Data Processing Agreement
Last updated · 2026-05-03
This Data Processing Agreement ("DPA") is entered into between the Rexa Customer ("Controller") and Rexa B.V. ("Processor") and forms part of the Terms of Service. It implements Article 28 of Regulation (EU) 2016/679 (the "GDPR") and the EU Standard Contractual Clauses where applicable.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the GDPR. "Customer Personal Data" means personal data submitted to the Service by or on behalf of Controller within a workspace.
2. Subject matter and duration
Processor processes Customer Personal Data to provide the Service for the duration of the Terms of Service plus the post-termination data export period (30 days).
3. Nature, purpose, and types of data
Processor processes the following categories of data on Controller's behalf: contact identifiers (email address and, where supplied, name), card metadata (last four digits of the card number only), transaction data (merchant, amount, date), receipt files (encrypted), OCR output, approval decisions, free-text notes and comments, and audit events.
Data subjects include Controller's employees and contractors who are designated as cardholders, approvers, finance staff, admins, or auditors within a workspace.
4. Processor obligations
- Process Customer Personal Data only on documented instructions from Controller (this DPA and the Terms of Service, together with the configuration choices made within the Service).
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures (see Annex II).
- Assist Controller with data-subject requests, security obligations under Articles 32–36, and Data Protection Impact Assessments.
- Notify Controller without undue delay (and in any case within 24 hours of confirmed knowledge) of any personal data breach.
- Make available to Controller all information necessary to demonstrate compliance, including by allowing audits as described in section 8.
5. Sub-processors
Controller authorizes Processor's use of the sub-processors listed at /legal/subprocessors. Processor will give 30 days' prior notice of any new sub-processor; Controller may object within that window.
6. International transfers
Customer Personal Data is stored in the EU. Where Controller enables optional AI features, prompts and a workspace activity snapshot may transit to a US-based sub-processor (Anthropic) under the EU Standard Contractual Clauses (2021/914) and Processor's Transfer Impact Assessment.
7. Data subject rights
Processor provides in-product mechanisms for data export (GDPR Art. 15) and erasure (Art. 17) accessible by the relevant data subjects. Where rights cannot be exercised through the product, Processor will assist Controller in fulfilling the request within 30 days.
8. Audit rights
Processor will respond to reasonable written security questionnaires once per year and provide a copy of the most recent SOC 2 / ISO 27001 attestation when available. On-site audits require 30 days' written notice and are subject to confidentiality and reasonable cost reimbursement.
9. Return or deletion of data
Upon termination, Processor will make Customer Personal Data available for export for 30 days, then delete it within 60 days unless retention is required by law (e.g., Netherlands tax retention).
10. Governing law
This DPA is governed by the laws of the Netherlands. The competent courts of Amsterdam have exclusive jurisdiction.
Annex I — Processing details
Subject matter: provision of the Service. Duration: term of the Terms of Service plus the 30-day export window. Nature: storage, retrieval, OCR processing, matching, export. Categories of data: as in section 3. Categories of data subjects: as in section 3.
Annex II — Technical and organizational measures
- Encryption at rest (AES-256-GCM envelope; KMS-wrapped key in production).
- Encryption in transit (TLS for all internal and external connections in production).
- Postgres row-level security on every tenant table.
- Application runs as a non-superuser database role.
- Append-only audit log enforced at the SQL grant layer.
- Multi-factor authentication available; mandatory for admins on Enterprise.
- Segregation of production and non-production environments.
- Quarterly tabletop incident-response drills.
- Sub-processor due diligence and DPAs with each sub-processor.
Annex III — Sub-processors
Maintained at /legal/subprocessors.