Data Processing Agreement
Last updated: February 16, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Rivofin (“Processor”) and you (“Controller”), and governs the processing of personal data that you submit to the Service on behalf of your clients or other third parties.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applies whenever Rivofin processes personal data on your behalf.
1. Definitions
- “Controller” means you, the user of the Service, who determines the purposes and means of processing personal data.
- “Processor” means Rivofin, which processes personal data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person that the Controller submits to the Service.
- “Sub-processor” means a third party engaged by Rivofin to process Personal Data on behalf of the Controller.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
- “Data Protection Laws” means all applicable data protection and privacy laws, including the GDPR, Albanian Law No. 124/2024, the UK GDPR and Data Protection Act 2018, the Swiss FADP, the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission (Implementing Decision (EU) 2021/914) for the transfer of personal data to third countries.
- “Supervisory Authority” means an independent public authority responsible for monitoring the application of data protection law, including the Information and Data Protection Commissioner of Albania (IDP) and any other applicable authority.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “DPIA” means a Data Protection Impact Assessment as described in GDPR Article 35.
- “Service” means the Rivofin bank statement management platform, including the website, application, and API, as described in the Terms of Service.
2. Scope and Purpose of Processing
2.1 Subject Matter
Rivofin processes Personal Data contained in bank statements and financial documents uploaded by the Controller to provide the Service.
2.2 Nature and Purpose
Processing activities include:
- Storing uploaded PDF bank statements
- Extracting transaction data using AI-powered processing (OCR and natural language processing)
- Matching counterparties and categorizing transactions
- Generating structured exports (CSV, Excel, JSON)
- Maintaining audit logs of processing activities
2.3 Categories of Personal Data
Personal Data processed may include:
- Names of account holders and transaction counterparties
- Bank account numbers and IBANs
- Transaction amounts, dates, and descriptions
- Tax identification numbers
- Any other personal data contained in uploaded bank statements
2.4 Categories of Data Subjects
- The Controller's clients and their customers/vendors
- Individuals whose names or data appear in uploaded bank statements or reference documents
2.5 Processing Locations
Processing takes place in the United States and the European Union through the sub-processors listed in the Privacy Policy (Section 5.1). International transfers are governed by Section 8 of this DPA.
2.6 Duration
Processing continues for the duration of the Controller's use of the Service. Upon termination, data is handled in accordance with Section 9 of this DPA.
2.7 Sensitive and Special Category Data
The Controller acknowledges that bank statements and financial documents may incidentally contain data revealing information falling within special categories of personal data under GDPR Article 9 (such as political opinions inferred from donations, religious beliefs inferred from tithes, health information inferred from medical transactions, or trade union membership inferred from dues). Rivofin does not intentionally process special category data and does not use such information for any purpose other than providing the Service.
The Controller is responsible for ensuring that any processing of special category data through the Service has a valid legal basis under GDPR Article 9(2) and for implementing appropriate safeguards. Rivofin will apply the same technical and organizational security measures described in Section 6 and Annex 2 to all Personal Data, including any incidental special category data.
2.8 Rivofin as Controller
The parties acknowledge that Rivofin independently acts as a data controller for certain categories of personal data, including: account information (names, email addresses), usage data (log data, device information, pages viewed), billing information, and support correspondence. The processing of such data is governed by Rivofin's Privacy Policy and is outside the scope of this DPA.
This DPA governs only the processing of Personal Data where Rivofin acts as a processor on behalf of the Controller (i.e., the data contained in uploaded bank statements, financial documents, and related content submitted by the Controller to the Service).
