Data Processing Agreement

Last Updated: 2026-06-03

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between you ("Controller", "Customer", "you") and Human Beyond LLC, a Florida limited liability company with its principal place of business at 1818 Hollywood Blvd, Hollywood, FL 33020 ("Processor", "MainBook", "we", "us").

This DPA applies whenever you use the MainBook service ("Service") to process documents that contain personal data of third parties on whose behalf you act as Controller — for example, when you are a bookkeeper, accountant, certified public accountant, tax preparer, or financial advisor processing bank or credit card statements containing personal data of your clients, their employees, their vendors, or other individuals.

By accepting the Terms of Service and using the Service to process such third-party personal data, you accept this DPA. If you do not agree, do not use the Service to process third-party personal data.

This DPA is intended to satisfy Article 28 of the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"), the corresponding provisions of the UK General Data Protection Regulation as it forms part of UK law ("UK GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA"), and analogous service-provider provisions of other applicable U.S. state privacy laws (collectively, "Data Protection Laws").


1. Definitions

Terms used but not defined in this DPA have the meanings given in the Terms of Service, the Privacy Policy, or the GDPR. For convenience:

"Customer Personal Data" means personal data contained in documents you upload to the Service and any personal data derived therefrom that we process on your behalf.

"Data Subject" means an identified or identifiable natural person whose personal data is included in the Customer Personal Data.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

"Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as updated from time to time.

"Sub-processor" means any third party engaged by us to process Customer Personal Data on our behalf in connection with the Service.

"UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, as updated from time to time.

2. Roles and Responsibilities

2.1 Roles. With respect to Customer Personal Data, you are the Controller and we are the Processor. With respect to your own personal data (your name, email, payment-related identifiers, IP address, and similar data about you as our User), we are the Controller as described in our Privacy Policy.

2.2 Customer's responsibilities. You represent, warrant, and covenant on a continuing basis that:

(a) you have a lawful basis under applicable Data Protection Laws to process the Customer Personal Data and to authorize us to process it on your behalf;

(b) you have provided all required privacy notices, obtained all required consents, and given all required information to the Data Subjects in respect of our processing of the Customer Personal Data;

(c) your instructions to us are lawful, complete, and within the scope of the Service;

(d) the Customer Personal Data does not include "sensitive" or "special category" personal data (such as health data, biometric identifiers for unique identification, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, or genetic data) unless you have notified us in writing in advance and we have agreed in writing to process it;

(e) the Customer Personal Data does not include protected health information ("PHI") subject to the Health Insurance Portability and Accountability Act ("HIPAA"), non-public personal information ("NPI") subject to the Gramm-Leach-Bliley Act ("GLBA"), federal information subject to the Federal Information Security Management Act ("FISMA"), cardholder data subject to PCI-DSS, or data subject to similar industry-specific regulations. You may not use the Service to process such regulated data;

(f) you will provide us with prompt written notice if any instruction you give us, in your view, infringes any Data Protection Law.

2.3 Our role. We act solely as Processor and process Customer Personal Data only on your documented instructions, as set out in this DPA, in the Terms of Service, in the configuration of your Account, and in your use of the Service.

2.4 Processor's right to push back. If we believe an instruction from you would, or does, violate applicable Data Protection Law, we will inform you of that view and may suspend processing of the affected Customer Personal Data until the instruction is withdrawn, amended, or confirmed by you in writing. We have no obligation to follow instructions that we reasonably believe to be unlawful.

3. Subject Matter, Nature, Purpose, and Duration

3.1 Subject matter. The subject matter of processing is the provision of the Service to you (OCR and LLM-based conversion of bank statement and credit card statement PDFs into structured data formats).

3.2 Nature and purpose of processing. We process Customer Personal Data for the purposes of (a) performing the Service for you on your instructions, (b) operating and securing the Service, and (c) complying with our obligations under the Terms of Service and applicable law. Detailed descriptions of the categories of Customer Personal Data, Data Subjects, and processing operations are set out in Schedule 1.

3.3 Duration. Processing continues for the duration of your use of the Service, plus the retention periods set out in our Privacy Policy and Schedule 1 of this DPA.

4. Processor Obligations

4.1 Documented instructions. We will process Customer Personal Data only on your documented instructions, including with regard to transfers to a third country or an international organization, unless required to do otherwise by applicable law. If we are required by law to process Customer Personal Data in a manner not authorized by you, we will, unless legally prohibited, inform you of that legal requirement before processing.

4.2 Confidentiality. We ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory).

4.3 Security measures. We implement and maintain the technical and organizational measures described in Schedule 2 designed to ensure a level of security appropriate to the risk. You acknowledge that these measures are subject to technical progress and development and we may update them from time to time, provided the updated measures do not materially decrease the overall security of Customer Personal Data.

