
Last updated: March 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between N MARKETING SAS, trading as ParseField, a French société par actions simplifiée registered at 10 rue de Penthièvre, 75008 Paris, France (SIRET: 890 496 565 00015) ("Processor") and the customer ("Controller") who uses the ParseField Service. This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (the "GDPR") and applicable French data protection legislation.

1. Definitions

  • Controller: The customer (you) who determines the purposes and means of processing Personal Data by uploading documents to the Service.
  • Processor: N MARKETING SAS, trading as ParseField, acting on the Controller's documented instructions.
  • Personal Data: Any information relating to an identified or identifiable natural person (as defined in GDPR Article 4(1)) contained in documents submitted to the Service.
  • Processing: Any operation or set of operations performed on Personal Data, including collection, recording, structuring, storage, extraction, consultation, use, disclosure by transmission, erasure, or destruction (as defined in GDPR Article 4(2)).
  • Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed (as defined in GDPR Article 4(12)).
  • Supervisory Authority: The Commission Nationale de l'Informatique et des Libertés (CNIL) is the lead supervisory authority for the Processor.

2. Scope and Purpose of Processing

The Processor processes Personal Data in connection with providing the ParseField Service. The nature and purpose of processing includes:

  • Nature of processing: Automated extraction, structuring, and output generation from uploaded PDF financial documents using large language model (LLM) technologies; and recording of user activity within the organization (audit trail) for compliance and accountability purposes.
  • Purpose of processing: To convert unstructured PDF documents into structured data formats (Excel, CSV, JSON) as requested by the Controller; and to provide the Controller with an audit trail of actions taken by its users within the Service.
  • Types of Personal Data: (a) Names, addresses, account numbers, financial transaction details, dates, amounts, and any other personal data contained in the documents uploaded by the Controller; and (b) user identifiers, action types, resource identifiers, and timestamps recorded in the audit trail (activity log) for users of the Controller's account.
  • Categories of data subjects: (a) Individuals whose personal data appears in the documents uploaded by the Controller (e.g., bank account holders, invoice recipients, cardholders); and (b) users (employees or agents) of the Controller who access the Service.

Processing is limited to the scope defined in our Privacy Policy and Terms of Service.

3. Processor's Obligations

In accordance with GDPR Article 28, the Processor shall:

  • Process Personal Data only on documented instructions from the Controller (as defined by the Service's purpose and the Controller's use of Service features), unless required to do so by Union or Member State law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational security measures as described in Section 7
  • Not engage another processor (sub-processor) without prior general written authorization from the Controller (see Section 6)
  • Assist the Controller, by appropriate technical and organizational measures and insofar as this is possible, in fulfilling the Controller's obligation to respond to data subject requests under GDPR Chapter III
  • Assist the Controller in ensuring compliance with obligations under GDPR Articles 32 to 36 (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor
  • At the choice of the Controller, delete or return all Personal Data to the Controller upon termination of the Service, and delete existing copies unless Union or Member State law requires storage of the Personal Data
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
  • Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions
  • Not process Personal Data for any purpose other than providing the Service, and specifically shall not use uploaded documents or extracted data for training machine learning models

4. Controller's Obligations

The Controller agrees to:

  • Ensure there is a lawful basis (under GDPR Article 6, and where applicable, Article 9) for processing the Personal Data uploaded to the Service
  • Only upload documents the Controller has the legal right to process
  • Not upload Special Categories of data (as defined in GDPR Article 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation) unless strictly necessary and with a valid legal basis
  • Inform data subjects about the use of ParseField as a data processor where required by GDPR Articles 13 and 14
  • Ensure that instructions given to the Processor regarding the processing of Personal Data comply with all applicable data protection legislation
  • Maintain a record of processing activities under GDPR Article 30 that includes the processing performed by the Processor

5. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject rights requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection, automated decision-making) by appropriate technical and organizational measures, insofar as this is possible and taking into account the nature of the processing.

If the Processor receives a request directly from a data subject, the Processor shall promptly redirect the data subject to the Controller and notify the Controller of the request, unless otherwise required by applicable law.

To initiate a data subject rights request related to data processed through ParseField, contact privacy@parsefield.com.

6. Sub-processors

The Controller provides general written authorization for the Processor to engage the following sub-processors to deliver the Service:

Sub-processor | Purpose | Location
Supabase (hosted on AWS) | Database, authentication, and file storage. All uploaded documents and account data are stored in this region. | USA (AWS us-east-1, North Virginia)
Stripe | Payment processing | USA
Google LLC (Google Analytics 4) | Website analytics and conversion tracking. Usage data (page views, feature interactions, conversion events) is transmitted to Google. Where consented (EU/EEA/UK visitors) or under legitimate interests (other visitors), SHA-256 hashed email addresses may be transmitted for Enhanced Conversions attribution. Conversion events are also sent server-side via the GA4 Measurement Protocol from our payment processing infrastructure. | USA
Google LLC (Vertex AI) | Document processing and data extraction via large language models (LLM, primary path) | USA (GCP us-central1)
Microsoft Azure OpenAI Service | Document classification and data extraction fallback via large language models (LLM, fallback path). Invoked only when the primary Vertex AI path fails validation. | USA (Microsoft Azure)
Microsoft Azure Active Directory | OAuth authentication (optional sign-in method for users who choose “Sign in with Microsoft”). Only name and email address are received. | USA (Microsoft Azure)
Hetzner Online GmbH | Application hosting and document processing infrastructure. Temporal workflow engine and web application servers are hosted on Hetzner infrastructure. | Germany (Hetzner data centers)
Cloudflare, Inc. | Content delivery network, DDoS protection, and bot verification (Turnstile) at signup. Proxies all HTTP traffic to the Service. | Global (EU and US data centers)
Resend, Inc. | Transactional email delivery (extraction completion notifications, organization invites, billing alerts). Only recipient email address and message content are transmitted. | USA

The Processor shall impose data protection obligations no less protective than those set out in this DPA on each sub-processor by way of a written contract in accordance with GDPR Article 28(4). The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

Changes to sub-processors: The Processor will notify the Controller of any intended changes to sub-processors (additions or replacements) at least 30 days in advance. The Controller may object to the change by notifying the Processor in writing within the 30-day notice period. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected Service with 30 days' notice.

