Data Processing Addendum
Effective April 22, 2026. Last updated April 22, 2026.
This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Customer") and InsurancePDFtoExcel ("Processor"). It applies when Customer is processing personal data of EU/UK/EEA data subjects through the service.
1. Roles
Customer is the Data Controller. InsurancePDFtoExcel acts as Data Processor and processes personal data only on documented instructions from Customer (which include the act of uploading documents to the service).
2. Subject matter and duration
The subject matter is the extraction of structured data from insurance PDFs. Processing continues for the duration of the service subscription plus the retention window of 90 days.
3. Categories of data
- Names, addresses, contact details, and business identifiers (FEIN, NAICS) appearing on insurance documents.
- Policy numbers, coverages, limits, and claims data.
- Customer account data (email, billing address, plan).
4. Data subjects
Insureds, policyholders, certificate holders, claimants, brokers, and other parties identified on insurance documents.
5. Subprocessors
Customer authorizes the subprocessors listed in our Privacy Policy (Supabase, Vercel, Anthropic, Stripe, Resend, Sentry, PostHog). We will provide 30 days' notice before engaging new subprocessors.
6. Security measures
- Encryption in transit (TLS 1.3) and at rest.
- Role-based access control with least privilege.
- SHA-256 hashing of API keys; secrets never logged.
- Annual penetration testing once we exceed $100k ARR.
- SOC 2 Type I targeted within 12 months of service launch.
7. International transfers
Personal data is transferred to and processed in the United States. We rely on the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum, both incorporated by reference into this DPA.
8. Data subject requests
Processor will assist Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 30 days of a documented request from Customer.
9. Breach notification
Processor will notify Customer of any personal data breach affecting Customer's data without undue delay and within 72 hours of becoming aware of it.
10. Audit
Customer may, no more than once per twelve-month period, request reasonable evidence of Processor's compliance with this DPA, including third-party audit reports (e.g. SOC 2 once available).
11. Deletion
Upon termination, Processor will delete all Customer personal data within 30 days, except where retention is required by law.
Questions? Email legal@insurancepdftoexcel.com.