4.4 Sub-processors. Our use of Sub-processors is governed by Section 5 of this DPA.

4.5 Assistance with Data Subject requests. Taking into account the nature of the processing, we will provide reasonable assistance to you (insofar as possible) by appropriate technical and organizational measures, for the fulfilment of your obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, objection, and portability).

If we receive a request from a Data Subject in relation to Customer Personal Data, we will, to the extent legally permitted, direct the Data Subject to you. We will not otherwise respond to such a request without your prior written authorization, except to acknowledge receipt and inform the Data Subject that we are a Processor on your behalf.

4.6 Assistance with controller obligations. Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to you with your obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation) at your reasonable expense for any work beyond the inherent capabilities of the Service.

4.7 Personal Data Breach notification. We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. For Personal Data Breaches affecting Customer Personal Data subject to the GDPR or UK GDPR, we will notify you no later than forty-eight (48) hours after becoming aware of the breach. The notification will, to the extent reasonably available at the time, describe the nature of the breach (including categories and approximate numbers of Data Subjects and records concerned), the likely consequences of the breach, the measures we have taken or propose to take to address the breach, and the contact point at MainBook for further information.

Any notification by us under this Section 4.7 will not be construed as an acknowledgement of fault or liability on our part with respect to the Personal Data Breach.

4.8 Return or deletion of data on termination. Upon termination of the Service, at your election communicated in writing within thirty (30) days of termination, we will either (a) return Customer Personal Data to you or (b) delete Customer Personal Data from our systems. If you do not make an election within thirty (30) days, we will delete the Customer Personal Data. In either case, we may retain Customer Personal Data to the extent (i) required by applicable law (including tax, audit, and bookkeeping recordkeeping requirements), (ii) reasonably necessary for our legal-defense purposes (consistent with GDPR Article 17(3)(b) and (e)), or (iii) contained in routine, encrypted backups that are deleted in accordance with our standard backup-retention cycle.

4.9 Demonstration of compliance. We will make available to you, on reasonable written request and no more frequently than once per twelve (12) month period, information reasonably necessary to demonstrate compliance with our obligations under this DPA. To the extent we have obtained relevant third-party security certifications (for example, ISO 27001, SOC 2 Type II), the relevant certification report or summary will satisfy this obligation. Until we have obtained such certifications, we will respond to reasonable security questionnaires within a reasonable time. We are not obligated to permit on-premises audits at this time, given the size and stage of our Service; we will revisit this obligation if and when we obtain third-party security certifications. Any audit-related activity beyond the reasonable scope of this Section 4.9 will be at your expense on a time-and-materials basis.

5. Sub-processors

5.1 General authorization. You provide a general authorization for us to engage Sub-processors to process Customer Personal Data in connection with the Service. The current list of Sub-processors is published at Sub-Processors.

5.2 Notice of new Sub-processors. Before engaging a new Sub-processor, we will provide at least thirty (30) days' notice by email (if you have subscribed to Sub-processor email updates), by an in-product notification, or by updating the Sub-Processors page.

5.3 Objection. You may reasonably object to a new Sub-processor on grounds related to the protection of Customer Personal Data by sending a written objection to hello@human-beyond.ai within thirty (30) days after receipt of notice. If we are unable to make available a commercially reasonable alternative or to reasonably mitigate the grounds of your objection within thirty (30) days after receipt of your objection, you may terminate the affected portion of the Service for cause and we will refund any pre-paid Credits to the extent they correspond to the unused period following the date of such termination. You acknowledge that our Sub-processors are essential to the provision of the Service, and that if you object to a Sub-processor we use, and we cannot mitigate or replace that Sub-processor, we are under no obligation to provide the affected portion of the Service to you. Your remedy is limited to the termination and refund described in this Section 5.3.

5.4 Flow-down obligations. We will impose on each Sub-processor data-protection obligations that, taken as a whole, are no less protective than those imposed on us under this DPA. We remain liable to you for the acts and omissions of our Sub-processors with respect to their processing of Customer Personal Data, subject to the limitations of liability in the Terms of Service.

6. International Data Transfers

6.1 General. Some Sub-processors are located outside the country in which you reside, including in the United States. By using the Service you instruct us to process and to authorize Sub-processors to process Customer Personal Data in such other countries to the extent necessary for the Service.