7. Security Measures

In accordance with GDPR Article 32, the Processor implements the following technical and organizational measures, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to the rights and freedoms of data subjects:

  • Encryption in transit: TLS 1.2+ for all data transmitted between clients, the Service, and sub-processors
  • Encryption at rest: AES-256 encryption for all stored data (database, file storage)
  • Access control: Row-level security (RLS) policies enforcing per-organization data isolation at the database level
  • Automated deletion: Hard deletion of uploaded PDF files upon expiration of the user-configured retention period (3 or 7 days, extendable up to a maximum of 21 days). Deletion is permanent and irreversible -- there is no soft-delete, backup retention, or recovery mechanism
  • Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and X-Frame-Options configured on all application responses
  • Personnel access controls: Access to Personal Data is restricted to authorized personnel on a need-to-know basis, bound by confidentiality obligations
  • Regular security reviews: Periodic security assessments and vulnerability reviews of infrastructure and application code
  • Incident response: Documented incident response procedures with 72-hour breach notification capability (see Section 9)

8. Data Retention and Deletion

The Processor applies the following retention schedule to Personal Data processed on behalf of the Controller:

  • Uploaded documents (original PDFs): Retained for a Controller-configured period of 3 or 7 days from the date of upload. The Controller may extend this period up to two times. The maximum retention period under any circumstances is 21 days (7-day base period plus two extensions of 7 days each).
  • Deletion mechanism: Deletion is automated (via a scheduled workflow running every 5 minutes), permanent, and irreversible. There is no soft-delete, backup retention, or recovery mechanism. Once the retention period expires, the document cannot be restored.
  • Extracted data: Structured output (transaction records, field values, confidence scores) is retained in the Controller's account until the Controller deletes it or the account is terminated.
  • Audit trail (activity log) data: Records of user actions (audit trail) are retained for the duration of the Controller's active subscription. If a user's account is deleted, the user identifier in existing audit records is removed (set to null); action records themselves persist under the organization until the organization account is deleted. Upon organization deletion or account termination, all audit trail records for the organization are permanently deleted.
  • Account termination: Upon termination of the Service, all remaining uploaded documents, extracted data, and audit trail records are deleted within 30 days, unless retention is required by applicable Union or Member State law.

9. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, the Processor shall:

  • Notify the Controller without undue delay and in any event no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33(2)
  • Provide the Controller with sufficient information to enable the Controller to fulfill its own breach notification obligations under GDPR Articles 33 and 34, including: the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects
  • Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach
  • Document all Data Breaches, including their effects and the remedial actions taken, in accordance with GDPR Article 33(5)

10. International Data Transfers

The Processor is established in France (European Union). Sub-processors are located in the United States and Germany. Specifically: uploaded documents and account data are stored in AWS us-east-1 (North Virginia) via Supabase; document processing infrastructure is hosted in Germany (Hetzner Online GmbH, within the EEA); AI-based extraction is performed in GCP us-central1 via Google Vertex AI and in Microsoft Azure via Azure OpenAI Service; website analytics and conversion tracking are processed by Google LLC (Google Analytics 4) in the United States; HTTP traffic is proxied through Cloudflare (global data centers). Personal Data transferred from the EEA to sub-processors outside the EEA is protected by appropriate safeguards as required by GDPR Chapter V, specifically:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Article 46(2)(c), as supplemented by a transfer impact assessment where required
  • Where applicable, the EU-U.S. Data Privacy Framework for certified sub-processors

The Controller may request a copy of the applicable transfer mechanisms by contacting privacy@parsefield.com.

11. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and in GDPR Article 28. The Processor shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit unless the audit reveals a material breach by the Processor.

12. Supervisory Authority

The lead supervisory authority for the Processor is the Commission Nationale de l'Informatique et des Libertés (CNIL):

CNIL
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr

13. Liability

The Processor's liability under this DPA is subject to the limitations set out in the Terms of Service. Each party shall be liable for damage caused by processing that infringes the GDPR, in accordance with GDPR Article 82. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the lawful instructions of the Controller.

14. Term and Termination

This DPA is effective for the duration of the Controller's subscription to ParseField and shall automatically terminate upon termination of the underlying Service agreement. Upon termination, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days, unless Union or Member State law requires continued storage. The Controller may request return of data in a machine-readable format (CSV, JSON, XLSX) prior to the end of the 30-day period. The obligations of confidentiality and data protection set out in this DPA shall survive termination.

15. Governing Law

This DPA is governed by and construed in accordance with French law, without regard to conflict of law principles. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts of Paris, France, subject to the rights of data subjects and supervisory authorities under the GDPR.

16. Contact

For DPA inquiries, to exercise audit rights, or to request a countersigned copy of this DPA for compliance purposes:

legal@parsefield.com

N MARKETING SAS, trading as ParseField
10 rue de Penthièvre, 75008 Paris, France
SIRET: 890 496 565 00015