Last updated: 2026-05-27

Data Processing Agreement

The terms under which BankStatementHive processes personal data on behalf of business customers, in accordance with GDPR Article 28.

This Data Processing Agreement ("DPA") forms part of the BankStatementHive Terms of Service and applies whenever a customer uses BankStatementHive to process documents that contain personal data. By accepting the Terms of Service, the customer also accepts this DPA.


1. Definitions

"Controller" means the customer — the natural or legal person who determines the purposes and means of processing personal data by using the BankStatementHive Service.

"Processor" means BankStatementHive, which processes personal data on behalf of the Controller.

"Personal Data", "Processing", "Data Subject", "Supervisory Authority", and "Sub-processor" have the meanings given in Regulation (EU) 2016/679 (GDPR).

"Service" means the BankStatementHive platform as described in the Terms of Service.


2. Scope and Relationship

This DPA applies where the Controller uploads documents to the Service that contain personal data — for example, bank statements that include the names, addresses, or contact details of individuals.

BankStatementHive acts solely as a Processor in this context. The Controller determines the purpose and means of processing; BankStatementHive processes the data only to the extent necessary to deliver the Service.


3. Details of Processing

| Item | Details |
| --- | --- |
| Subject matter | AI-assisted extraction of structured data from PDF bank statement files |
| Duration | For the duration of each processing request; data is not retained after processing |
| Nature of processing | Automated analysis and extraction, performed entirely in memory |
| Purpose | Converting bank statement documents into structured CSV or Excel output as instructed by the Controller |
| Types of personal data | Names, addresses, account numbers, and financial transaction data appearing on bank statements |
| Categories of data subjects | Account holders and individuals whose details appear on bank statement documents |

4. Controller Obligations

The Controller represents and warrants that:

  • It has a valid legal basis under applicable law to process the personal data contained in documents uploaded to the Service.
  • It is authorised to instruct BankStatementHive to process that data on its behalf.
  • The personal data provided to BankStatementHive is accurate and its processing complies with applicable data protection law.

5. Processor Obligations

BankStatementHive agrees to:

5.1 Process Only on Instructions

Process personal data only on the documented instructions of the Controller — specifically, to extract and convert bank statement data as requested. BankStatementHive will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

5.2 Confidentiality

Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.

5.3 Security

Implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. These measures are described on our Security page.

5.4 In-Memory Processing

Bank statement files are processed entirely in memory and are never written to disk or stored in any database. Personal data contained in uploaded documents is not retained by BankStatementHive after processing is complete.

5.5 Assistance with Data Subject Rights

Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable law (access, rectification, erasure, portability, restriction, objection).

5.6 Assistance with Security and Breach Notification

Assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR, including security obligations, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

5.7 Deletion on Termination

Upon termination of the Service, all personal data processed under this DPA is immediately discarded from memory as part of normal operation. No additional deletion step is required given the in-memory processing model.

5.8 Information and Compliance

Provide the Controller with all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, upon written request to [email protected].

BankStatementHive does not grant on-site audit rights. Where applicable law requires an audit right that cannot be satisfied by information provision, the parties will agree on a reasonable process in good faith.


6. Sub-processors

The Controller grants BankStatementHive general authorisation to engage sub-processors to assist in providing the Service.

The current list of sub-processors is available on our Subprocessors page.

BankStatementHive will notify the Controller of any intended changes to that list (additions or replacements) with at least 14 days' notice by updating the Subprocessors page and, for material changes, by email. The Controller may object to a new sub-processor within that notice period by contacting [email protected]. If the parties cannot resolve the objection in good faith, the Controller may terminate the Service.

BankStatementHive remains fully liable to the Controller for the performance of sub-processors' obligations under this DPA.


7. International Data Transfers

Personal data processed under this DPA is primarily stored and processed within the European Economic Area on Render infrastructure in Frankfurt, Germany.

Where sub-processors are located outside the EEA (currently Stripe and Cloudflare), BankStatementHive ensures an adequate level of protection through one or more of the following mechanisms:

  • The European Commission's Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914.
  • An adequacy decision by the European Commission for the relevant country.

Details of the transfer mechanisms in place for each sub-processor are available on request at [email protected].


8. Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, BankStatementHive will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Notification will include, to the extent known at the time:

  • The nature of the breach and categories of data affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach.

The Controller is responsible for assessing whether the breach requires notification to the relevant supervisory authority or to affected data subjects.


9. Data Subject Rights

Where BankStatementHive receives a request directly from a data subject exercising their rights in relation to personal data processed under this DPA, BankStatementHive will promptly forward the request to the Controller. BankStatementHive will not respond to such requests on the Controller's behalf unless instructed to do so.


10. Termination

This DPA terminates automatically upon termination of the Terms of Service. Given that personal data is processed in memory only and not retained after processing, no further deletion action is required on termination.


11. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA takes precedence.


12. Governing Law

This DPA is governed by the same law as the Terms of Service. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution process set out in the Terms of Service.


13. Contact

For questions about this DPA or to make a written request under Section 5.8, contact us at [email protected].