6.2 EEA, UK, and Swiss transfers. Where applicable Data Protection Laws (including the GDPR, UK GDPR, or the Swiss Federal Act on Data Protection) require an appropriate transfer mechanism for transfers of Customer Personal Data to a country that has not received an adequacy decision from the European Commission, the UK Information Commissioner, or the Swiss Federal Data Protection and Information Commissioner (as applicable), the parties incorporate the Standard Contractual Clauses by reference into this DPA, with the following selections:

  • Module 2 (Controller to Processor) applies when you act as Controller and we act as Processor;
  • Module 3 (Processor to Processor) applies when you act as Processor (for example, on behalf of your client) and we act as Sub-processor;
  • For UK transfers, the UK Addendum is incorporated and applies in addition to or in modification of the SCCs as set out in the UK Addendum;
  • For Swiss transfers, the SCCs are deemed amended to the extent necessary to comply with the Swiss Federal Act on Data Protection;
  • Clause 7 (Docking Clause) is not enabled;
  • Clause 9 (use of Sub-processors): Option 2 (general authorization) applies, with thirty (30) days' notice as set out in Section 5.2 of this DPA;
  • Clause 11 (redress): the optional independent dispute-resolution language is not included;
  • Clause 17 (governing law): the law of the EU member state in which the data exporter is established (or, if not in the EEA, the Republic of Ireland);
  • Clause 18 (forum and jurisdiction): the courts of the EU member state whose law governs under Clause 17;
  • Annexes I.A, I.B, and I.C are populated by Parts A, B, and C of Schedule 1; Annex II by Schedule 2; and Annex III by the Sub-Processors page.

6.3 Conflicts. In the event of any conflict between this DPA and the SCCs or the UK Addendum, the SCCs or the UK Addendum (as applicable) prevail with respect to the matters they cover.

6.4 Supplementary measures. Where required, we apply supplementary technical and organizational measures including encryption in transit, encryption at rest where supported by the relevant Sub-processor, role-based access controls, and contractual restrictions on government-access requests.

7. Government Access Requests

If we receive a request from a governmental or public authority to disclose Customer Personal Data, and unless we are legally prohibited from doing so or determine in good faith that an urgent risk of serious harm requires immediate disclosure, we will: (a) endeavour to make the authority redirect the request directly to you; (b) assess the request and seek to challenge it where we determine it is unlawful, overly broad, or disproportionate; (c) disclose only the minimum amount of Customer Personal Data strictly required; and (d) where legally permitted, promptly inform you of the request.

8. Customer Indemnification

8.1 Your indemnification. You agree to indemnify, defend, and hold harmless MainBook, its officers, directors, members, managers, employees, agents, contractors, licensors, and affiliates from and against any and all third-party claims, demands, actions, proceedings, losses, damages, liabilities, judgments, settlements, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or relating to:

(a) any breach by you of this DPA or your representations and warranties in Section 2.2;

(b) any Data Subject claim arising from your instructions, your lack of lawful basis, your failure to provide required notices, or your failure to obtain required consents;

(c) any claim from a regulatory authority arising from your acts or omissions as Controller; and

(d) any claim arising from your use of the Service to process data that you were not authorized to process or that falls outside the categories set out in Schedule 1.

8.2 Limitation. The limitations of liability in the Terms of Service apply to all claims under this DPA, including all claims arising out of or relating to the SCCs incorporated under Section 6, except where applicable Data Protection Law requires otherwise (in which case the limitations apply to the maximum extent permitted by that law).

9. Term and Termination

This DPA enters into force when you accept the Terms of Service (which incorporate this DPA by reference) and continues for as long as we process Customer Personal Data on your behalf. Termination of the Terms of Service automatically terminates this DPA, except that Sections 4.7 (Personal Data Breach notification with respect to incidents before termination), 4.8 (Return or deletion of data), 6 (International Data Transfers, to the extent transfers continue post-termination during the retention period), 7 (Government Access Requests), 8 (Customer Indemnification), 10 (General), and any obligation of confidentiality survive termination.

10. General

10.1 Order of precedence. In the event of a conflict between the Terms of Service, this DPA, and the SCCs/UK Addendum, the order of precedence (to the extent of the conflict) is: (a) the SCCs/UK Addendum (to the extent applicable to a particular processing activity); (b) this DPA; (c) the Terms of Service.

10.2 Updates. We may update this DPA from time to time, including to reflect changes in applicable law, technological developments, or our security measures. Material updates take effect on at least thirty (30) days' notice; non-material updates take effect upon posting. Where an update is required to comply with applicable Data Protection Law, it takes effect upon posting.

10.3 No third-party beneficiaries. Other than Data Subjects with rights expressly conferred by applicable Data Protection Law, no person other than you and us has any rights or remedies under this DPA.

10.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full force and effect, and the invalid or unenforceable provision will be modified to the minimum extent necessary to make it valid, legal, and enforceable.

10.5 Notices. Notices under this DPA must be sent to hello@human-beyond.ai (for notices to us) or to the email associated with your Account (for notices to you).

