Note: This Data Processing Agreement (DPA) governs the processing of personal data by Faturium — AI-native expense reconciliation + receipt OCR + bank import + accountant Google Drive sync on behalf of customers using Faturium — AI-native expense reconciliation + receipt OCR + bank import + accountant Google Drive sync. Reach out at info@faturium.com to request a signed copy.

Data Processing Agreement

Last updated: 2026-06-09

1. Parties

Controller: the customer entity using Faturium — AI-native expense reconciliation + receipt OCR + bank import + accountant Google Drive sync.
Processor: Faturium — AI-native expense reconciliation + receipt OCR + bank import + accountant Google Drive sync.

2. Subject matter & duration

The Processor processes personal data only to provide the Service described in the Terms of Service. Processing duration matches the Service subscription term plus any post-termination retention required by law.

3. Nature & purpose of processing

Storage, indexing, retrieval and computational processing of the documents and personal data the Controller submits, strictly to deliver the Service.

4. Categories of data & data subjects

  • Authentication identifiers (email, name) of end users.
  • Document content uploaded by the Controller.
  • Operational metadata (timestamps, IPs) of users.

5. Processor obligations

  • Process only on documented Controller instructions.
  • Ensure persons authorised to process data are under appropriate confidentiality obligations.
  • Implement technical and organisational measures appropriate to the risk (Art. 32 GDPR).
  • Engage sub-processors only with prior general authorisation (current list in section 7 of the Privacy Policy); notify the Controller of intended changes.
  • Assist the Controller with data subject rights and impact assessments where reasonably required.
  • Notify the Controller without undue delay of any personal data breach.
  • Return or delete all personal data at the end of the Service relationship, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR.

6. International transfers

All processing happens within the European Union. No transfer of personal data outside the EEA occurs without the Controller's prior written consent and an appropriate transfer mechanism (Standard Contractual Clauses, adequacy decision, ...).

7. Audit rights

On reasonable notice (≥30 days) the Controller may request an audit of compliance with this DPA, at its own cost, no more than once per twelve-month period (except in case of a material breach).

8. Liability

Liability under this DPA is subject to the cap and exclusions set in the Terms of Service.

9. Contact

For DPA enquiries or to request a signed copy: info@faturium.com.