Data Processing Agreement
Last updated: February 8, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Statement Scan, Inc. ("Statement Scan," "Processor," "we," "our," or "us") and you ("Controller," "you," or "your") and governs the processing of personal data in connection with your use of our services.
1. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion
- "Data Protection Laws" means applicable laws relating to data protection and privacy, including GDPR, CCPA, and other relevant regulations
- "Sub-processor" means any third party engaged by Statement Scan to process Personal Data
- "Data Subject" means the individual to whom Personal Data relates
2. Scope and Purpose
This DPA applies to the processing of Personal Data that you submit to Statement Scan or that we collect on your behalf through our portfolio analysis services.
Key Point: Most data processing occurs locally in your browser. We only process Personal Data on our servers when you explicitly choose to create an account or save portfolio data.
3. Data Processing Details
Categories of Data Subjects
- Users of Statement Scan services
- Account holders who save portfolio data
Types of Personal Data
| Category | Examples | Processing Location |
| --- | --- | --- |
| Account Information | Email address, name | Server (encrypted) |
| Financial Data | Holdings, account values, transactions | Browser (local) / Server if saved |
| Usage Data | Feature usage, analytics | Server (anonymized) |
| Technical Data | IP address, browser type | Server (logs) |
Purpose of Processing
- Providing portfolio analysis services
- Account management and authentication
- Service improvement and analytics
- Customer support
- Legal compliance
4. Our Obligations as Processor
Statement Scan agrees to:
- Process Personal Data only on your documented instructions
- Ensure persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Delete or return Personal Data upon termination of services, at your choice
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections
5. Security Measures
We implement the following security measures to protect Personal Data:
Technical Measures
- TLS/SSL encryption for data in transit
- AES-256 encryption for data at rest
- Secure authentication mechanisms
- Regular security assessments and penetration testing
- Intrusion detection and prevention systems
- Regular security patches and updates
Organizational Measures
- Access controls based on least privilege principle
- Employee background checks and confidentiality agreements
- Regular security awareness training
- Incident response procedures
- Business continuity planning
6. Sub-processors
We engage the following categories of sub-processors:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Cloud Infrastructure Provider | Hosting and data storage | United States |
| Plaid Inc. | Brokerage account connection | United States |
| Analytics Provider | Anonymized usage analytics | United States |
We will notify you of any intended changes to sub-processors, giving you the opportunity to object. All sub-processors are bound by data protection obligations no less protective than those in this DPA.
7. Data Subject Rights
We will assist you in fulfilling your obligations to respond to Data Subject requests, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
We will notify you promptly if we receive a request directly from a Data Subject.
8. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach
- Provide information about the nature of the breach, categories of data affected, and approximate number of Data Subjects affected
- Describe likely consequences and measures taken or proposed to address the breach
- Cooperate with any investigation and provide necessary assistance
9. International Data Transfers
If Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules
- Adequacy decisions by the European Commission
10. Data Retention
We retain Personal Data in accordance with our Data Retention Policy. Upon termination of services or at your request, we will delete or return your Personal Data, unless retention is required by law.
11. Audit Rights
Upon reasonable notice and subject to confidentiality obligations, you may:
- Request information about our data processing activities
- Review our security certifications and audit reports
- Conduct or commission an audit (at your expense) to verify compliance with this DPA
12. Term and Termination
This DPA remains in effect for as long as we process Personal Data on your behalf. Upon termination:
- We will cease processing Personal Data
- We will delete or return all Personal Data at your choice
- We will provide certification of deletion upon request
13. Amendments
We may update this DPA from time to time to reflect changes in our practices or applicable law. We will notify you of material changes through the service or by other means.