
Data Processing Agreement

Last updated: 1 March 2026

This Data Processing Agreement (“Agreement”) has been drawn up in accordance with Article 28 of the General Data Protection Regulation (GDPR) and governs the processing of personal data by the Processor on behalf of the Controller in the context of the StatementBridge service.

Processor: FIDURO B.V., Stephensonweg 6, 4207 HB Gorinchem, CoC 78200695

Controller: the User (any natural or legal person who uses StatementBridge)

Article 1 — Definitions

  1. Controller: the User of StatementBridge who determines the purposes and means of the processing of personal data.
  2. Processor: FIDURO B.V., which processes personal data on behalf of the Controller in the context of the StatementBridge service.
  3. Data Subject: the natural person to whom the personal data relate.
  4. Personal Data: any information relating to an identified or identifiable natural person, as referred to in Article 4(1) GDPR.
  5. Sub-processor: a third party engaged by the Processor to carry out (part of) the processing.
  6. GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679).

Article 2 — Subject matter and duration

  1. This Agreement relates to the processing of personal data that takes place in the context of the StatementBridge service, an online application for the conversion of bank statements and transaction files between various file formats.
  2. The duration of this Agreement is equal to the period during which the Controller holds an active account with StatementBridge.
  3. The processing of personal data takes place exclusively during active file conversions. Uploaded files are deleted immediately after processing.

Article 3 — Nature and purpose of the processing

  1. The processing concerns the conversion of bank statements and transaction files between the following formats: MT940, CAMT.053, CSV, Excel, OFX, CODA, DATEV and PDF.
  2. The purpose of the processing is to convert financial transaction data into a file format that is compatible with the accounting software of the Controller.
  3. Optionally, the Controller may use AI extraction of transactions from PDF files. This functionality uses external APIs (Anthropic or OpenAI) and is only activated at the express request of the Controller.

Article 4 — Types of personal data

The following categories of personal data are processed:

  • Account data — email address and display name
  • Financial transaction data — IBAN numbers, amounts, descriptions, transaction dates and counterparty names
  • Payment data — Stripe customer ID and subscription details
  • Technical data — anonymised IP address and user agent
  • API keys — stored encrypted (AES-128/Fernet)

Article 5 — Categories of Data Subjects

  1. The User (account holder) — the person who uses StatementBridge.
  2. Third parties whose data appear in bank statements — counterparties and beneficiaries of transactions included in the uploaded files.

Article 6 — Obligations of the Processor

The Processor commits to the following:

  1. To process personal data only on the basis of documented instructions from the Controller, unless required to do so by a legal obligation.
  2. To ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. To take all appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as referred to in Article 32 GDPR.
  4. To comply with the conditions for engaging sub-processors as described in Article 7 of this Agreement.
  5. To assist the Controller in fulfilling requests from Data Subjects to exercise their rights under the GDPR.
  6. To assist the Controller in carrying out a Data Protection Impact Assessment (DPIA) where necessary.
  7. At the choice of the Controller, to delete or return all personal data after the end of the processing services and to delete existing copies, unless storage is required by law.
  8. To make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and to allow for and contribute to audits.

Article 7 — Sub-processors

The Controller grants the Processor general written authorisation to engage the following sub-processors:

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | US | Standard Contractual Clauses (SCCs) |
| Render.com | Application and database hosting | EU (Frankfurt) | EU-based |
| Anthropic (optional) | AI PDF extraction | US | SCCs |
| OpenAI (optional) | AI PDF extraction | US | SCCs |

  1. The Processor shall inform the Controller in advance of any intended changes concerning the addition or replacement of sub-processors.
  2. The Controller has the right to object to changes in sub-processors. If the objection cannot be resolved, the Controller has the right to terminate the Agreement.
  3. The Processor ensures that the same data protection obligations as set out in this Agreement are imposed on each sub-processor.

Article 8 — Transfers outside the EEA

  1. Transfers of personal data to the United States take place on the basis of Standard Contractual Clauses (SCCs) in accordance with Article 46(2)(c) GDPR.
  2. Anthropic and OpenAI are only engaged at the express request of the User. Without use of the AI PDF extraction functionality, no transfer to these parties takes place.
  3. The Processor ensures that any transfer of personal data to a country outside the European Economic Area (EEA) complies with Chapter V of the GDPR.

Article 9 — Security measures (Art. 32 GDPR)

The Processor has implemented the following technical and organisational security measures:

  • HTTPS/TLS encryption — all communication between user and server is encrypted
  • Bcrypt password hashing — passwords are never stored in readable form
  • AES-128/Fernet encryption — API keys are stored encrypted
  • Immediate deletion — uploaded files are deleted immediately after processing
  • Secure session cookies — HttpOnly, Secure, SameSite=Strict
  • Rate limiting — protection against abuse and overload
  • Access controls — users only have access to their own data
  • Regular security updates — software and dependencies are updated regularly
  • Anonymised logging — log files do not contain identifiable personal data

Article 10 — Data breach notification

  1. The Processor shall notify the Controller of any data breach (personal data breach) without undue delay and no later than 72 hours after becoming aware of it.
  2. The notification shall contain at least the following information:
    • the nature of the data breach, including where possible the categories and approximate number of Data Subjects concerned;
    • the categories and approximate number of personal data records concerned;
    • the likely consequences of the data breach;
    • the measures taken or proposed to address the data breach and mitigate its adverse effects.
  3. The Processor shall fully cooperate with the Controller in investigating and handling the data breach.

Article 11 — Assistance with Data Subject rights

  1. The Processor shall assist the Controller in responding to requests from Data Subjects with regard to the following rights:
    • Right of access (Art. 15 GDPR)
    • Right to rectification (Art. 16 GDPR)
    • Right to erasure (Art. 17 GDPR)
    • Right to restriction of processing (Art. 18 GDPR)
    • Right to data portability (Art. 20 GDPR)
    • Right to object (Art. 21 GDPR)
  2. The User can delete their account and all associated data themselves via the application settings in StatementBridge.

Article 12 — Return and deletion

  1. Upon termination of the processing services, all personal data of the Controller shall be deleted.
  2. Account deletion via the application results in permanent deletion of all personal data.
  3. No uploaded files are retained after processing. Files are deleted from the server immediately after conversion.

Article 13 — Audit rights

  1. The Controller has the right to conduct or have conducted audits to verify compliance with this Agreement.
  2. The Processor shall cooperate with reasonable audit requests and make the necessary information available.
  3. As an alternative, the Processor may provide an independent audit report (such as SOC 2 or a comparable certification) to demonstrate compliance.

Article 14 — Governing law and disputes

  1. This Data Processing Agreement is governed by the laws of the Netherlands.
  2. Disputes arising from or in connection with this Agreement shall be submitted to the competent court in the district of Rotterdam.

Contact

FIDURO B.V.
Stephensonweg 6
4207 HB Gorinchem
The Netherlands
Email: info@fiduro.nl
Phone: +31 183 201077
CoC: 78200695
VAT: NL861300221B01