10.6 Governing law. Except where the SCCs or applicable Data Protection Law provides otherwise, this DPA is governed by the laws of the State of Florida, U.S.A., consistent with Section 17 of the Terms of Service.

Schedule 1 — Details of Processing

A. List of Parties

Data Exporter / Controller. You (the Customer), as identified in your Account registration. Activities: use of the Service for OCR and conversion of bank or credit card statements containing personal data of Data Subjects.

Data Importer / Processor. Human Beyond LLC, 1818 Hollywood Blvd, Hollywood, FL 33020, United States; contact hello@human-beyond.ai. Activities: provision of the Service.

B. Description of Transfer

Categories of Data Subjects. Depending on the documents you upload, Data Subjects may include: account holders, joint account holders, employees, employers, customers, vendors, payees, payers, and other individuals whose personal data appears in bank statements, credit card statements, or related financial documents.

Categories of Personal Data. Identifying information (names, addresses, account numbers, partial account numbers, card numbers, last-four digits); contact information present in documents; transaction descriptions (which may contain identifying information of third parties); transaction dates, amounts, and balances; merchant and counterparty names; bank or institution names; and similar information present in the source documents.

Special categories of personal data. Not intended to be processed. If special categories appear unexpectedly in the source documents (for example, references to medical providers in transaction descriptions), they are processed only incidentally and only as part of the document conversion.

Frequency. On a continuous basis for as long as you use the Service.

Nature of processing. Receipt, storage, OCR, LLM-based structured extraction, format conversion (XLSX, CSV, JSON), display, export, and deletion at the end of the retention period.

Purpose. Provision of the document-conversion Service to you on your instructions.

Retention. As set out in our Privacy Policy. In summary: uploaded documents and Output are retained ninety (90) days; payment, tax, audit, and security records up to seven (7) years; anonymized aggregated data indefinitely.

C. Competent Supervisory Authority

Where the GDPR applies, the supervisory authority of the EU/EEA member state in which the data exporter (you) is established. For the UK, the Information Commissioner's Office. For Switzerland, the Federal Data Protection and Information Commissioner.

Schedule 2 — Technical and Organizational Security Measures

The following describes the technical and organizational measures we maintain. These measures may be updated from time to time provided the updates do not materially decrease the overall security of Customer Personal Data.

Encryption in transit. All connections to the Service use TLS 1.2 or higher. Internal service-to-service traffic is encrypted in transit.

Encryption at rest. Customer Personal Data stored in object storage (DigitalOcean Spaces) and in the application database (PostgreSQL on DigitalOcean managed database) is encrypted at rest using the relevant provider's encryption-at-rest capabilities. Sensitive credentials (passwords, two-factor backup codes, API keys) are stored hashed using industry-standard algorithms (bcrypt or equivalent).

Access controls. Role-based access controls within the application and infrastructure. Privileged access to production systems is limited to authorized personnel under the principle of least privilege. Two-factor authentication is enforced for production-infrastructure access.

Network and infrastructure security. We use Cloudflare Turnstile for anti-fraud challenges at signup and guest upload. Production backend services run in isolated environments on DigitalOcean App Platform with managed networking; the front-end application is served via Vercel. All application traffic is carried over encrypted TLS connections.

Application security. Industry-standard protections against common web vulnerabilities (CSRF, SQL injection, XSS, IDOR) including parameterized queries, output encoding, CSRF double-submit tokens, and authorization checks at view boundaries.

Authentication. Passwords stored hashed using bcrypt (cost 12+). JWT-based session tokens delivered as httpOnly cookies with Secure and SameSite=Lax flags. Optional TOTP-based two-factor authentication with hashed backup codes.

Logging and monitoring. Application errors and exceptions are captured through Sentry (configured to exclude PII by default). Audit-relevant events are recorded in a structured audit log retained for up to seven (7) years.

Backups. Routine automated backups of the application database, retained for a short reasonable period and deleted on cycle. Backups are encrypted at rest.

Personnel. Personnel with access to Customer Personal Data are bound by confidentiality obligations.

Sub-processor controls. As described in Section 5 and in the Sub-Processors list.

Incident response. We maintain an internal incident-response process including breach notification consistent with Section 4.7 of this DPA.

Updates. These measures evolve as the Service grows and as we obtain additional security certifications. We commit to maintaining a level of security appropriate to the risk presented by the processing.

Schedule 3 — Approved Sub-processors

The current list of Sub-processors, including each Sub-processor's identity, function, processing location, and a brief description of the processing they perform, is published at Sub-Processors and is incorporated into this DPA by reference. The list is updated from time to time as described in Section 5.

© 2026 mainbook.ai. All rights reserved.