Data Processing Agreement
Plain English first. If you convert your clients' bank statements, GDPR makes you the controller and us the processor. Article 28 requires a written agreement between us. This is that agreement. It costs nothing and applies on every plan, including the free one.
Two things worth knowing before you read further, because they are the questions that actually matter:
- We never store statements. Pages are held in memory for the seconds it takes to extract the rows, then discarded. There is no copy to breach, subpoena or delete.
- Extraction happens in the United States. We are an EU business and your account data lives in Frankfurt, but the AI extraction step runs on Anthropic's API and Netlify's infrastructure, both US-based. That transfer relies on Standard Contractual Clauses. We would rather say so plainly than let "Made in the EU" imply something it does not.
1. Parties and scope
This Data Processing Agreement ("DPA") is entered into between you (the "Controller") and Ivan Mlynek, trading as Statement Mill, Slovakia ("Processor", "we", "us"). It forms part of and is subject to our Terms of Service.
This DPA applies where you use Statement Mill to process personal data for which you are the controller — typically bank statements belonging to your clients or your business. It takes effect when you start using the service and remains in force for as long as you do.
If you require a countersigned copy on your own paper, email hello@statementmill.com and we will sign and return it. There is no charge and no plan requirement.
2. Subject matter and duration
Subject matter: extraction of transaction data from bank statement documents you submit, and delivery of that data back to you in your chosen format.
Duration: for each document, the duration of processing is the length of a single conversion — typically under a minute. We retain no statement content after that. This DPA itself remains in force for the duration of your use of the service.
3. Nature and purpose of processing
We process the documents you upload solely to perform the conversion you have requested: reading the page, extracting transactions, verifying them against the statement's own balances, and returning structured data to you. We do not use your documents for any other purpose. We do not use them to train models, and our AI sub-processor is contractually barred from doing so.
4. Types of personal data
You determine what you upload. In practice a bank statement typically contains:
- Account holder name and, sometimes, address
- Account number, IBAN, sort code or equivalent
- Transaction dates, descriptions, counterparty names, payment references
- Amounts and balances
Statements may incidentally reveal information from which special categories of data could be inferred (for example, payments to a medical provider, a trade union or a political party). We do not analyse for, or act on, such inferences. You remain responsible for deciding whether uploading a given document is appropriate.
5. Categories of data subjects
Your clients, your employees, your counterparties, or any individual appearing on a statement you submit.
6. Our obligations as processor
We will:
- Process only on your documented instructions. Your use of the service is the instruction. We will not process for our own purposes.
- Tell you if an instruction appears unlawful. If we believe an instruction infringes GDPR or other EU or member-state law, we will inform you.
- Keep it confidential. Everyone authorised to process the data is bound by confidentiality.
- Secure it per Article 32 — see section 8.
- Not engage sub-processors other than those listed in section 9 without informing you first, per section 10.
- Help you respond to data subjects. See section 11.
- Help you with Articles 32–36 — security, breach notification, impact assessments — taking into account the nature of processing and the information available to us.
- Delete or return the data. Already the default: statement content is discarded automatically after conversion. See section 12.
- Make available the information needed to demonstrate compliance and allow for audits. See section 13.
7. Your obligations as controller
You warrant that you have a lawful basis for the processing you instruct, that you have provided any required notice to data subjects, and that you are entitled to disclose the documents you upload to us.
8. Security measures (Article 32)
The measures we actually operate, stated concretely rather than in the abstract:
- No storage of statement content. Files are processed in memory and discarded. We operate no database, disk, bucket or backup containing statement content. This is the single most consequential measure here: most breach scenarios require stored data, and there is none.
- Encryption in transit. TLS on every connection, including to sub-processors.
- Access control. Account data is protected by row-level security so that each user can read only their own records. Administrative credentials are held server-side only.
- No raw IP storage. Where we count anonymous usage, we store a salted SHA-256 hash, never the address itself.
- Data minimisation. We store your email address, your plan, and a count of pages processed. Nothing about the contents of your statements.
- Segregation. Statement content never reaches our database; it exists only in the memory of a single function invocation.
We do not currently hold ISO 27001 or SOC 2 certification, and we will not imply otherwise.
9. Authorised sub-processors
You give general authorisation for the following sub-processors as at the version date above:
| Sub-processor | Purpose | Statement content? | Location & transfer basis |
|---|---|---|---|
| Anthropic PBC | AI extraction of statement text | Yes — in transit, not retained by us | United States — Standard Contractual Clauses |
| Netlify, Inc. | Hosting and serverless execution | Yes — in transit, not retained | United States — Standard Contractual Clauses |
| Supabase, Inc. | Accounts, plan, page counters | No | EU — Frankfurt (eu-central-1) |
| Resend (Plazma Labs, Inc.) | Sign-in emails | No | EU — Ireland (eu-west-1) |
| Google Ireland Ltd / Google LLC | Optional Google sign-in | No | United States — Standard Contractual Clauses |
| Paddle.com Market Ltd | Payments (merchant of record; independent controller for payment data) | No | United Kingdom — adequacy decision |
10. Changes to sub-processors
We will give you at least 30 days' notice by email before adding or replacing a sub-processor that handles statement content. If you object on reasonable data-protection grounds within that period, you may terminate your subscription and we will refund the unused portion of your current billing period.
11. Data subject requests
Because we retain no statement content, there is normally nothing for us to access, rectify, export or erase in response to a data subject request — the answer is simply that no copy exists. Where a request does concern data we hold (your account email, plan, page counts), we will assist you promptly and at no charge. Forward requests to hello@statementmill.com.
12. Deletion and return
Statement content is discarded automatically at the end of each conversion; no action is needed from either party. Account data is deleted within 30 days of your written request or of account closure, except where we must retain records to meet a legal obligation — for example, invoices retained for tax purposes.
13. Audit
We will make available all information reasonably necessary to demonstrate compliance with this DPA and Article 28, and will respond to reasonable written questions from you or your auditor. Given the nature of the service — a single-operator business that stores no statement content — we ask that on-site audits be reserved for cases where documentary answers are genuinely insufficient, and be agreed in advance.
14. Personal data breach
We will notify you without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting data processed on your behalf, with the information available to us at the time.
15. International transfers
As set out in section 9, extraction involves transfer of statement content to the United States. These transfers rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), incorporated into our agreements with the relevant sub-processors. We can provide details of these safeguards on request.
We note plainly that Standard Contractual Clauses authorise transfers; they do not prevent US authorities from asserting access rights under statutes such as FISA 702 or the CLOUD Act. If your risk assessment requires that client statements never leave the EU, Statement Mill in its current architecture is not the right tool for you, and we would rather say so than take your money.
16. Liability and governing law
Liability under this DPA is subject to the limitations in our Terms of Service. This DPA is governed by the laws of the Slovak Republic, and the courts of the Slovak Republic have jurisdiction, without prejudice to any mandatory rights you have under GDPR or your local consumer law.
17. Acceptance
Using Statement Mill to process personal data on behalf of others constitutes acceptance of this DPA. If your organisation requires a signed copy — many accounting practices do, for their own audit file — email hello@statementmill.com, and we will return a countersigned PDF. Free, on any plan.
Questions about this agreement: hello@statementmill.com