3. Obligations of the Processor
Rivofin shall:
- Process Personal Data only on documented instructions from the Controller, including transfers to a third country, unless required by EU or member state law
- Immediately inform the Controller if, in Rivofin's opinion, an instruction infringes the GDPR or other EU or member state data protection provisions
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures as described in Section 6 and Annex 2 of this DPA
- Engage sub-processors only in accordance with Section 5 of this DPA
- Notify the Controller within 5 business days of receiving a Data Subject request, and assist the Controller in responding to such requests (access, rectification, erasure, portability, etc.) through appropriate technical and organizational measures
- Assist the Controller in ensuring compliance with GDPR Articles 32-36, taking into account the nature of the processing and the information available to Rivofin, including assisting with Data Protection Impact Assessments (DPIAs) for high-risk processing activities and providing the information necessary for the Controller's own DPIAs upon request
- Delete or return all Personal Data upon termination of the Service, at the Controller's choice, unless EU or member state law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits
- Maintain records of processing activities carried out on behalf of the Controller in accordance with GDPR Article 30(2)
3.1 Data Protection Impact Assessments
Rivofin will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35, and prior consultations with Supervisory Authorities as required by GDPR Article 36. This assistance includes:
- Providing information about the nature, scope, context, and purposes of processing
- Describing the technical and organizational security measures implemented
- Identifying risks to the rights and freedoms of Data Subjects arising from the processing
- Cooperating with the Supervisory Authority in the performance of its tasks, upon the Controller's request
The Controller acknowledges that AI-powered processing of financial documents may constitute a type of processing that is likely to result in a high risk to the rights and freedoms of natural persons under GDPR Article 35(3)(a), and should conduct a DPIA accordingly.
3.2 Data Subject Rights Assistance
Rivofin will assist the Controller in fulfilling its obligations to respond to Data Subject requests under Chapter III of the GDPR (Articles 15-22), including requests for access, rectification, erasure, restriction, data portability, and objection. Specifically:
- Rivofin will notify the Controller within 5 business days of receiving a request from a Data Subject relating to Personal Data processed under this DPA
- Rivofin will not respond directly to Data Subject requests unless authorized by the Controller or required by applicable law
- Rivofin will provide the Controller with the technical means to export, rectify, or delete Personal Data as needed to fulfill Data Subject requests
- The Service provides built-in features for data export (CSV, JSON, XLSX) and deletion that the Controller may use to fulfill portability and erasure requests
- The Controller bears the costs of any extraordinary measures required to fulfill complex or voluminous Data Subject requests, unless such costs result from Rivofin's non-compliance with this DPA
4. Obligations of the Controller
The Controller shall:
- Ensure that the processing of Personal Data through the Service has a valid legal basis under GDPR
- Obtain all necessary consents and authorizations from Data Subjects before uploading their Personal Data
- Provide documented instructions for the processing of Personal Data
- Inform Rivofin of any Data Subject requests that require Rivofin's assistance
5. Sub-processors
5.1 Authorization
The Controller provides general written authorization for Rivofin to engage sub-processors to carry out specific processing activities. The current list of sub-processors, including their names, purposes, data processed, and processing locations, is maintained in our Privacy Policy (Section 5.1).
5.2 Notification of Changes
Rivofin will notify the Controller by email at least 30 days before adding or replacing a sub-processor, providing the Controller with the opportunity to object. If the Controller objects on reasonable grounds related to data protection, Rivofin will use commercially reasonable efforts to provide an alternative or, if not possible, the Controller may terminate the affected Service without penalty.
5.3 Sub-processor Agreements
Rivofin will impose contractual obligations on each sub-processor that are no less protective than those in this DPA, including obligations regarding confidentiality, security, and data protection.
6. Security Measures
Rivofin implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256-GCM)
- Access controls with role-based permissions
- Regular security assessments and vulnerability testing
- Secure authentication with optional two-factor authentication
- Automated monitoring and alerting for security events
- Employee background checks and security training
- Pseudonymization of personal data where feasible and appropriate
- Ensuring the ongoing resilience of processing systems and services
- Ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
7. Data Breach Notification
In the event of a Data Breach (as defined in Section 1), Rivofin will:
- Notify the Controller without undue delay after becoming aware of the breach, and in any case within 36 hours
- Provide the Controller with sufficient information to fulfill the Controller's breach notification obligations under GDPR Articles 33 and 34
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
Notification will include, to the extent available: the nature of the breach, categories and approximate number of Data Subjects and personal data records affected, likely consequences, contact details of the Data Protection Officer, and measures taken or proposed to address the breach.
