Data Processing Agreement

Last updated: April 2026

DPA Sections 1-5: Core Requirements

Section 1: Subject and Duration of Processing

Reconcify is a SaaS platform purpose-built for digital processing of accounting documents (invoices and bank statements). The system performs OCR, structured data extraction, bank transaction matching, and spreadsheet output. Processing duration is tied to the service agreement between the Processor and the Controller. All processing is on-demand, initiated by authenticated users.

Section 2: Purpose of Processing

The sole purpose is to support the client in performing financial bookkeeping for their mandates. The system extracts invoice data, matches it against bank transactions, and produces structured output for the tax advisor's workflow. No data is used for any other purpose, including marketing, analytics, or model training.

Section 3: Categories of Personal Data

The system processes: names and addresses (from invoices), billing and invoice data (amounts, dates, invoice numbers), bank and payment data (IBAN, transaction amounts, counterparty names), and tax-relevant business data (VAT rates, tax IDs). Payroll data is not processed by Reconcify.

Section 4: Categories of Data Subjects

Data subjects include: clients of the accounting firm, customers and suppliers of those clients (whose names appear on invoices and bank statements), and employees of the accounting firm who use the platform. The system does not process data about the general public.

Section 5: Right of Instruction

All data processing is initiated by explicit user action: the user uploads documents and submits a processing job via the web interface. The system performs no background data collection, no scheduled processing, and no autonomous analysis. Every processing run is traceable to a specific user, timestamp, and job ID. The system operates exclusively within documented instructions.

DPA Sections 6-9: Security, Support & Deletion

Section 6: Confidentiality

  • All sensitive data encrypted at rest (AES-256-GCM) with per-organization encryption keys
  • All data in transit encrypted via TLS
  • Role-based access control (admin/operator) enforced at the API layer
  • Optional Multi-Factor Authentication (TOTP) available for all users
  • All team members bound by confidentiality obligations

Section 7: GDPR Support Obligations

  • Data portability (Art. 20): Users can export their personal data as structured JSON
  • Consent tracking (Art. 7): Consent recorded with timestamps and version during onboarding
  • Breach notification (Art. 33/34): Procedure documented in this agreement

Section 9: Data Deletion and Return

  • Users can delete their own account and all associated data
  • Admins can delete an entire organization and all associated data (requires re-authentication)
  • Uploaded files automatically purged after 90 days; audit logs after 12 months
  • Upon termination of the service agreement, all data is deleted or returned per the Controller's instructions

Technical and Organizational Measures (TOM 1-9)

Section TOM 1: Access Control

  • Role-based access control (RBAC) with admin and operator roles
  • Per-organization data isolation enforced at the database row level
  • Optional MFA (TOTP) for all user accounts

Section TOM 2: Encryption

  • All data encrypted at rest using AES-256-GCM with per-organization keys
  • All data in transit encrypted via TLS 1.2+
  • Encryption keys stored separately from encrypted data

Section TOM 3: Availability and Resilience

  • Hosted on Railway with automatic restarts and health checks
  • Supabase provides managed PostgreSQL with automated backups
  • Infrastructure monitored continuously; incidents trigger automated alerts

Section TOM 4: Data Minimisation

  • Only data necessary for bookkeeping purposes is collected and stored
  • Uploaded files purged after 90 days; audit logs after 12 months
  • No data retained beyond service agreement termination

Section TOM 5: Integrity Controls

  • All API mutations require authenticated session tokens
  • Database constraints and application-level validation prevent corrupt writes
  • Audit log captures every data-modifying action with user and timestamp

Section TOM 6: Logging and Audit

  • Comprehensive audit log stored in append-only table in Supabase
  • Log entries include actor, action, resource, timestamp, and IP address
  • Audit logs retained for 12 months and accessible to organization admins

Section TOM 7: Incident Response

  • Breach notification procedure documented in this agreement
  • Controller notified within 72 hours of confirmed breach (Art. 33 GDPR)
  • Incident post-mortems documented and retained

Section TOM 8: Sub-Processor Management

  • All sub-processors listed in the Sub-Processors section of this agreement with data received and transfer mechanism
  • Controller notified of sub-processor changes with 30-day objection window
  • DPAs or Standard Contractual Clauses in place with all sub-processors

Section TOM 9: Physical Security

  • No on-premise infrastructure; all processing in ISO 27001-certified cloud data centers
  • Supabase Frankfurt (EU) data center provides physical access controls and CCTV
  • Development devices protected by full-disk encryption and screen lock policies

Sub-Processors

| Sub-Processor | Data Received | Region | Status |
|---|---|---|---|
| Mistral AI | Invoice documents, OCR text | EU (France) | Via ToS |
| Supabase | All persisted data | EU (Frankfurt, DE) | Signed |
| Railway | Application runtime | US / EU | Via ToS |
| Resend | Emails | US (SCCs) | Via ToS |
| Google (optional) | Invoice files, results | Google Cloud | If enabled |

Conclusion

The Reconcify platform meets all requirements for a Data Processing Agreement under Art. 28 GDPR. All data is encrypted at rest and in transit. EU data residency is achieved: AI processing in France, database in Germany. Data processing agreements are in place with all sub-processors. The breach notification procedure is documented. The signed Supabase DPA (ref: CC2YH-Q7UCC-8HEPW-TFHYL) is provided as a separate attachment.