Data Processing Agreement

Last updated: December 2025

Data Processing & Compliance

ExactSum is committed to GDPR compliance. All personal data and uploaded documents are processed securely with appropriate safeguards in place.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between ExactSum ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of the DodgeTax service.

This DPA sets out the terms under which we process personal data on your behalf when you use our Service to scan bank statements for tax deductions.

2. Definitions

  • "Personal Data" - Any information relating to an identified or identifiable person
  • "Processing" - Any operation performed on Personal Data
  • "Data Subject" - The individual to whom the Personal Data relates
  • "Sub-processor" - Any third party engaged to process data on your behalf

3. Data Processed

When you upload bank statements, we may process:

  • Account holder names
  • Bank account numbers
  • Transaction details (dates, descriptions, amounts)
  • Account balances
  • Merchant and payee names

4. Purpose of Processing

We process this data solely to:

  • Scan and categorize transactions from your bank statements
  • Identify potential tax deductions
  • Generate deduction reports for download

5. Data Retention

  • Uploaded bank statements: Deleted within 12 hours
  • Deduction reports: Deleted within 12 hours
  • Processing logs: Retained for 30 days, then deleted

6. Security Measures

  • Encryption in transit: TLS 1.3 (256-bit)
  • Encryption at rest: AES-256
  • Access controls: Role-based with MFA
  • Audit logging: Comprehensive access logging

7. Sub-processors

We use the following sub-processors:

Sub-processor | Purpose | Location
Cloudflare R2 | File storage | EU
Stripe Inc. | Payment processing | EU/US
Reducto AI | Document processing | US

8. Your Obligations

As the Controller, you confirm that:

  • You have legal authority to upload the bank statements
  • You have obtained any necessary consents
  • You will use the Service in compliance with data protection laws

9. Our Obligations

As the Processor, we undertake to:

  • Process Personal Data only on your instructions
  • Ensure personnel are bound by confidentiality
  • Implement appropriate security measures
  • Assist with Data Subject requests
  • Notify you of any Personal Data breach
  • Delete all Personal Data upon service termination

10. Data Breach Notification

In the event of a breach, we will notify you within 48 hours with details of the breach, affected data, and remediation steps.

Contact Us

Questions about this Data Processing Agreement?

ExactSum

Email: legal@dodgetax.com