8. International Transfers
Where Personal Data is transferred outside the EEA (see sub-processor list in our Privacy Policy), Rivofin ensures appropriate safeguards are in place through:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor)
- Module 3 (Processor to Sub-processor) of the Standard Contractual Clauses for transfers from Rivofin to its sub-processors
- Supplementary measures where necessary, following the recommendations of the European Data Protection Board
For transfers of UK personal data, Rivofin relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
For transfers of Swiss personal data, Rivofin relies on the EU Standard Contractual Clauses as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC), with the Swiss-specific adaptations the FDPIC requires.
Rivofin conducts and documents Transfer Impact Assessments for each international transfer, evaluating the legal framework of the recipient country and implementing supplementary measures where necessary.
9. Data Return and Deletion
Upon termination or expiry of the Service:
- The Controller may export their data using the built-in export features before termination
- Rivofin will delete all Personal Data within 30 days of account termination, unless EU or member state law requires continued storage
- Data in encrypted backups is purged as those backups expire under the 30-day rolling retention described in Annex 2 (i.e., within 30 days of deletion from production systems)
- Upon request, Rivofin will provide written confirmation of data deletion
10. Audits
Rivofin will make available to the Controller information necessary to demonstrate compliance with the obligations in GDPR Article 28 and this DPA.
The Controller (or an independent third-party auditor appointed by the Controller) may conduct an audit of Rivofin's processing activities, subject to the following conditions:
- Audits require at least 30 days' written notice
- Audits will be conducted during normal business hours
- The auditor must be bound by confidentiality obligations and must not be a competitor of Rivofin
- Audits will be conducted no more than once per year, unless required by law
- The Controller bears the cost of audits (unless the audit reveals material non-compliance by Rivofin)
11. Financial Sector Customers (DORA)
Where the Controller is a financial entity subject to the Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”), the following additional terms apply to the extent required by DORA Article 30:
- Rivofin will provide clear descriptions of the ICT services, including service level targets for availability, response times, and performance
- Rivofin will notify the Controller without undue delay of any ICT-related incident that may impact the services provided
- Rivofin will maintain and test business continuity and disaster recovery plans and make summaries available to the Controller upon request
- Rivofin will grant the Controller and its competent authorities full access and cooperation rights for audits and inspections related to DORA compliance
- Rivofin will assist the Controller with exit strategies, including data migration and transition support, with reasonable notice periods
- Rivofin will participate in the Controller's ICT third-party risk assessment processes and provide information necessary for the Controller's register of information under DORA Article 28
These DORA provisions supplement and do not replace the obligations in the rest of this DPA. In the event of conflict, the provision that provides greater protection to Personal Data shall prevail.
12. US State Privacy Law Compliance
Where the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), or other US state privacy laws apply to the processing of Personal Data under this DPA:
- Rivofin acts as a “service provider” (as defined by the CCPA) or “processor” (as defined by applicable US state privacy laws) with respect to Personal Data processed on behalf of the Controller
- Rivofin shall not sell or share Personal Data, as those terms are defined under the CCPA or applicable US state privacy laws
- Rivofin shall not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA, or as otherwise permitted by the CCPA or applicable US state privacy laws
- Rivofin shall not combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CCPA or applicable US state privacy laws
- Rivofin shall assist the Controller in responding to verifiable consumer requests to know, delete, or correct Personal Data, within the timeframes required by applicable law
- Rivofin grants the Controller the right to take reasonable and appropriate steps to ensure that Rivofin uses the Personal Data in a manner consistent with the Controller's obligations under applicable US state privacy laws
- Rivofin shall notify the Controller if it determines that it can no longer meet its obligations under applicable US state privacy laws
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that nothing in the Terms of Service limits or excludes either party's liability for obligations under the GDPR that cannot be limited by contract, including liability to data subjects under Article 82 GDPR.
14. Governing Law
This DPA is governed by the laws of the Republic of Albania, without regard to conflict of law principles, and is subject to the jurisdiction of the courts of Tirana, Albania. Where the GDPR applies, this DPA shall be interpreted in accordance with the GDPR.
