints, internal service-to-service traffic, and outbound calls to Sub-processors and LLM providers.
  • Encryption at rest. AES-256 for database storage, object storage, and backups, via the managed encryption layers provided by the underlying cloud Sub-processors.
  • Access control. Postgres Row-Level Security isolating each Customer's rows by user ID; private object storage with short-lived signed URLs (TTL ≤ 5 minutes); least-privilege production access; SSO with hardware-backed MFA on every administrative console.
  • Pseudonymization and minimization. Application logs and error reports do not include PDF content, transaction descriptions, account numbers, or routing numbers — only document identifiers and processing metadata.
  • Resilience. Managed redundant infrastructure via Sub-processors with documented availability SLAs; daily encrypted backups of the production database; documented recovery procedures.
  • Storage and retention controls. Source PDFs deleted on successful conversion; extracted rows retained per the published retention schedule; on-demand deletion from the dashboard or by email.
  • Vulnerability management. Continuous automated dependency scanning, monitored security advisories, published vulnerability-disclosure address (security@bankpdftoxls.com), and a documented remediation policy.
  • Personnel. Written confidentiality obligations; documented information-security policy; periodic training; revocation of access on role change or departure.
  • Incident response. Documented incident-response procedure with a 72-hour controller-notification target consistent with Article 33 GDPR.
  • Sub-processor governance. Written processor terms with each Sub-processor; preference for Sub-processors with SOC 2 Type II or equivalent independent attestation; published sub-processor list with 30-day change notice.

Annex III — Sub-processors

The current list of authorized Sub-processors, including the processing they perform, the categories of Personal Data they access, the country where processing occurs, and the transfer mechanism relied upon, is published at /legal/subprocessors and is incorporated by reference into this DPA.

Contact

DPA questions, counter-signature requests, or vendor questionnaires — email hello@bankpdftoxls.com. Postal: Matrizexplícita Lda, Portugal.