Data Processing Agreement (DPA)
Last updated: 17 July 2026
This Data Processing Agreement ("DPA") supplements the Terms and Conditions and implements the requirements of Article 28(3) and (4) of Regulation (EU) 2016/679 (GDPR) for the processing that PROACTIVE SHIPPING S.R.L., VAT no. RO49176949, Trade Registry no. J2023022378407, registered office at Str. Ion Țuculescu no. 42, Bl. P3, Sc. C, 3rd floor, Ap. 47, District 3, Bucharest, Romania ("Finur", "Processor") carries out on your behalf. Its structure follows the Standard Contractual Clauses adopted by the European Commission through Implementing Decision (EU) 2021/915, adapted to Finur's activity. It applies automatically, from account creation, in electronic form (Article 28(9) GDPR), to any accounting firm or sole-practitioner accountant using the platform for the clients in their own portfolio ("Controller", "you").
For the purposes of this Agreement: "Controller" means your firm, which determines the purposes and means of processing your portfolio clients' data; "Processor" means Finur, which processes that data solely on your behalf and instructions. The roles are also described on the GDPR page.
1. Description of the processing
- Categories of data subjects: employees of the companies in your portfolio (payroll data), the customers and suppliers of those companies (invoices, receipts, payments), and the contact persons of the portfolio companies.
- Categories of data: identification data (name, national ID number for payroll), contact details, financial and banking data (IBAN, transactions, issued/received invoices), payroll data (income, deductions, leave days).
- Data that may fall under a special category (Article 9 GDPR): sick-leave days in payroll records, processed strictly as periods and benefit percentages (no diagnosis or other medical data), with access restricted to the payroll feature.
- Nature of processing: collection, storage, automated extraction from documents (OCR/language model), generation of documents and tax returns, transmission to ANAF/bank exclusively upon your explicit approval.
- Purpose of processing: providing the platform features described in the Terms (document processing, payroll, e-Invoicing, bank reconciliation, communication with your clients).
- Duration of processing: for the duration of the contract between you and Finur, plus a window of up to 30 days after account closure, described in the Privacy Policy §6.
2. Your instructions
We process your clients' data solely on your documented instructions — given through normal use of the platform (configuration, approvals, actions in the interface) or explicitly by email at contact@finur.io.
If we consider that an instruction infringes GDPR or other data protection law, we inform you before carrying it out. We do not use your clients' data for purposes other than those described in this Agreement, except where required by EU or Romanian law — in which case we inform you in advance, unless the law prohibits this.
3. Confidentiality and security
Persons authorised to process data on Finur's behalf (employees, contractors) are bound by contractual confidentiality obligations.
The technical and organisational measures applied, in accordance with Article 32 GDPR, are those described on the GDPR page §4: per-firm data isolation at database level (Row Level Security), TLS encryption in transit and encryption at rest, two-factor authentication, audit logs for sensitive actions, and restricted, role-based, logged internal access to production. These measures are periodically reassessed based on the state of the art and identified risks.
The AI model providers (Anthropic, OpenAI) do not train their models on your clients' data sent through the API — an explicit contractual guarantee under their commercial terms, not merely a stated intention. Documents are kept temporarily (a few days) solely for abuse prevention, then automatically deleted by the provider.
4. Sub-processors
You grant a general, written authorisation for the sub-processors listed in the Privacy Policy §3 (Supabase, Anthropic, OpenAI, Vercel, Railway, Paddle, Resend, Meta Platforms, Cloudflare). We impose on each sub-processor, by contract, data protection obligations at least equivalent to those in this Agreement, and we remain fully liable to you for their performance.
If we intend to add or replace a sub-processor that would process your clients' data, we notify you by email or in-app notice at least 30 days before processing begins, so you can raise a reasoned objection. If the objection is well-founded and we cannot offer a reasonable alternative, you may close your account without penalty for the remaining period, in accordance with the Refund Policy.
5. International transfers
Data is stored in the European Union. Certain sub-processors (Anthropic, OpenAI, Meta) may process data outside the European Economic Area; in those cases, the transfer relies on the Standard Contractual Clauses for international data transfers, approved through Implementing Decision (EU) 2021/914 of the European Commission, or an equivalent mechanism (e.g. the EU-U.S. Data Privacy Framework, for certified providers). We do not transfer data to sub-processors that do not offer equivalent safeguards.
6. Assistance to the Controller
We help you respond to data subject requests (access, rectification, erasure, restriction, portability, objection) concerning your clients' data, taking into account the nature of the processing. If a client of your firm contacts us directly with such a request, we do not respond without your instructions — we inform you and forward the request, as described on the GDPR page §3.
For requests you make directly in the platform (data export, deletion), we already provide the self-service tools described in the Privacy Policy — resolved automatically, typically within minutes to a few hours for asynchronous processes (the export archive). For requests requiring manual intervention on our part, we respond within 5 business days at the latest.
We also assist you with Data Protection Impact Assessments (DPIAs) and any required prior consultation with ANSPDCP, when processing through Finur falls within the scope of the assessment, by providing the relevant technical information.
7. Notification of personal data breaches
If we identify a data security breach affecting your clients' data processed through Finur, we notify you without undue delay and, in any event, within 72 hours at the latest from becoming aware of the incident.
The notification includes, to the extent available at the time: the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to remedy and mitigate the effects. If the information cannot be provided in full at first, we supplement it without undue delay. It remains your responsibility to assess notification to ANSPDCP (Article 33 GDPR) and to data subjects (Article 34); we support you with the technical information needed for that assessment.
8. Documentation and audits
We provide the information necessary to demonstrate compliance with the obligations in this Agreement, upon reasonable request, once a year or whenever there is concrete evidence of non-compliance.
Finur's infrastructure is multi-tenant (several firms share the same systems, logically isolated via database-level Row Level Security), so we cannot offer physical audits at our infrastructure providers' premises. We do, however, provide the relevant technical and organisational documentation and, if needed, a verification call with our technical team. The information is also available to the competent supervisory authority upon request.
9. End of processing — deletion or return of data
Upon termination of the contract, at your choice, we provide a complete copy of your clients' data via the export feature in Settings → Security (an archive with all relevant tables, in CSV/PDF/XML format), then delete the data in cascade from all systems (database, file storage, vector search index) within the timeframe described in the Privacy Policy §6 — a maximum of 30 days after account closure, except for documents we are legally required to retain longer (for instance, our own tax records). We do not keep copies of your clients' data for other purposes after this deadline.
10. Non-compliance with this Agreement
If we substantially breach the obligations in this Agreement and fail to remedy the breach within a reasonable time (a maximum of 30 days) after your written notice, you may close your account without penalty for the remaining subscription period, regardless of the 14-day window in the Refund Policy (which remains separately available to you for any other reason).
If you insist on an instruction that we have previously informed you (§2) infringes data protection law, we may suspend, with prior notice, the feature affected by that instruction until the situation is clarified.
11. Hierarchy and changes to this Agreement
This Agreement is part of Finur's Terms and Conditions and prevails over them regarding data processing in the event of a conflict. We do not amend the substantive clauses of this Agreement except to update the sub-processor list (§4) or to align with legislative changes; any other significant change is announced under Terms §8 (at least 15 days in advance).