Data Processing Agreement

1. Roles and scope

For the personal data contained in remittance documents and related Customer Data, the Customer is the controller and RemitClear is the processor. Each party will comply with applicable data protection law, including the UK GDPR and the Data Protection Act 2018, the EU GDPR where it applies, and the Australian Privacy Act 1988 (Cth) where it applies ("Data Protection Law"). The Customer is responsible for having a lawful basis to provide the personal data to us and for the accuracy and lawfulness of its instructions.

2. Processing on instructions

We will process personal data only on the Customer's documented instructions, including those set out in the Terms, this DPA, and the configuration and use of the Service, and as required to provide the Service. We will tell the Customer if we believe an instruction breaches Data Protection Law, unless prohibited from doing so. If law requires us to process otherwise, we will inform the Customer first unless prohibited.

3. Confidentiality

We ensure that personnel authorised to process the personal data are bound by appropriate confidentiality obligations and access it on a need-to-know basis.

4. Security

We implement appropriate technical and organisational measures to protect personal data, taking into account the state of the art, costs, and the nature and risk of the processing. A summary is in Annex 2 and on our Security page.

5. Sub-processors

The Customer gives general authorisation for us to engage the sub-processors listed on our Sub-processors page (Annex 3). We impose data protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance. We will give reasonable prior notice of any new or replacement sub-processor by updating that page; Customers are encouraged to check it periodically, and we can provide email notice of changes on request or under a bespoke contract. The Customer may object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the concern.

6. Assistance to the Customer

• Taking into account the nature of the processing, we will assist the Customer with appropriate technical and organisational measures to respond to requests from individuals exercising their rights, insofar as possible.
• We will assist the Customer in ensuring compliance with its security, breach notification, data protection impact assessment and prior consultation obligations, taking into account the information available to us.

7. Personal data breaches

We will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data, and provide information reasonably available to us to help the Customer meet its own notification obligations.

8. International transfers

Where we or our sub-processors process personal data outside the UK, the EEA, or Australia, we put in place a lawful transfer mechanism, such as the UK International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or reliance on adequacy. The relevant mechanism for each provider is reflected on the Sub-processors page.

9. Deletion and return

On termination of the Service, or on the Customer's earlier written request, we will delete the Customer's personal data within 30 days, except where law requires us to retain limited records. On request within that period we will make available a copy of Customer Data in a commonly used format before deletion.

10. Audits and information

We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allow for and contribute to audits, including through providing relevant documentation. Audits will be at the Customer's cost, limited to once per year unless required by a supervisory authority or following a breach, and conducted so as not to disrupt our operations or other customers.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service.

Annex 1 - Details of processing

• Subject matter: processing of remittance documents and related data to extract, match and record payments.
• Duration: the term of the subscription, plus the deletion period in clause 9.
• Nature and purpose: ingestion, automated and AI-based extraction, matching against accounting records, storage, and assisting the recording of payments.
• Types of personal data: names and contact details of payers and contacts, payment references and amounts, and any other personal data the Customer includes in uploaded documents or its accounting records.
• Categories of data subjects: the Customer's customers, suppliers, contacts and their staff, and the Customer's own users.
• Special category data: not intended; the Customer should not upload special category data.

Annex 2 - Security measures (summary)

• encryption of data in transit;
• multi-tenant isolation with database row-level security scoped to each workspace;
• authentication with support for multi-factor authentication, and role-based access within workspaces;
• least-privilege internal access and audit logging of payment posting;
• use of reputable infrastructure providers with their own security certifications; and
• processing arrangements with our AI provider under terms that do not permit use of Customer content to train general models.

Annex 3 - Sub-processors

The current list of sub-processors is maintained on our Sub-processors page and forms part of this DPA. Questions about this DPA can be sent to privacy@remitclear.com.