Data Processing Agreement

Effective date: March 1, 2026 · Last updated: March 1, 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between FinanceConvert ("Processor") and the customer entity that has agreed to the FinanceConvert Terms of Service ("Controller"). This DPA supplements the Terms of Service and governs the processing of personal data in connection with FinanceConvert's financial file conversion service.

2. Nature of Processing

FinanceConvert processes financial files (PDF, OFX, QFX, QBO, QIF, IIF, CSV) submitted by the Controller for the sole purpose of converting them to the requested output format. Processing is performed entirely in volatile server RAM. No input or output file is written to disk, stored in a database, or retained after the download is complete.

The types of personal data that may be contained within submitted financial files include: individual names, account numbers, transaction descriptions, amounts, and dates. FinanceConvert does not access, analyze, or retain this data beyond the duration of the conversion operation (typically under 30 seconds).

3. Controller Obligations

The Controller represents and warrants that:

  • It has the legal right to submit the data to FinanceConvert for processing.
  • It has provided all required notices and obtained all required consents from data subjects.
  • It will not submit special categories of sensitive personal data unless strictly necessary for the conversion task.

4. Processor Obligations

FinanceConvert agrees to:

  • Process personal data only on documented instructions from the Controller (i.e., the conversion request).
  • Ensure that persons authorized to process the data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including RAM-only processing and immediate data deletion upon download.
  • Not engage any sub-processor without prior written authorization from the Controller, except as set out in this DPA.
  • Assist the Controller in meeting its data subject rights obligations (access, erasure, portability) to the extent technically feasible given that FinanceConvert retains no personal data after delivery.
  • Delete all personal data contained in processed files upon completion of each conversion job (no later than 30 minutes after upload if no download occurs).

5. Sub-processors

FinanceConvert may use the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI (optional) | AI-assisted PDF text extraction (GPT-4.1-mini) | USA |
| Stripe | Payment processing and billing | USA |
| Resend | Transactional email delivery | USA |

OpenAI is only engaged when the file is a PDF and the OPENAI_API_KEY environment variable is configured. PDF text extraction falls back to a deterministic heuristic parser when OpenAI is not configured. Financial data sent to OpenAI is transmitted via encrypted HTTPS and is not used to train models under the API terms of service.

6. Security Measures

FinanceConvert implements the following technical and organizational measures:

  • RAM-only processing — no file is written to disk at any point during conversion.
  • Automatic deletion — converted files are removed from memory immediately upon download, or within 30 minutes if not downloaded.
  • Encrypted transport — all data in transit is protected by TLS 1.2 or higher.
  • Access control — file buffers are isolated per request and inaccessible to other users.

7. Data Breach Notification

In the event of a personal data breach affecting data under this DPA, FinanceConvert will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, to the extent such notification is possible.

8. International Transfers

FinanceConvert is based in the United States. If the Controller is subject to GDPR and submits data from the European Economic Area, the Controller acknowledges that processing occurs in the USA. FinanceConvert relies on Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework as appropriate to legitimize such transfers.

9. Contact

For DPA inquiries, data subject rights requests, or to request a signed copy of this agreement, contact us at our contact page or email legal@financeconvert.com.