Legal

Data Processing Agreement

Last updated: 23 June 2026

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between Settlesol ("Processor") and you, the subscriber ("Controller"). It governs how Settlesol processes personal data on your behalf in connection with the Service.

By accepting our Terms & Conditions, you are also agreeing to this DPA. No separate signature is required.

1. Definitions

Controller — you, the Settlesol subscriber, who determines the purposes and means of processing personal data belonging to your customers, suppliers, or employees
Processor — Settlesol, who processes personal data on your behalf
Personal data — any information relating to an identified or identifiable natural person contained in data you upload or enter into the Service
Processing — any operation performed on personal data, including collection, storage, use, and deletion
GDPR — UK General Data Protection Regulation and the Data Protection Act 2018

2. Nature of processing

Settlesol's core processing is in-memory only. Personal data contained in uploaded files (customer names, email addresses, supplier names) is processed temporarily in RAM to generate outputs and is never written to our database or stored beyond the active session.

Item	Detail
Subject matter	Finance operations automation — invoice chasing and supplier statement reconciliation
Duration	For the duration of your subscription, plus 90 days after termination
Nature	In-memory processing of uploaded financial data; sending emails to third parties on your behalf
Purpose	To provide invoice chase automation and supplier statement reconciliation as instructed by you
Types of personal data	Names and email addresses of your customers and suppliers (contained in uploaded files, processed in memory only)
Categories of data subjects	Your customers (invoice chase), your suppliers (statement reconciliation)

3. Processor obligations

Settlesol agrees to:

Process personal data only on your documented instructions and not for any other purpose
Ensure that personnel with access to personal data are bound by confidentiality obligations
Implement appropriate technical and organisational security measures (see Section 5)
Not engage sub-processors without your knowledge (see Section 6 for list of sub-processors)
Assist you in responding to data subject rights requests within the legally required timeframes
Notify you without undue delay (and within 72 hours where feasible) of any personal data breach
Delete or return all personal data at the end of the service relationship, at your choice
Make available all information necessary to demonstrate compliance with this DPA

4. Controller obligations

You agree to:

Ensure you have a lawful basis for processing the personal data you upload to Settlesol
Ensure data subjects have been informed that their data may be processed by Settlesol as your service provider
Only upload data you have the legal right to process
Comply with all applicable data protection laws in your use of the Service

5. Security measures

Settlesol implements the following technical and organisational measures:

Encryption in transit (TLS 1.2+) for all data; storage security managed by Render infrastructure
Row-level security (RLS) ensuring strict tenant data isolation
httpOnly, Secure, SameSite=Lax authentication cookies
CSRF protection on all state-changing requests
Rate limiting and brute-force protection
Bcrypt password hashing (minimum 12 characters enforced)
Redis-backed session management
Infrastructure hosted in Frankfurt (EU) on Render's managed PostgreSQL platform. Database access controlled by credentials and Render's network security layer.
No financial file contents written to persistent storage

6. Sub-processors

Settlesol uses the following sub-processors. By agreeing to this DPA, you authorise their use:

Sub-processor	Location	Purpose	Data processed
Render	Frankfurt, EU	Cloud hosting and database	Account data, metadata
Stripe	US (SCCs applied)	Payment processing	Email, billing details
Resend	US (SCCs applied)	Transactional email	Recipient email, name
Cloudflare	EU/US	DNS, CDN, security	IP addresses, request metadata
Redis (via Render)	Frankfurt, EU	Session management, rate limiting	Session tokens

We will notify you of any changes to sub-processors by updating this page and emailing subscribers at least 14 days in advance.

7. International transfers

Where personal data is transferred outside the UK or EEA (to Stripe or Resend in the US), such transfers are made under Standard Contractual Clauses as approved by the UK Information Commissioner's Office, providing adequate protection for your data.

8. Data subject rights

If you receive a data subject rights request relating to personal data processed through Settlesol, we will assist you in responding. Where we receive a direct request from a data subject, we will forward it to you within 5 business days.

9. Breach notification

In the event of a personal data breach affecting data processed on your behalf, we will notify you without undue delay and within 72 hours of becoming aware. Notification will include: nature of the breach, categories and approximate number of data subjects affected, categories of personal data affected, likely consequences, and measures taken or proposed.

10. Audit rights

You have the right to audit our compliance with this DPA on reasonable notice (30 days minimum) and no more than once per year. We may satisfy audit requests by providing relevant documentation, certifications, or third-party audit reports.

11. Term and termination

This DPA remains in effect for as long as we process personal data on your behalf. Upon termination of your subscription, we will delete all personal data (other than data we are required to retain by law) within 90 days.

12. Governing law

This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of English courts.

13. Contact

For data protection queries: [email protected]