1. Definitions

For the purposes of this DPA:

• "Controller" means you, the user who determines the purposes and means of processing personal data through the Service.
• "Processor" means FinPM, which processes personal data on behalf of the Controller.
• "Sub-processor" means any third party engaged by FinPM to process personal data.
• "Personal Data" has the meaning given in GDPR Article 4(1).
• "Processing" has the meaning given in GDPR Article 4(2).
• "Data Subject" means an identified or identifiable natural person.
• "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

2. Scope and Purpose

2.1 Scope

This DPA applies to all processing of personal data by FinPM on behalf of users in connection with the provision of our personal finance management service.

2.2 Purpose of Processing

FinPM processes personal data for the following purposes only:

• Importing and storing financial account information
• Parsing and categorizing financial transactions
• Providing budget management and financial insights
• Enabling household sharing features (with consent)
• AI-powered transaction analysis and categorization
• Generating financial reports and analytics

2.3 Duration

This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller, and terminates upon deletion of all personal data as described in Section 11.

3. Data Subjects and Data Types

3.1 Categories of Data Subjects

• Users of the FinPM service
• Household members (when household sharing is enabled)

3.2 Categories of Personal Data

3.3 Special Categories of Data

We do not intentionally collect special categories of personal data (Article 9 GDPR). However, financial transaction data may incidentally reveal information about health, religion, or other sensitive matters. We implement appropriate safeguards as described in Section 7.

4. Controller Obligations

As the Controller, you agree to:

• Ensure you have a lawful basis for all personal data processing under Article 6 GDPR
• Provide clear and complete information about processing purposes
• Respond to data subject requests with our assistance
• Notify us promptly of any changes to processing instructions
• Ensure all household members provide informed consent to data sharing
• Maintain appropriate security measures under your control
• Ensure compliance with applicable data protection laws in your jurisdiction

5. Processor Obligations

FinPM, as Processor, commits to the following obligations in accordance with GDPR Article 28(3):

• Documented Instructions: Process personal data only on your documented instructions, including transfers to third countries, unless required by EU or Member State law
• Confidentiality: Ensure that all persons authorized to process personal data have committed themselves to confidentiality
• Security: Implement appropriate technical and organizational measures as specified in Section 7
• Sub-processing: Engage sub-processors only with your prior authorization and under written contracts imposing equivalent obligations
• Assistance: Assist you in responding to data subject requests and in ensuring compliance with Articles 32-36 GDPR
• Deletion: Delete or return all personal data upon termination, as specified in Section 11
• Audit: Make available all information necessary to demonstrate compliance and allow for audits as specified in Section 10

6. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors for the processing of personal data:

6.1 Sub-Processor Changes

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to new sub-processors within 14 days of notification. If we cannot reasonably accommodate your objection, you may terminate the service.

7. Security Measures

FinPM implements appropriate technical and organizational security measures in accordance with GDPR Article 32:

7.1 Technical Measures

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest
• Encrypted database backups
• Network segmentation and firewalls
• Automated security patching
• Real-time intrusion detection

7.2 Organizational Measures

• Role-based access control
• Principle of least privilege
• Employee confidentiality agreements
• Regular security awareness training
• Documented incident response procedures
• Regular security audits and assessments

7.3 Authentication

• Secure password hashing (bcrypt)
• Two-factor authentication support
• Session management and timeout controls
• Brute-force protection

8. Data Subject Rights Assistance

FinPM provides the following technical capabilities to assist Controllers in responding to data subject requests:

9. Data Breach Notification

In the event of a personal data breach affecting your data, FinPM will:

• Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
• Provide the following information as required by GDPR Article 33(3):
  • Nature of the breach, including categories and approximate number of data subjects affected
  • Name and contact details of our privacy contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
• Cooperate with your investigation and assist with any regulatory notifications you are required to make
• Document the breach in our internal breach register

Breach notifications will be sent to the email address associated with your account and through in-application notifications.

10. Audit Rights

The Controller has the right to verify FinPM's compliance with this DPA:

• Documentation: We will provide documentation demonstrating compliance upon reasonable request (typically within 30 days)
• Third-party audits: We may satisfy audit requests by providing relevant third-party audit reports or certifications
• Scope: Audits shall be limited to processing activities and security measures related to personal data
• Confidentiality: All audit activities are subject to confidentiality obligations

11. Data Deletion and Return

Upon termination of the service or upon your request:

• Data Export: You may export all your personal data at any time through your account settings before termination
• Deletion Timeline: Upon account deletion request, all personal data will be permanently deleted within 30 days, including from backup systems
• Confirmation: We will provide confirmation of deletion upon request
• Exceptions: Data may be retained where required by applicable law or to establish, exercise, or defend legal claims. We will notify you of any such retention.

12. Contact Information

For questions about this DPA or data protection matters:

Privacy and DPA Inquiries:
Email: privacy@finpm.eu
Response time: Within 30 days as required by GDPR

Data Breach Reports:
Email: security@finpm.eu
Response time: Within 72 hours