This DPA is also subject to Albanian Law No. 124/2024 on Personal Data Protection. Where both the GDPR and Albanian law apply, the provision that provides greater protection to Personal Data shall prevail.
15. Conflict and Precedence
In the event of any conflict between the provisions of this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to the processing and protection of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses (Annex 4), the Standard Contractual Clauses shall prevail.
16. Changes to This Agreement
We review this Data Processing Agreement at least annually to ensure it remains accurate and compliant with applicable laws. Material changes will be communicated with at least 30 days' notice.
17. Contact
For questions about this DPA or to exercise your rights, please contact:
- Email: privacy@rivofin.com
- Data Protection Officer: dpo@rivofin.com
Annex 1: Description of Processing
The description of processing activities is set out in Section 2 of this DPA, including the subject matter, nature and purpose of processing, categories of personal data, categories of data subjects, processing locations, and duration.
Annex 2: Technical and Organizational Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
- Encryption of data in transit using TLS 1.2+ and at rest using AES-256-GCM with managed encryption keys stored securely and separately from the encrypted data
- Passwords hashed using scrypt with per-user salts
- Two-factor authentication (TOTP) available for all user accounts
- Role-based access controls limiting data access to authorized personnel
- Automated audit logging of all data access and modifications
- Regular security assessments and vulnerability testing
- Automated monitoring and alerting for security events
- Database backups encrypted and retained for 30 days (rolling)
- Hosting on infrastructure providers that maintain SOC 2 attestation reports
- Data Protection Impact Assessments conducted for high-risk processing activities
- Employee confidentiality agreements and security training
- Incident response procedures documented and tested
- Pseudonymization applied where feasible
- System resilience through redundant infrastructure and automated failover
- Disaster recovery procedures to restore data access within defined recovery time objectives
- Separation controls ensuring multi-tenant data isolation, preventing one customer's data from being accessed by or visible to another customer
- Physical security of processing locations managed by cloud infrastructure providers that maintain SOC 2 attestation reports, with access controls, surveillance, and environmental protections
- Event logging and monitoring of all access to Personal Data, with logs retained for security investigation purposes
- IT security governance including documented security policies, procedures, and organizational responsibility assignments
- Data minimization applied in accordance with GDPR Article 5(1)(c), collecting and processing only the Personal Data necessary for the stated purposes
Annex 3: List of Sub-processors
The current list of approved sub-processors is maintained in the Privacy Policy (Section 5.1) and includes the sub-processor name, purpose, data processed, and processing location. The Controller will be notified of changes in accordance with Section 5.2 of this DPA.
Annex 4: Standard Contractual Clauses
For international data transfers outside the EEA, the Processor relies on the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), specifically Module 2 (Controller to Processor). For Rivofin-to-sub-processor transfers, Module 3 (Processor to Sub-processor) applies. Copies of the executed SCCs are available upon request by contacting privacy@rivofin.com.
Annex 5: Jurisdiction-Specific Provisions
European Economic Area (EEA)
Where the Controller is established in the EEA or the processing relates to EEA Data Subjects, the GDPR applies to all processing under this DPA. The supervisory authority competent for Rivofin in its country of establishment is the Information and Data Protection Commissioner of Albania (IDP); EEA Controllers remain subject to the Supervisory Authority of the member state in which they are established.
United Kingdom
Where the processing relates to UK Data Subjects, the UK GDPR and Data Protection Act 2018 apply. International transfers of UK personal data are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. The relevant Supervisory Authority is the Information Commissioner's Office (ICO).
Switzerland
Where the processing relates to Swiss Data Subjects, the Swiss Federal Act on Data Protection (FADP) applies. International transfers of Swiss personal data rely on Swiss FDPIC-recognized Standard Contractual Clauses. The relevant authority is the Federal Data Protection and Information Commissioner (FDPIC).
United States
Where the CCPA, VCDPA, or other US state privacy laws apply, the provisions of Section 12 (US State Privacy Law Compliance) of this DPA govern. Rivofin acts as a “service provider” under the CCPA and a “processor” under other applicable US state privacy laws.
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | February 16, 2026 | Initial version |
This document is also available in Shqip (Albanian).